How to Capture the DNS Query Count from a Windows Server

In this article we will look at how to capture the number of DNS queries a Windows server receives, broken down by the client that sent them, using the DNS debug log and Microsoft Log Parser.

Prerequisites

  • Windows server with the DNS service running
  • Users querying the Windows server for DNS
  • Administrative access to the Windows server

Steps

  • Download Microsoft Log Parser 2.2 and install it on the Windows server
  • Open DNS Manager (dnsmgmt.msc)
  • Right-click your DNS server, open Properties > Debug Logging and tick Log packets for debugging. For a query count you need at least Incoming (packet direction), UDP and TCP (transport protocol), Queries/Transfers (packet contents) and Request (packet type)
  • Specify the log file path and a maximum file size, so that a busy server cannot fill the system drive while the capture runs
  • Change the remaining settings to meet your requirements. Here is a screenshot of the settings that I configured in my lab
  • Open the command prompt as an administrator and change to the following directory
cd "C:\Program Files (x86)\Log Parser 2.2"
  • Then enter the following command to output the number of DNS queries received from each host. Replace <ADD PATH TO YOUR LOG FILE> with the path to your log file; it is wrapped in single quotes because the whole query already sits inside double quotes. Fields are numbered by whitespace-separated position: field8 is the remote IP and field10 is the opcode, which is Q for a standard query (a response carries an R in front of the opcode, pushing it to field11, so the filter keeps only queries). If your server's locale writes an AM/PM token after the time, every field shifts right by one (field9 for the IP, field11 for the opcode). REVERSEDNS() performs a PTR lookup for every client IP when the query runs, so point it at a finished log rather than one that is still being written
LogParser -i:TSV -nSkipLines:30 -headerRow:OFF -iSeparator:space -nSep:1 -fixedSep:OFF -rtp:-1 "SELECT field8 AS IP, REVERSEDNS(IP) AS Name, COUNT(*) AS QueryCount FROM '<ADD PATH TO YOUR LOG FILE>' WHERE field10 = 'Q' GROUP BY IP ORDER BY QueryCount DESC"

To get representative numbers, I would recommend leaving debug logging on for at least 24 hours so that a full working day and the overnight quiet period are both captured. Once you have the results you need, disable debug logging again: packet logging costs CPU and disk on the DNS server, and the log file records every client IP address and every name it looked up, so treat it as sensitive and delete or restrict it when you are done.
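As an added example that is not part of the original post, here is the same measurement done end to end in PowerShell on the DNS server. It enables the same Debug Logging options the GUI steps set, parses the debug log directly (so Log Parser is not required), counts received queries per client, resolves client names and finally switches logging off again. It goes slightly beyond the Log Parser query above: instead of fixed column numbers it locates the Snd/Rcv token on each line, so it works whether or not the server's locale writes an AM/PM field after the time. The log path and the sample packet line in the comments are assumptions; Set-DnsServerDiagnostics and its switches are from the DnsServer module.

```powershell
# Added example, not code from the original post.
# Requires the DnsServer module (DNS Server role or RSAT) and a local administrator session.
$LogPath = 'C:\DNSLogs\dns-debug.log'   # assumed path; choose your own location

# 1. Enable the options the GUI steps set under Properties > Debug Logging:
#    Incoming direction, UDP and TCP, Queries/Transfers, Request packets, and a
#    capped log file so the capture cannot fill the system drive.
Set-DnsServerDiagnostics -EnableLoggingToFile $true -LogFilePath $LogPath -MaxMBFileSize 500 `
    -ReceivePackets $true -SendPackets $false -UdpPackets $true -TcpPackets $true `
    -Queries $true -QuestionTransactions $true -Answers $false

# 2. Let it run (the post suggests at least 24 hours), then count queries per client.
function Get-DnsQueryCount {
    param([Parameter(Mandatory)][string]$Path)

    # Packet lines look like this constructed sample (UK locale, no AM/PM token):
    # 25/04/2024 09:12:33 0F5C PACKET  000000A1B2C3D4E0 UDP Rcv 10.0.0.25 1a2b   Q [0001   D   NOERROR] A (3)www(7)example(3)com(0)
    # The header block and blank lines never match this pattern and are skipped.
    $packetLine = '\sPACKET\s+[0-9A-Fa-f]{8,16}\s+(UDP|TCP)\s+(Snd|Rcv)\s'
    $counts = @{}

    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        if ($line -notmatch $packetLine) { continue }
        $f   = $line.Trim() -split '\s+'
        $dir = [array]::IndexOf($f, 'Rcv')
        # Snd lines are packets this server sent; only received packets can be client queries.
        if ($dir -lt 0 -or $f.Count -le $dir + 3) { continue }
        # Layout after Rcv: <client IP> <XID> [R] <opcode>. A query leaves the R slot blank,
        # so once runs of spaces collapse the opcode 'Q' lands right after the XID;
        # a received response (e.g. from a forwarder) has 'R' there instead.
        if ($f[$dir + 3] -ne 'Q') { continue }
        $ip = $f[$dir + 1]
        $counts[$ip] = 1 + [int]$counts[$ip]
    }

    foreach ($entry in ($counts.GetEnumerator() | Sort-Object Value -Descending)) {
        $name = ''
        try { $name = [System.Net.Dns]::GetHostEntry($entry.Key).HostName } catch { }
        [pscustomobject]@{ IP = $entry.Key; Name = $name; QueryCount = $entry.Value }
    }
}

Get-DnsQueryCount -Path $LogPath | Format-Table -AutoSize

# 3. Switch debug logging off again. The log holds every client IP and queried name,
#    so delete or restrict it once the numbers have been collected.
Set-DnsServerDiagnostics -EnableLoggingToFile $false -ReceivePackets $false `
    -UdpPackets $false -TcpPackets $false -Queries $false -QuestionTransactions $false
```

Run the counting step against a log that is no longer being written to: the PTR lookups in step 2 are themselves DNS queries, and if the server resolves them they would be added to a log that is still open.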

