Windows 2003 dns request logs

I like the concept of an Admin Console. I will have to check it out. How does the OpenDNS client work with clients in a Windows domain environment? I suppose the client tracks user activity going to the internal domain controller rather than the external OpenDNS server? Or perhaps it tracks any user activity no matter what DNS server the clients' requests are forwarded to?

I like the concept of a management portal. I believe that the client determines if the DNS request is internal or external. If internal, it sends it to the local domain DNS. Only DNS queries that require external resolution are tracked. You can also configure exceptions. I don't want our email server to resolve to our external IP, for example. I thought, "I can't be the first one with this issue. Surely, they've thought of this." There's a section in there that says, "Want to point some domains to your internal servers? List them here."

One nice thing Cisco did was re-imagine the policies as if they were firewall rules. The policies are checked and the first match wins. A single policy, say "no porn", can be applied to every machine account. Another policy, "block all e-commerce", could be applied to the receptionist PC. You could add "allow Walmart". All the policies are defined and managed on the OpenDNS central site. They're really not "pushed" to the client. Users can click a link on the block page to submit a request. Admin gets the request.

The following sections discuss DNS server performance considerations when additional logging is enabled.

DNS debug logging is not the same as the enhanced DNS logging and diagnostics feature discussed in this topic. Debug logging is discussed here because it is also a tool that is available for DNS logging and diagnostics. See Using server debugging logging options for more information about DNS debug logging. The DNS debug log provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as Network Monitor.

Debug logging can affect overall server performance and also consumes disk space; it is therefore recommended to enable debug logging only temporarily, when detailed DNS transaction information is needed. There is no apparent performance impact for query rates of 50, QPS and lower. However, it is always advisable to monitor DNS server performance whenever additional logging is enabled. If the DNS server is running Windows Server Technical Preview or later, diagnostic logging is already installed and you can skip the first procedure, performing only the steps in To enable DNS diagnostic logging below.

Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. If the directory does not yet exist, you will be asked if you wish to create it. Click Yes and confirm that "All files were successfully unzipped" is displayed, then click OK. In the location where the files were unzipped, double-click the Windows Update file, for example Windows8. The Windows Update Standalone Installer will verify that the computer meets the requirements to install the update.

These requirements include some prerequisite updates. When verification is complete, click Yes when asked if you wish to install the Hotfix for Windows KB.

This blog post will walk you through how to enable and track down hosts performing DNS queries for non-existent records.

Once the wildcard record has been created, we will enable debug logging. Please note that this will generate a large and verbose text file. You can always expand the logging to include more functions, but for now, use the settings above.

You might want to choose a better location for the log file if running in a production environment.

The options for collecting Windows DNS query logs are:

- Collecting DNS query logs via Sysmon.
- Collecting from the relevant Windows Event Log channels.
- File-based DNS debug logging.

The deployment and resources to be used for DNS log collection will also depend on whether the logs will be collected from the DNS server (a critical asset) or from DNS clients.
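Pulling the querying hosts out of a file-based debug log, as an added example that is not part of either blog post or of Microsoft's documentation: the Python below parses the PACKET lines of dns.log, decodes the length-prefixed label notation the server writes, and reports which client IPs asked for names under the zone that no known host owns (the wildcard-record case above), as well as which clients were sent NXDOMAIN answers when no wildcard record is in place. The zone name, the known-host list and the log lines are constructed for the demonstration; the regex treats the internal packet identifier after PACKET as optional so that both the Windows Server 2003 layout (no identifier) and the 2008-and-later layout parse.

```python
import re
from collections import Counter, defaultdict

# Matches one PACKET line of the Windows DNS server debug log (dns.log).
# Windows Server 2008 and later write an internal packet identifier after
# "PACKET"; Windows Server 2003 does not, so that field is optional here.
LINE_RE = re.compile(r"""
    ^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+
    (?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+
    (?:[0-9A-Fa-f]{8,16}\s+)?            # internal packet id (2008 and later only)
    (?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+
    (?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+
    (?P<resp>R)?\s*(?P<opcode>[A-Z])\s+   # R marks a response; Q = standard query
    \[(?P<flags>[^\]]*)\]\s+
    (?P<qtype>\S+)\s+(?P<qname>\S+)
""", re.X)

def decode_labels(s):
    """Turn the log's '(3)www(7)example(3)com(0)' notation into 'www.example.com'."""
    parts = [label for _, label in re.findall(r"\((\d+)\)([^()]*)", s) if label]
    return ".".join(parts).lower()

def parse_debug_log(lines):
    """Yield one dict per PACKET line; header, legend and hex-dump lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        yield {
            "ip": m["ip"], "dir": m["dir"], "proto": m["proto"],
            "is_response": m["resp"] is not None,
            "qtype": m["qtype"], "qname": decode_labels(m["qname"]),
            "rcode": m["flags"].split()[-1],   # last token of the bracketed field
        }

def wildcard_hits(records, zone, known_names):
    """Client IP -> Counter of names under `zone` that no known host owns.

    With a wildcard record in the zone these lookups succeed instead of failing,
    so the received query line is the only trace of them."""
    zone = zone.lower().rstrip(".")
    known = {n.lower().rstrip(".") for n in known_names}
    hits = defaultdict(Counter)
    for r in records:
        if r["dir"] != "Rcv" or r["is_response"]:
            continue
        name = r["qname"]
        if name == zone or not name.endswith("." + zone) or name in known:
            continue
        hits[r["ip"]][name] += 1
    return hits

def nxdomain_by_client(records):
    """Client IP -> number of NXDOMAIN answers the server sent it (no wildcard needed)."""
    return Counter(r["ip"] for r in records
                   if r["dir"] == "Snd" and r["is_response"] and r["rcode"] == "NXDOMAIN")

# Constructed sample, not a real capture: two clients, and one 2003-style line at the end.
SAMPLE_LOG = """\
DNS Server log file creation at 6/14/2021 9:00:00 AM
Log file wrap at 6/14/2021 9:00:00 AM

6/14/2021 9:02:11 AM 0D2C PACKET  000001E2B7A43C50 UDP Rcv 10.20.30.41     3c1a   Q [0001   D   NOERROR] A      (4)wpad(4)corp(7)example(3)com(0)
6/14/2021 9:02:11 AM 0D2C PACKET  000001E2B7A43C50 UDP Snd 10.20.30.41     3c1a R Q [8085 A DR  NOERROR] A      (4)wpad(4)corp(7)example(3)com(0)
6/14/2021 9:02:12 AM 0D2C PACKET  000001E2B7A43C50 UDP Rcv 10.20.30.41     3c1b   Q [0001   D   NOERROR] A      (6)fileSV(4)corp(7)example(3)com(0)
6/14/2021 9:02:12 AM 0D2C PACKET  000001E2B7A43C50 UDP Rcv 10.20.30.77     41f0   Q [0001   D   NOERROR] A      (2)dc(4)corp(7)example(3)com(0)
6/14/2021 9:02:13 AM 0D2C PACKET  000001E2B7A43C50 UDP Snd 10.20.30.77     41f1 R Q [8183   DR NXDOMAIN] A      (7)updates(7)example(3)net(0)
20210614 09:02:14 5A0 PACKET  UDP Rcv 10.20.30.41     3c1c   Q [0001   D   NOERROR] A      (4)wpad(4)corp(7)example(3)com(0)
"""

if __name__ == "__main__":
    recs = list(parse_debug_log(SAMPLE_LOG.splitlines()))
    for ip, names in wildcard_hits(recs, "corp.example.com", ["dc.corp.example.com"]).items():
        print(ip, dict(names))
    print("NXDOMAIN answers:", dict(nxdomain_by_client(recs)))
```

Run against a real dns.log, feed the zone's existing host names (for example, the output of the zone export) as `known_names`; anything left in `wildcard_hits` is a host asking for a name the zone never had, which is exactly what the wildcard record was created to catch.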

Each of these will be covered in further detail in this blog post.

As of Sysmon version, DNS query events (Event ID 22) are generated when a process executes a DNS query, whether the result is successful or fails, cached or not. Filtering these events in the Sysmon configuration is advisable due to their noisy nature. These types of additions can be:

- Exclusion rules about which domains to exclude. If excluding certain top-level domains to reduce the amount of logs collected, be more specific with domains.
- Rules to omit queries involving popular third-party applications like Google and Mozilla, as well as CDNs.
- Rules to exclude ad-serving sites and other ad-related services.

These are only suggestions for rules and are by no means exhaustive. There are Sysmon configuration samples available online for use and adaptation. Since DNS queries generate a large amount of logs, you may opt to forward Sysmon DNS events in their own output stream to a central log server instead of merging them with other DNS client event sources.
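The exclusion rules above are easiest to sanity-check offline before a configuration goes to production. The Python below is an added example, not code from the blog post or from Sysmon: it parses Sysmon Event ID 22 records in the Windows event XML layout (the EventData field names are Sysmon's; the events themselves are constructed) and emulates a `<DnsQuery onmatch="exclude">` rule group for the `is`, `end with` and `contains` conditions. It shows that a rule excluding everything ending in `.com` also drops a failed lookup from an unexpected process, while the domain-specific exclusions the post recommends keep it.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def parse_sysmon_dns_events(xml_docs):
    """Return the EventData of every Sysmon Event ID 22 (DnsQuery) record as a dict.

    Input is one XML document per event, as produced by wevtutil /f:xml or
    Get-WinEvent's ToXml(); records with any other EventID are skipped."""
    events = []
    for doc in xml_docs:
        root = ET.fromstring(doc)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.findall("e:EventData/e:Data", namespaces=NS)}
        data["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
        events.append(data)
    return events

def excluded(event, rules):
    """Emulate a <DnsQuery onmatch="exclude"> group: one matching rule drops the event.

    Rules are (field, condition, value) triples. Sysmon string matching is
    case-insensitive; only the three conditions used below are modelled."""
    for field, cond, value in rules:
        actual, value = event.get(field, "").lower(), value.lower()
        if (cond == "is" and actual == value) \
           or (cond == "end with" and actual.endswith(value)) \
           or (cond == "contains" and value in actual):
            return True
    return False

def survivors(events, rules):
    """Counter of (Image, QueryName) pairs that would still reach the event log."""
    return Counter((e["Image"], e["QueryName"]) for e in events if not excluded(e, rules))

def failed_lookups(events):
    """Image -> number of queries whose QueryStatus was not 0 (9003 = NXDOMAIN)."""
    return Counter(e["Image"] for e in events if e.get("QueryStatus") != "0")

def _event(event_id, computer, **data):
    # Builds a minimal event document in the Windows event XML schema (sample data only).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')

# Constructed sample telemetry from one workstation; not real events.
SAMPLE_EVENTS = [
    _event(22, "WS01.corp.example.com", UtcTime="2021-06-14 09:02:11.123", ProcessId="4120",
           QueryName="wpad.corp.example.com", QueryStatus="0",
           QueryResults="::ffff:10.20.30.5;", Image=r"C:\Windows\System32\svchost.exe"),
    _event(22, "WS01.corp.example.com", UtcTime="2021-06-14 09:02:15.004", ProcessId="5512",
           QueryName="www.googleapis.com", QueryStatus="0",
           QueryResults="::ffff:203.0.113.10;",
           Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    _event(22, "WS01.corp.example.com", UtcTime="2021-06-14 09:02:19.877", ProcessId="7320",
           QueryName="a3f9c1.example.com", QueryStatus="9003",   # DNS_ERROR_RCODE_NAME_ERROR
           QueryResults="", Image=POWERSHELL),
    _event(1, "WS01.corp.example.com", Image=POWERSHELL),         # process-create event, ignored
]

# Too broad: silences every .com lookup, including the failed one from PowerShell.
TOO_BROAD = [("QueryName", "end with", ".com")]
# Specific: drops only the known-benign names, as the post recommends.
SPECIFIC = [
    ("QueryName", "end with", ".googleapis.com"),
    ("QueryName", "end with", ".google.com"),
    ("QueryName", "is", "wpad.corp.example.com"),
]

if __name__ == "__main__":
    evts = parse_sysmon_dns_events(SAMPLE_EVENTS)
    print("survive broad rule:    ", dict(survivors(evts, TOO_BROAD)))
    print("survive specific rules:", dict(survivors(evts, SPECIFIC)))
    print("failed lookups by image:", dict(failed_lookups(evts)))
```

To test a candidate rule set against real data, export a day of Sysmon events with `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`, split the output into one document per `<Event>`, and compare `survivors` under the current and proposed rules before changing the deployed configuration.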
