It all depends on what you are using, what it is monitoring and where it is monitoring. In my case I do a traffic capture on all traffic to and from my servers. So I too see the server make the request, and also the client. Then the box analyzes all the traffic. A second monitoring point to and from the internet is in the works.
From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 3:19 PM
To: [email protected]
Subject: Re: [NTSysADM] Source of DNS queries

In this instance I don't know the original source of the query, be it an iPhone, PC, server, or whatever. Trying to find a way to make discovering that device as easy as possible.

On Thu, Jan 7, 2016 at 2:44 PM, Ed Ziots <[email protected]> wrote:

I agree the malicious iPhone should be blocked; then you can parse firewall logs to see who the connections are and just put that on an egress filter last firewall block rule.

Ed

On Jan 7, 2016 2:42 PM, "Michael B. Smith" <[email protected]> wrote:

Why are you averse to scanning the logs?

From: [email protected] [mailto:[email protected]] On Behalf Of Richard Stovall
Sent: Thursday, January 7, 2016 1:49 PM
To: [email protected]
Subject: [NTSysADM] Source of DNS queries

I am in the early stages of deploying a SIEM solution, and one of the things that pop up occasionally are alarms for when a DNS query is conducted and the response contains a known-malicious IP. What I'm trying to do is figure out which machine queried the DNS server, because the alert just shows that a query response with the malicious IP went back to the DNS server.

Short of enabling DNS debug logging on my MS DNS servers and picking through them to find the source of the query, is there another solution that's more permanent?

I'm thinking that if I had something like a "DNS proxy" that does the kind of logging I'm looking for, that would be great. Essentially a DNS server that forwards everything on to the 'regular' servers.

client <--> proxy <--> internal DNS server <--> external DNS servers

Just messing around with ideas. Anyone have a solution to this already in place? (Preferably one that's affordable for the little guys. :-)

Thanks,
RS
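As an added example (not written by any of the posters), this is one way to answer the original question with the Windows DNS debug log the thread mentions: parse the log, decode the label-encoded query name, and list the clients that sent a query for the suspect name around the time of the SIEM alert. The field layout, the sample lines and the IP addresses are constructed assumptions, not taken from a real server.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of a Windows DNS Server debug log (assumed field order:
# date, time, thread, PACKET, packet id, proto, Snd/Rcv, remote IP, XID, R-flag, opcode,
# [flags rcode], qtype, label-encoded qname). 192.0.2.53 plays the upstream forwarder.
SAMPLE_LOG = """\
1/7/2016 1:48:55 PM 0B8C PACKET  0000000002A8B2D0 UDP Rcv 10.1.5.23       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/7/2016 1:49:01 PM 0B8C PACKET  0000000002A8B2D0 UDP Rcv 10.1.7.40       a1b2   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
1/7/2016 1:49:01 PM 0B8C PACKET  0000000002A8B3E0 UDP Snd 192.0.2.53      9f01   Q [0000       NOERROR] A      (3)bad(7)example(3)net(0)
1/7/2016 1:49:02 PM 0B8C PACKET  0000000002A8B3E0 UDP Rcv 192.0.2.53      9f01 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)net(0)
1/7/2016 1:49:02 PM 0B8C PACKET  0000000002A8B2D0 UDP Snd 10.1.7.40       a1b2 R Q [8081   DR  NOERROR] A      (3)bad(7)example(3)net(0)
1/7/2016 1:52:30 PM 0B8C PACKET  0000000002A8B2D0 UDP Rcv 10.1.9.8        c3d4   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
"""
ALERT_TIME = datetime(2016, 1, 7, 13, 49, 2)  # constructed: when the SIEM saw the bad answer

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) \S+ PACKET\s+\S+ "
    r"(?:UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+[0-9A-Fa-f]{4} (?P<resp>[R ]) \S+ "
    r"\[[^\]]*\] \S+\s+(?P<qname>\S+)$"
)

def decode_qname(label_form):
    """Turn the log's '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return ".".join(re.findall(r"\(\d+\)([^()]+)", label_form)).lower()

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return {"ts": ts, "dir": m["dir"], "ip": m["ip"],
            "is_response": m["resp"] == "R", "qname": decode_qname(m["qname"])}

def find_clients(log_text, suspect_name, alert_time, window_seconds=120):
    """Return sorted (timestamp, client IP) pairs for inbound queries for suspect_name.

    Only 'Rcv' lines without the R flag count: those are queries arriving from clients.
    'Rcv ... R' lines are answers coming back from the upstream forwarder, and 'Snd'
    lines are the server's own traffic, so neither identifies the original machine."""
    suspect_name = suspect_name.rstrip(".").lower()
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "Rcv" or rec["is_response"]:
            continue
        if rec["qname"] == suspect_name and abs(rec["ts"] - alert_time) <= window:
            hits.append((rec["ts"], rec["ip"]))
    return sorted(hits)

if __name__ == "__main__":
    for ts, ip in find_clients(SAMPLE_LOG, "bad.example.net", ALERT_TIME):
        print(ts, ip)
```

Widening `window_seconds` catches clients that resolved the name earlier and were served from cache, which never produces a new upstream lookup for the SIEM to see.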
