This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Finding DNS Client Requests

0

My internal DNS servers point to Google DNS 8.8.8.8 for Internet traffic. On my firewall I am seeing some curious traffic where the DNS servers make a request to a suspicious URL but I cannot find a corresponding web or Internet traffic entry. For instance, under normal traffic, if a user goes to www.wireshark.org I will see the DNS query from my internal DNS to Google DNS and then see web browser traffic from the user in the web logs. These periodic suspicious entries show up as requests from my DNS servers to Google, but I can find no entries in the firewall logs of any client visiting those URLs.

I have set up packet captures on the DNS servers. With a normal query I see the DNS entry from the client to the DNS server followed by the DNS query to Google. With these strange entries all I see is the DNS server contacting Google and then nothing.

What additional traffic besides port 53 should I monitor? Is there some way to monitor for DNS packets that possibly are not connecting on port 53?

asked 02 Feb '16, 15:03


Tim Naami
6112
accept rate: 0%

A sample capture would be nice.

(02 Feb '16, 22:44) Jaap ♦

Two problems. I can't post the PCAPs for confidential reasons. The PCAPs are 20MB+ most of the time as I have to leave them run until I see an alert from the firewall.

(03 Feb '16, 09:15) Tim Naami

20 megs are not a problem; confidentiality is a different issue. Can you post the two packets carrying the DNS query for the "suspicious url" and the DNS response to it (if it ever comes from Google DNS)? File -> Export Specified Packets -> Range [ 122678, 122913 ] (the values are example ones, of course) can do the trick.

(03 Feb '16, 13:42) sindy
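The question asks how to spot DNS packets that are not on port 53. Wireshark only dissects UDP/TCP port 53 as DNS by default (you can force another port with Analyze -> Decode As, or `tshark -d udp.port==NNNN,dns`), so a resolver or an implant talking DNS on an unusual port is shown as plain UDP. The script below is an added example, not code from the original question or answer: it reads a pcap with no third-party libraries, walks every UDP packet regardless of port, and flags payloads whose first 12 bytes and question section parse as a well-formed DNS message. The pcap it scans is constructed inline (hosts 10.0.0.5, 203.0.113.7 and port 4444 are invented for the example); point `find_offport_dns` at the bytes of a real capture instead.

```python
"""Flag DNS-shaped UDP payloads sent to or from ports other than 53.

Added example (not from the original thread). Pure-stdlib pcap/Ethernet/IPv4/UDP
walker plus a DNS-header heuristic; the sample pcap at the bottom is constructed.
"""
import struct

DNS_PORT = 53


def parse_name(payload, off):
    """Walk DNS labels at off; return offset after the name, or None if malformed."""
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        if n == 0:                      # root label terminates the name
            return off + 1
        if n & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            return off + 2
        if n > 63:                      # labels are at most 63 octets
            return None
        off += 1 + n


def looks_like_dns(payload):
    """Heuristic: sane header fields and a question section that parses cleanly."""
    if len(payload) < 12:
        return False
    _txid, flags, qd, _an, _ns, _ar = struct.unpack('!HHHHHH', payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2) or qd == 0 or qd > 4:   # QUERY/IQUERY/STATUS, few questions
        return False
    off = 12
    for _ in range(qd):
        off = parse_name(payload, off)
        if off is None or off + 4 > len(payload):
            return False
        _qtype, qclass = struct.unpack('!HH', payload[off:off + 4])
        if qclass not in (1, 3, 4, 254, 255):           # IN, CH, HS, NONE, ANY
            return False
        off += 4
    return True


def first_qname(payload):
    """Return the first question name; call only after looks_like_dns() is True."""
    labels, off = [], 12
    while payload[off] != 0 and not payload[off] & 0xC0:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode('ascii', 'replace'))
        off += 1 + n
    return '.'.join(labels)


def iter_udp(pcap_bytes):
    """Yield (src, sport, dst, dport, payload) for every IPv4/UDP frame in a pcap."""
    magic, = struct.unpack('<I', pcap_bytes[:4])
    endian = '<' if magic == 0xA1B2C3D4 else '>'
    if struct.unpack(endian + 'I', pcap_bytes[20:24])[0] != 1:
        raise ValueError('only Ethernet (linktype 1) captures are handled here')
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + 'IIII', pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0xF) * 4
        if ip[9] != 17:                                      # not UDP
            continue
        src = '.'.join(map(str, ip[12:16]))
        dst = '.'.join(map(str, ip[16:20]))
        udp = ip[ihl:]
        sport, dport, _ulen = struct.unpack('!HHH', udp[:6])
        yield src, sport, dst, dport, udp[8:]


def find_offport_dns(pcap_bytes):
    """List DNS-looking UDP conversations where neither side uses port 53."""
    hits = []
    for src, sport, dst, dport, payload in iter_udp(pcap_bytes):
        if DNS_PORT in (sport, dport):
            continue
        if looks_like_dns(payload):
            hits.append((src, sport, dst, dport, first_qname(payload)))
    return hits


# --- constructed sample capture (not real traffic) ---------------------------
def build_query(name, qtype=1, txid=0x1234):
    msg = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)     # standard query, RD set
    for label in name.split('.'):
        msg += bytes([len(label)]) + label.encode()
    return msg + b'\x00' + struct.pack('!HH', qtype, 1)


def build_frame(src, sport, dst, dport, payload):
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return b'\x00' * 12 + b'\x08\x00' + ip + udp


def build_pcap(frames):
    data = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        data += struct.pack('<IIII', 1454400000 + i, 0, len(f), len(f)) + f
    return data


SAMPLE_PCAP = build_pcap([
    build_frame('10.0.0.5', 53123, '8.8.8.8', 53, build_query('www.wireshark.org')),  # normal
    build_frame('10.0.0.5', 53124, '203.0.113.7', 4444, build_query('example.net')),  # off-port DNS
    build_frame('10.0.0.5', 40000, '203.0.113.7', 4444, b'GET / HTTP/1.0\r\n'),       # not DNS
])

if __name__ == '__main__':
    for hit in find_offport_dns(SAMPLE_PCAP):
        print('DNS-like UDP off port 53: %s:%d -> %s:%d  qname=%s' % hit)
```

The heuristic deliberately ignores TCP: a resolver doing zone transfers or large responses over TCP 53, or DNS-over-TLS on 853, needs a separate check, and DNS-over-HTTPS to 8.8.8.8:443 will not be visible as DNS at all. Once a port turns up, re-open the capture in Wireshark with that port decoded as DNS to read the full exchange.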

One Answer:

0

The question is not so clear to me, but here are some ideas for a diagnostic:

- Try shutting off all your machines (perhaps you can, in the night?) and only leave your internal DNS servers on, then check your firewall logs and see if the curious traffic is still happening.
- Then try turning the machines back on one at a time, until you see the curious traffic coming again.
- If you suspect the DNS servers themselves, try starting your DNS servers in Windows Safe Mode with Networking, and see if the curious traffic is there or not.
- Lastly, can you post again with clearer explanations and cases? Best: some sample captures.

M.

answered 03 Feb '16, 19:53


thewol
21114
accept rate: 0%