In this instance I don't know the original source of the query, be it an iPhone, PC, server, or whatever. Trying to find a way to make discovering that device as easy as possible.
On Thu, Jan 7, 2016 at 2:44 PM, Ed Ziots <[email protected]> wrote:
> I agree the malicious iPhone should be blocked; then you can parse firewall
> logs to see who the connections are and just put that on an egress filter
> last firewall block rule.
>
> Ed
>
> On Jan 7, 2016 2:42 PM, "Michael B. Smith" <[email protected]> wrote:
>
>> Why are you averse to scanning the logs?
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
>> Sent: Thursday, January 7, 2016 1:49 PM
>> To: [email protected]
>> Subject: [NTSysADM] Source of DNS queries
>>
>> I am in the early stages of deploying a SIEM solution and one of the
>> things that pop up occasionally are alarms for when a DNS query is
>> conducted and the response contains a known-malicious IP. What I'm trying
>> to do is figure out which machine queried the DNS server, because the alert
>> just shows that a query response with the malicious IP went back to the DNS
>> server.
>>
>> Short of enabling DNS debug logging on my MS DNS servers and picking
>> through them to find the source of the query, is there another solution
>> that's more permanent?
>>
>> I'm thinking that if I had something like a "DNS proxy" that does the
>> kind of logging I'm looking for, that would be great. Essentially a DNS
>> server that forwards everything on to the 'regular' servers.
>>
>> client <--> proxy <--> internal DNS server <--> external DNS servers
>>
>> Just messing around with ideas. Anyone have a solution to this already
>> in place? (Preferably one that's affordable for the little guys. :-)
>>
>> Thanks,
>> RS
>>
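A worked example of the "pick through the debug logs" option, added here and not written by anyone in the thread: a Python parser for the packet lines of a Windows DNS Server debug log that, given the name the SIEM flagged, returns which clients asked for it. It pivots on the queried name rather than the answer IP, because the packet summary line records only the question; the log lines, the upstream forwarder 203.0.113.53 and the client addresses are constructed.

```python
import re
from collections import defaultdict

# One packet line of a Windows DNS Server debug log. "Rcv" lines with no "R" in
# the response column are queries received from clients, which is what we want.
PACKET_LINE = re.compile(
    r"^(?P<date>\d+/\d+/\d+)\s+(?P<time>\d+:\d+:\d+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<peer>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<response>R)?\s*(?P<opcode>[A-Z])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

def decode_name(label_form):
    """Turn the log's length-prefixed form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = [text for _, text in re.findall(r"\((\d+)\)([^(]*)", label_form)]
    return ".".join(label for label in labels if label).lower()

def parse_line(line):
    """Return the fields of a packet line, or None for headers, blank lines and detail dumps."""
    m = PACKET_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["qname"] = decode_name(fields["qname"])
    fields["timestamp"] = f"{fields['date']} {fields['time']}"
    fields["is_client_query"] = fields["direction"] == "Rcv" and fields["response"] is None
    return fields

def index_client_queries(lines):
    """Map each queried name to the (timestamp, client IP) pairs that asked for it."""
    index = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        if fields and fields["is_client_query"]:
            index[fields["qname"]].append((fields["timestamp"], fields["peer"]))
    return index

def clients_for_name(lines, name):
    """Who asked for `name`? This is the pivot from a SIEM alert that names a flagged domain."""
    return index_client_queries(lines).get(name.lower(), [])

# Constructed sample: a header line, one full lookup of the flagged name (client query,
# query sent upstream, upstream response, response sent back to the client) and a second
# client asking for the same name. 203.0.113.53 stands in for the upstream forwarder.
SAMPLE_LOG = """DNS Server log file creation at 1/7/2016 2:40:00 PM
1/7/2016 2:42:03 PM 0B8C PACKET  000000B4E2F1A0D0 UDP Rcv 192.168.1.50   0002   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:42:03 PM 0B8C PACKET  000000B4E2F1A0D0 UDP Snd 203.0.113.53   a7c1   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:42:03 PM 0B8C PACKET  000000B4E2F1A0D0 UDP Rcv 203.0.113.53   a7c1 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:42:03 PM 0B8C PACKET  000000B4E2F1A0D0 UDP Snd 192.168.1.50   0002 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)com(0)
1/7/2016 2:45:30 PM 0B8C PACKET  000000B4E2F1C2D0 TCP Rcv 192.168.1.91   0004   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
""".splitlines()
```

Running `clients_for_name(SAMPLE_LOG, "bad.example.com")` over a real debug log on the server gives the client list the alert lacks; the forwarder's own Rcv/Snd lines are excluded so the upstream resolver is never reported as a client.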
