Re: DNS

From: Tony Gordon (tony.gordon_at_hewitt.com)
Date: 08/16/03

    To: "Mark Burnett" <mb@xato.net>
    Date: Sat, 16 Aug 2003 15:37:16 -0500
    
    

    MS DNS does not log to the event log (for what you are looking for). I am
    not sure if LogParser works on debug DNS logs. If it does, you are all
    set; if not, it is not that hard to parse them using either the find or findstr
    commands. It is very "sensitive" to what you check on the "Logging" tab.
    Sometimes it just does not log anything (usually when only the top portion is
    checked). It seems to start logging if one of the following is also
    checked: UDP, TCP or Full Packets. I usually check everything except Full
    Packets. This gets me almost everything and then I can parse out what I
    need. If I remember correctly, the log file is in %systemroot%\debug.

    Thank you, Tony.
    Tony Gordon, Windows 2000 MCSE
    tony dot gordon at hewitt dot com
    Windows Server Infrastructure
    Phone: 847.295.5000 x14534
    Fax: 847.295.8877
    Hewitt Associates

    "Mark Burnett" <mb@xato.net>
    08/14/2003 01:06 PM

            To: focus-ms@lists.securityfocus.com
            cc:
            Subject: Re: DNS

    You could log DNS queries and then use Microsoft's LogParser tool to
    count how many queries are for windowsupdate.com and how many total
    queries are in the log file. LogParser is surprisingly fast at doing
    these types of queries.

    Then use MRTG to graph it all. I actually have an article going up at
    SecurityFocus today or tomorrow on how to configure MRTG using
    counter results from LogParser and other sources.

    Mark Burnett

    On Wed, 13 Aug 2003 17:41:29 -0500, Mendoza Bazan, Luis - (Per)
    wrote:
    >Hi all, I'm working with one w2k DNS server and I would like to monitor
    >how many UDP queries received per second are for resolving windowsupdate.com
    >or another domain. W2k offers Performance Monitor but the options
    >don't permit selecting a specific domain to monitor. I would like to
    >use some tool that lets me check how many queries received per second are
    >for it vs. the total queries received, to detect possible DDoS attacks.
    >Please send me some information about tools that do this.
    >
    >Best regards
    >
    >Luis Mendoza
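    The workflow the thread describes (log queries to the DNS debug log, then count how many are for windowsupdate.com against the total, as Luis asked and Mark suggests doing with LogParser) as a small added example that is not code from anyone in the thread. It parses constructed lines written in the style of the Windows DNS debug log; the exact column layout varies by version and by what is ticked on the Logging tab, so the layout, the `LINE_RE` pattern and the sample addresses are assumptions. It decodes the length-prefixed names, then reports the domain's share of received queries, its peak per-second rate and the clients asking for it most, which is the per-domain view Performance Monitor does not give.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Windows DNS debug log
# (%systemroot%\debug). Real logs differ between versions and logging
# options, so this column layout is an assumption, not a specification.
SAMPLE_LOG = """\
20030816 15:37:16 6F0 PACKET  UDP Rcv 10.1.2.3        0002   Q [0001   D   NOERROR] A      (13)windowsupdate(3)com(0)
20030816 15:37:16 6F0 PACKET  UDP Snd 10.1.2.3        0002 R Q [8081   DR  NOERROR] A      (13)windowsupdate(3)com(0)
20030816 15:37:16 6F0 PACKET  UDP Rcv 10.1.2.3        0003   Q [0001   D   NOERROR] A      (13)windowsupdate(3)com(0)
20030816 15:37:17 6F0 PACKET  UDP Rcv 10.1.2.4        0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20030816 15:37:17 6F0 PACKET  TCP Rcv 10.1.2.5        0005   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
20030816 15:37:17 6F0 PACKET  UDP Rcv 10.1.2.3        0006   Q [0001   D   NOERROR] A      (2)v4(13)windowsupdate(3)com(0)
"""

# Assumed layout: date time thread PACKET proto Rcv|Snd client xid [R] Q [flags] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ PACKET\s+"
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<client>\S+)\s+\S+\s+(?P<resp>R)?\s*Q "
    r"\[[^\]]*\] (?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_name(raw: str) -> str:
    """Turn the length-prefixed form '(13)windowsupdate(3)com(0)' into 'windowsupdate.com'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", raw)
    return ".".join(text for length, text in labels if int(length) > 0).lower()


def parse_log(text: str) -> list:
    """One record per received query (Rcv without the R response flag).
    Responses and lines that do not match the assumed layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue
        records.append({
            "second": f"{m.group('date')} {m.group('time')}",  # bucket key for rate
            "proto": m.group("proto"),
            "client": m.group("client"),
            "qtype": m.group("qtype"),
            "qname": decode_name(m.group("qname")),
        })
    return records


def in_domain(qname: str, domain: str) -> bool:
    """True for the domain itself and any name beneath it."""
    domain = domain.lower()
    return qname == domain or qname.endswith("." + domain)


def count_queries(records: list, domain: str) -> tuple:
    """(queries for the domain or its subdomains, total received queries)."""
    hits = sum(1 for r in records if in_domain(r["qname"], domain))
    return hits, len(records)


def peak_per_second(records: list, domain: str) -> int:
    """Highest number of queries for the domain seen in any single second."""
    per_second = Counter(r["second"] for r in records if in_domain(r["qname"], domain))
    return max(per_second.values(), default=0)


def top_clients(records: list, domain: str, n: int = 3) -> list:
    """Clients sending the most queries for the domain, busiest first."""
    return Counter(r["client"] for r in records if in_domain(r["qname"], domain)).most_common(n)


def report(text: str, domain: str, share_threshold: float = 0.5) -> dict:
    """Summarise one domain's share of received queries and flag it when that
    domain dominates the log, the sign of a flood that Luis wants to spot."""
    records = parse_log(text)
    hits, total = count_queries(records, domain)
    share = hits / total if total else 0.0
    return {
        "domain": domain,
        "queries": hits,
        "total": total,
        "share": share,
        "peak_per_second": peak_per_second(records, domain),
        "top_clients": top_clients(records, domain),
        "flag": share >= share_threshold,
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "windowsupdate.com"))
```

    On the constructed sample the domain accounts for 3 of 5 received queries, peaking at 2 per second, all from one client, so the report flags it. Responses (the Snd line with the R flag) are deliberately excluded so that a server answering its own cache does not inflate the count; the share threshold is a starting point to tune against a baseline from a quiet day rather than a fixed rule.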


