Monitor Outbound DNS (Website) Traffic


I'm trying to filter out logs to look for suspicious outbound traffic to external websites. On the DNS server I can set up debug logging, but I don't see a way to view the originating source of the computer making the DNS request to the server. Is there a way to capture this data to learn the source IP address of DNS requests arriving at my server?

Best Answer

I'd consider using Wireshark or Microsoft's Network Monitor with a capture filter of sufficient granularity to limit capture to the DNS traffic you're looking for. Once you've got the data captured you can go back and perform analysis.

I'd probably use the tshark command-line program in Wireshark to capture traffic into relatively small files, then use tshark again on another machine to dump the files and grep through them. A capture command line might be something like:

tshark -i <interface number here> -b filesize:32768 -w dns_capture udp and dst port 53 and dst host x.x.x.x

You can get your machine's interface number using tshark -D. The -b filesize:32768 argument specifies capturing into a buffer of 32,768KB (32MB) before starting a new capture file. The -w dns_capture specifies a base output filename of dns_capture (which will have an incremental count and timestamp added as each file fills). The udp and dst port 53 and dst host x.x.x.x is a tcpdump capture filter that specifies that only udp packets with destination port 53 and a destination address of x.x.x.x (where you should substitute the DNS server's IP address) will be captured.

Once you've got the files you could use any number of PCAP file analysis tools. Personally, I'd just use tshark with the -r argument to read files and dump them out as human-readable text using the -T text argument. Then I'd just grep the output. (I'd do this mainly because I have all the tools ready to go. There are lots of other ways you could do it, too.)
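The analysis step above (read the capture files back and pull out who asked for what) can also be scripted directly against the PCAP files rather than grepping tshark's text dump. The following is an added example, not code from the answer: a small stand-alone Python parser for classic libpcap files with Ethernet/IPv4/UDP/DNS frames that reports, per originating source IP, the names queried at the DNS server. The server address 10.0.0.53, the client addresses and the query names are constructed for the example; the sample capture is built in memory so the script runs offline, and a real capture file can be passed as the first argument instead. One caveat if you feed it tshark output: current tshark versions write pcapng by default, so capture with `-F pcap` (or convert) before using this reader, which only understands the classic format.

```python
import socket
import struct
import sys
from collections import Counter

# All addresses and names below are constructed for the example, not real hosts.
DNS_SERVER = "10.0.0.53"


def _checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encode_qname(name: str) -> bytes:
    """Hostname -> DNS label sequence (length-prefixed labels, NUL terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(data: bytes, off: int):
    """Label sequence at off -> (name, offset past it). Question names are not compressed."""
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln


def build_dns_frame(src_ip, dst_ip, qname, flags=0x0100, dport=53):
    """Ethernet/IPv4/UDP/DNS frame carrying one A query (constructed test input)."""
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(dns), 0) + dns  # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_pcap(blob: bytes):
    """Yield (ts_sec, frame) from a classic pcap blob; pcapng is not handled."""
    magic, = struct.unpack("<I", blob[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown format)")
    if struct.unpack(end + "I", blob[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        yield ts_sec, blob[off:off + incl_len]
        off += incl_len


def parse_dns_query(frame: bytes, dns_server: str):
    """(src_ip, qname) if frame is a UDP DNS *query* to dns_server:53, else None."""
    try:
        if frame[12:14] != b"\x08\x00":          # EtherType: not IPv4
            return None
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] != 17:       # not IPv4 / not UDP
            return None
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        udp = ip[ihl:]
        _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
        if dport != 53 or dst != dns_server:
            return None
        dns = udp[8:ulen]
        _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
        if flags & 0x8000 or qdcount == 0:       # QR=1 is a response: skip it
            return None
        return src, decode_qname(dns, 12)[0]
    except (IndexError, struct.error, ValueError, OSError):
        return None                              # truncated or malformed frame


def dns_clients(blob: bytes, dns_server: str):
    """Source IP -> Counter of names queried, for queries sent to dns_server."""
    clients = {}
    for _ts, frame in iter_pcap(blob):
        hit = parse_dns_query(frame, dns_server)
        if hit:
            clients.setdefault(hit[0], Counter())[hit[1]] += 1
    return clients


SAMPLE_PCAP = build_pcap([  # constructed capture: two clients, plus frames that must be ignored
    build_dns_frame("192.168.1.20", DNS_SERVER, "www.example.com"),
    build_dns_frame("192.168.1.20", DNS_SERVER, "www.example.com"),
    build_dns_frame("192.168.1.20", DNS_SERVER, "update.example.net"),
    build_dns_frame("192.168.1.31", DNS_SERVER, "www.example.org"),
    build_dns_frame("192.168.1.99", DNS_SERVER, "www.example.com", flags=0x8180),  # a response
    build_dns_frame("192.168.1.40", "8.8.8.8", "www.example.com"),                 # other server
    build_dns_frame("192.168.1.41", DNS_SERVER, "www.example.com", dport=5353),    # not DNS port
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for src, names in sorted(dns_clients(blob, DNS_SERVER).items()):
        print(src, dict(names))
```

Run it with no arguments to see the two constructed clients and their query counts, or with the path to one of the dns_capture files from the tshark command (captured as classic pcap). Responses, traffic to other resolvers and non-DNS UDP are filtered out in the parser itself, which is the same filtering the capture filter in the answer does on the wire; keeping it in the reader too means the script gives correct results on a broader capture.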