RE: OT: Tool to identify Evaluate DNS clients?

Hi William,

I don't think I have been following this thread very well. Why can't you
find the origin of the DNS requests?

Jason

> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
> Sent: 18 August 2004 06:44
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OT: Tool to identify Evaluate DNS clients?
> 
> http://www.ISAserver.org
> 
> Hi Jason
> 
> That's exactly what I think the problem is, but with 1300 
> workstations it's tricky to track the culprit down (let's not 
> get into a discussion over why my AV won't fix it... within 
> the next 3 months I will have it replaced -
> woohoo!!)
> 
> -----Original Message-----
> From: Jason Merrique [mailto:j.merrique@xxxxxxxxxxxxxxx]
> Sent: 17 August 2004 04:08 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OT: Tool to identify Evaluate DNS clients?
> 
> If one of your desktops is generating a lot of DNS requests, 
> it might be infected with a mass mailer worm. These need to 
> do a DNS lookup for every bit of spam they're sending out. 
> Worth a look.
> 
> Jason 
> 
> > -----Original Message-----
> > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > Sent: 17 August 2004 14:36
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OT: Tool to identify Evaluate DNS clients?
> > 
> > Hmmm, tried to avoid saying that... what I am seeing is that my
> > internet link is saturated with outbound DNS requests. In my Firewall
> > Logs I can only see my 2 DNS servers as doing the requests for
> > outbound DNS queries, which is the way it is meant to be...
> > 
> > But what I am presuming is that some client workstation is
> > generating/causing a helluva lot of DNS requests, either via directly
> > contacting my DNS Server, or by requesting Port 80 traffic which will
> > then route via my Firewall to my DNS Server, and then back through my
> > firewall.
> > 
> > So I was hoping to tackle the easier scenario first, and hoping to 
> > generate some sort of realtime/historical report which will show me 
> > the "Top Requesters" for DNS resolution against my DNS Servers...
> > 
> > Is there something like this?
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: 17 August 2004 03:24 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OT: Tool to identify Evaluate DNS clients?
> > 
> > Hi William,
> > 
> > Are you saying that the ISA firewall is generating a lot of DNS 
> > traffic?
> > 
> > Thanks!
> > 
> > Tom
> > www.isaserver.org/shinder
> > Get the book!
> > Tom and Deb Shinder's Configuring ISA Server 2004
> > http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> > 
> > 
> > -----Original Message-----
> > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > Sent: Tuesday, August 17, 2004 6:11 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] OT: Tool to identify Evaluate DNS clients?
> > 
> > 
> > Hi there
> > 
> > I seem to be experiencing an extreme amount of outbound DNS requests
> > via my FIREWALL to my local DNS Servers. I am quite confident that
> > this traffic is not legitimate and is most likely the source of an
> > *evil* application ;)
> > 
> > Does anyone know if it is at all possible to "query" a Win2K DNS
> > Server to see which clients are in fact making the DNS requests? I.e.
> > I want to be able to see which PC is at the top of the list with
> > regards the number of queries, or at least see which "dodgy" domain
> > names are being requested from which PCs...
> > 
> > Any ideas?
> > Thanks
> > William R.
> > 
> > 
> > ---------------------------------------------------------------------
> > Everything in this e-mail and attachments relating to the official
> > business of Columbus Stainless is proprietary to the company. It is
> > confidential, legally privileged and protected by law. Columbus
> > Stainless does not own and endorse any other content. Views and
> > opinions are those of the sender unless clearly stated as being that
> > of Columbus Stainless. The person addressed in the e-mail is the sole
> > authorised recipient.  Please notify the sender immediately if it has
> > unintentionally reached you and do not read, disclose or use the
> > content in any way. Whilst all reasonable steps are taken to ensure
> > the accuracy and integrity of information and data transmitted
> > electronically and to preserve the confidentiality thereof, no
> > liability or responsibility whatsoever is accepted if information or
> > data is, for whatever reason, corrupted or does not reach its intended
> > destination.
> > ---------------------------------------------------------------------
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > 
> 
> 
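
An added example, not part of the original thread: one way to build the "Top Requesters" report William asks for is to count incoming queries per client from the DNS server's own query log, since the firewall only ever sees the DNS servers as the source. It assumes debug logging of incoming packets is enabled on the DNS server; the sample lines are constructed and only modelled on Windows DNS debug-log packet lines, so the regular expression is an assumption to adjust to the actual log layout. A client with many queries, many distinct names and a high MX share fits the mass-mailer pattern Jason describes.

```python
import re
from collections import Counter

# Constructed sample, modelled on Windows DNS Server debug-log packet lines.
# The 10.x addresses stand for workstations, 192.0.2.53 for an upstream server.
SAMPLE_LOG = """\
8/17/2004 2:36:01 PM 0E5C PACKET  00A1 UDP Rcv 10.1.4.27      a1b2   Q [0001   D   NOERROR] MX     (8)example1(4)test(0)
8/17/2004 2:36:01 PM 0E5C PACKET  00A2 UDP Rcv 10.1.4.27      a1b3   Q [0001   D   NOERROR] MX     (8)example2(4)test(0)
8/17/2004 2:36:01 PM 0E5C PACKET  00A3 UDP Snd 192.0.2.53     77c1   Q [0001   D   NOERROR] MX     (8)example2(4)test(0)
8/17/2004 2:36:02 PM 0E5C PACKET  00A4 UDP Rcv 192.0.2.53     77c1 R Q [8081   DR  NOERROR] MX     (8)example2(4)test(0)
8/17/2004 2:36:02 PM 0E5C PACKET  00A5 UDP Rcv 10.1.2.8       0c11   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/17/2004 2:36:03 PM 0E5C PACKET  00A6 UDP Rcv 10.1.4.27      a1b4   Q [0001   D   NOERROR] MX     (8)example3(4)test(0)
8/17/2004 2:36:03 PM 0E5C PACKET  00A7 UDP Rcv 10.1.2.8       0c12   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

# Assumed layout: matches only received queries ("Rcv" with no "R" flag before "Q").
PACKET_RE = re.compile(
    r"PACKET\s+\S+\s+(?:UDP|TCP)\s+Rcv\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\S+\s+Q\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


def decode_qname(raw):
    """Turn the length-prefixed form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return ".".join(part for part in re.split(r"\(\d+\)", raw) if part)


def top_requesters(log_text, limit=10):
    """Return (client, queries, distinct_names, mx_share) rows, busiest client first."""
    queries, names, mx = Counter(), {}, Counter()
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue  # the server's own outbound packets and upstream responses
        client = m["client"]
        queries[client] += 1
        names.setdefault(client, set()).add(decode_qname(m["qname"]).lower())
        if m["qtype"].upper() == "MX":
            mx[client] += 1
    return [(c, n, len(names[c]), round(mx[c] / n, 2))
            for c, n in queries.most_common(limit)]


if __name__ == "__main__":
    for row in top_requesters(SAMPLE_LOG):
        print("%-15s queries=%d distinct_names=%d mx_share=%.2f" % row)
```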

