Event logging to trace the source of any packet.

  • Question

  • Hi Team,

    Is it possible to trace the source of any packet hitting a DNS server?

    The events occur every 30 minutes, so logging can be enabled on these DNS servers 5 minutes before the expected incoming event and stopped 5 minutes after. We can then go to that source DNS server (if the request is coming from another forwarder DNS) and repeat the same process until we find the actual sender IP.

    Thanks in advance

    Tuesday, November 14, 2017 2:14 PM

All replies

  • Yes, it is possible.  Check all the boxes shown in the below screenshot.  This area is found by right-clicking on your DNS server object > select Properties > Debug Logging tab.  In the "Transport protocol" sub-section you might also want to select TCP as well as UDP.  Just for the sake of completeness.  Most DNS queries are done in UDP, but every once in a while you could have a one-off using TCP.


    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, November 14, 2017 4:44 PM
  • Thanks a ton.

    Could I implement this in a big live environment, or does it have risks associated with it?

    Tuesday, November 14, 2017 5:55 PM
  • There are always risks when implementing in a big environment.  Depending on how big it is, you could collect so much log data concurrently that it actually slows down the DNS server itself.  That's why you'll notice "log packets for debugging" is off by default.  My advice is turn it on only for as long as it takes to isolate what you're looking for, and then turn it back off.  

    If these answers helped don't forget to mark them as such.


    Best Regards, Todd Heron | Active Directory Consultant

    Wednesday, November 15, 2017 12:15 AM
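The two replies above describe the manual route (DNS Manager > server Properties > Debug Logging, enabled only for as long as the hunt takes). The script below is an added example, not code from the thread, that does the same thing from PowerShell on a Windows DNS server: it uses the DnsServer module's Set-DnsServerDiagnostics cmdlet to switch on only the options Todd lists (incoming packets, UDP and TCP, queries), caps the log file size so a busy server cannot fill its volume, keeps logging switched on only for the 5-minutes-before to 5-minutes-after window the question proposes, turns every debug option off again in a finally block, and then parses the resulting packet log to rank the source IPs. The log path, the default event time, the window length and the constructed sample log line in the comments are assumptions; run it elevated on the DNS server itself.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules DnsServer
# Added example, not part of the original thread. Time-boxed DNS debug logging on a
# Windows DNS server, followed by extraction of the sending IPs from the packet log.
# Assumed values: log path, default event time and window length are hypothetical.

param(
    [datetime]$EventTime  = (Get-Date).AddMinutes(5),     # when the 30-minute event is next expected (assumed)
    [int]$WindowMinutes   = 5,                            # log from 5 min before to 5 min after, as the OP proposed
    [string]$LogPath      = 'C:\DnsLogs\dns-debug.log',   # hypothetical path; must be on a volume with free space
    [string]$NameFilter   = ''                            # optional: only count queries for this exact name
)

function Enable-DnsPacketDebugLog {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # Only what is needed to see who sent the queries: received packets on both transports,
    # queries only. FullPackets stays off and the file is capped, which keeps the cost
    # (and the disk usage) far below "log everything".
    Set-DnsServerDiagnostics -ReceivePackets $true -SendPackets $false `
        -UdpPackets $true -TcpPackets $true `
        -Queries $true -Answers $false -Notifications $false -Update $false `
        -QuestionTransactions $true -UnmatchedResponse $false `
        -FullPackets $false -EnableLoggingToFile $true `
        -LogFilePath $Path -MaxMBFileSize 500
}

function Disable-DnsPacketDebugLog {
    # Back to the shipped state: every debug option off.
    Set-DnsServerDiagnostics -All $false
}

function Get-DnsQuerySource {
    param([string[]]$LogLines, [string]$Name)
    # A received-query line in the debug log has this shape (constructed sample):
    # 11/14/2017 2:14:05 PM 0F48 PACKET  000000E2A5D81E30 UDP Rcv 10.20.30.40     a1b2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
    # The IP after "Rcv" is the last hop only: a forwarder, not necessarily the original client.
    $pattern = '\b(?<proto>UDP|TCP)\s+Rcv\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+Q\s+\[[^\]]*\]\s+(?<type>\S+)\s+(?<name>(?:\(\d+\)[^\s(]+)+\(0\))'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            # "(3)www(7)example(3)com(0)" -> "www.example.com"
            $qname = ($Matches.name -replace '\(\d+\)', '.').Trim('.')
            if ($Name -and $qname -ne $Name) { continue }
            [pscustomobject]@{ Source = $Matches.ip; Proto = $Matches.proto; Type = $Matches.type; Name = $qname }
        }
    }
}

# Wait for the window to open, log through it, and always switch logging off afterwards.
$start = $EventTime.AddMinutes(-$WindowMinutes)
$stop  = $EventTime.AddMinutes($WindowMinutes)
$wait  = [int][math]::Max(0, ($start - (Get-Date)).TotalSeconds)
if ($wait -gt 0) { Start-Sleep -Seconds $wait }

Enable-DnsPacketDebugLog -Path $LogPath
try {
    Start-Sleep -Seconds ([int][math]::Max(0, ($stop - (Get-Date)).TotalSeconds))
}
finally {
    Disable-DnsPacketDebugLog   # runs even if the script is interrupted with Ctrl+C
}

# Rank the senders. The top entries are the next servers to repeat this on if they are forwarders.
Get-DnsQuerySource -LogLines (Get-Content -Path $LogPath) -Name $NameFilter |
    Group-Object -Property Source |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, @{Name = 'Source'; Expression = { $_.Name }} |
    Format-Table -AutoSize
```

Get-DnsServerDiagnostics shows the current state before and after, which is worth checking on a production server so the options are confirmed to be off once the window closes. If the top source is another forwarder, run the same window on that server; the log records only the IP that delivered the packet, so the chain has to be followed hop by hop exactly as the question describes.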
  • Hi ,

    >>Could I implement this in a big live environment, or does it have risks associated with it?

    Agree with Todd Heron, logging definitely slows things down. Even the process of creating the strings to log will have an effect on performance.

    I would suggest you debug in a development environment rather than in production.

    In addition, if the information provided was helpful, please "mark it as answer" to help other community members find the helpful reply quickly.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 15, 2017 10:01 AM
  • Hi ranabrij,

    Just to check if the above reply could be of help, if yes, you may mark useful reply as answer, if you have other concerns, welcome to feedback.

    Best Regards,

    Candy


    Wednesday, November 22, 2017 9:10 AM
  • Hi ,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Candy


    Friday, December 8, 2017 1:32 AM
  • The issue was obviously resolved based on the very words of the OP in his first reply. As is typical from new users though, he didn't bother to mark the issue as resolved.
    Friday, December 8, 2017 1:50 PM