DNS Query and logs

  • Question

  • Hello All,

    We have noticed some weird DNS query records on our DNS servers.  We are not able to understand what they mean, who is sending these queries, and why they are being logged on our DNS server.  I am very concerned that it may be some kind of virus or spamming.  

    8/13/2016 2:49:38 AM 0B44 PACKET  0000001818ACE0B0 UDP Rcv 172.16.2.1     f11d   Q [0001   D   NOERROR] A     zmpxtaphprah.domain.com

    8/13/2016 2:49:38 AM 0B44 PACKET  0000001818ACE0B0 UDP Rcv 172.16.2.1     f11d   Q [0001   D   NOERROR] A     zmpxtarere.domain.com

    Please somebody help me to understand this.

    Thanks in advance for any valuable help to sort out this issue.

    Thanks,

    Abul


    Monday, August 22, 2016 4:39 PM

Answers

  • If it's random hostnames for your domain, it's most likely Google Chrome.   When Chrome launches, it'll make three queries to random hostnames that look similar to your logs.  As far as I know, it'll only do it one time when it first opens.  So if the random queries are very infrequent, then Chrome would be a good guess.  If the queries appear to be frequent or are for hosts in another domain, then it is not Chrome.
    Tuesday, August 23, 2016 2:26 PM
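    As an added example (not code from the thread or from Microsoft), the following Python script applies the heuristic from the answer above to Windows DNS debug-log lines in the layout quoted in the question: per client, it collects random-looking query names under the local zone into short bursts, and treats a client that only ever sends a few bursts of at most three names as Chrome-like, while bigger or more frequent bursts are flagged for a closer look. The 5-second window, the "random-looking" rule, the known-host list and the 172.16.2.50 client are constructed assumptions.

    ```python
    import re
    from collections import defaultdict
    from datetime import datetime, timedelta

    LINE_RE = re.compile(  # one received query, in the dotted-name layout quoted in the question
        r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \w+ PACKET\s+\w+ (?:UDP|TCP) Rcv "
        r"(?P<client>\S+)\s+\w+\s+Q \[[^\]]*\]\s+\w+\s+(?P<qname>\S+)$")
    LOCAL_DOMAIN = "domain.com"            # the poster's own zone, as in the log
    KNOWN_HOSTS = {"dc01", "mail", "www"}  # constructed: names that really exist in the zone
    WINDOW = timedelta(seconds=5)          # assumption: start-up probes land within a few seconds

    def parse_query(line):
        """Return (timestamp, client, qname) for a received query line, else None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        return datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), m["client"], m["qname"].lower()

    def classify(lines):
        """'chrome-startup-like' if random local-zone names come only in a few bursts of <=3, else 'investigate'."""
        per_client = defaultdict(list)
        for ts, client, qname in filter(None, map(parse_query, lines)):
            label, _, parent = qname.partition(".")
            # crude constructed rule for "random-looking": unknown, letters-only, 7-15 characters
            if parent == LOCAL_DOMAIN and label not in KNOWN_HOSTS and re.fullmatch(r"[a-z]{7,15}", label):
                per_client[client].append(ts)
        verdicts = {}
        for client, times in per_client.items():
            bursts, start, count = [], min(times), 0
            for t in sorted(times):
                if t - start > WINDOW:      # gap: close the current burst, open a new one
                    bursts.append(count)
                    start, count = t, 0
                count += 1
            bursts.append(count)
            calm = len(bursts) <= 2 and max(bursts) <= 3   # more than two bursts here counts as "frequent"
            verdicts[client] = "chrome-startup-like" if calm else "investigate"
        return verdicts

    def log_line(ts, client, qname):
        """Constructed helper laying out a line exactly like the thread's samples."""
        return f"{ts} 0B44 PACKET  0000001818ACE0B0 UDP Rcv {client}     f11d   Q [0001   D   NOERROR] A     {qname}"

    SAMPLE_LOG = [  # the two lines quoted in the question, then constructed lines
        "8/13/2016 2:49:38 AM 0B44 PACKET  0000001818ACE0B0 UDP Rcv 172.16.2.1     f11d   Q [0001   D   NOERROR] A     zmpxtaphprah.domain.com",
        "8/13/2016 2:49:38 AM 0B44 PACKET  0000001818ACE0B0 UDP Rcv 172.16.2.1     f11d   Q [0001   D   NOERROR] A     zmpxtarere.domain.com",
        log_line("8/13/2016 2:49:39 AM", "172.16.2.1", "qwvkbhtrn.domain.com"),  # third start-up probe
        log_line("8/13/2016 2:50:00 AM", "172.16.2.1", "mail.domain.com"),       # real host, not flagged
    ] + [log_line(f"8/13/2016 3:{m:02d}:00 AM", "172.16.2.50", f"{'abcdef'[m // 10]}wkprtvnxm.domain.com")
         for m in range(0, 60, 10)]                                              # new random name every 10 min
    ```

    Running `classify(SAMPLE_LOG)` marks 172.16.2.1 as chrome-startup-like and 172.16.2.50 as investigate; a client in the second group is the one to check for malware, as Cartman suggests below.
    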

All replies

  • In your example: is domain.com your domain, or a random Internet domain?
    Monday, August 22, 2016 9:09 PM
  • Hi, it's showing our domain only, but with random fake host names.
    Tuesday, August 23, 2016 12:57 AM
  • Hi,

    >>8/13/2016 2:49:38 AM 0B44 PACKET  0000001818ACE0B0 UDP Rcv 172.16.2.1     f11d   Q [0001   D   NOERROR] A     zmpxtaphprah.domain.com

    According to your logs, the requesting client is '172.16.2.1' and the name requested is 'zmpxta**.domain.com'. It could be a virus, malware or some 3rd-party Internet browser.

    So, does this '172.16.2.1' client exist? You should check it first.

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact
    tnmff@microsoft.com.

    Tuesday, August 23, 2016 2:42 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

    ________________________________________
    Best Regards,
    Cartman

    Wednesday, August 31, 2016 7:15 AM
  • Hi Ryan Smith,

    Thanks for your valuable advice; we have tried your solution.  For testing purposes we requested the customer to uninstall the "Chrome Browser" from selected machines and monitor, and this solved the problem.  This clearly shows that Chrome was creating those DNS logs.

    Thanks,

    Thursday, September 8, 2016 7:01 AM