how to monitor DNS Traffic

  • how to monitor DNS Traffic

    Dear Techies,

    I have a Windows 2003 Active Directory in my environment and DNS is AD-integrated. About two months back I configured an additional DC alongside the primary DC. Now everything is going fine related to Active Directory.

    Now the question is: I want to monitor how many queries are coming to the DNS server from clients.

    Can anyone suggest a nice tool to get this? Any immediate help will be highly appreciated.

    Thanks in advance.


    Cheers,
    gowtham

  • #2
    Re: how to monitor DNS Traffic

    Originally posted by gowtham
    You can use System Monitor in conjunction with Network Monitor and the logs to see what's going on with DNS.

    Here's a link that will help you set up some of the built-in monitoring tools for this purpose.

    http://www.tech-faq.com/monitoring-a...ting-dns.shtml
    Andrew

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: how to monitor DNS Traffic

      Alternatively you could use Wireshark to monitor the traffic on your network.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



      • #4
        Re: how to monitor DNS Traffic

        Dear Techies,

        Thanks for your reply.

        As per your suggestion I have monitored my DNS traffic with Windows Performance Monitor and I got the following queries and responses.


        Reported on \\domain
        Date: 12/24/2008
        Time: 8:51:32 AM
        Value: Default
        Data: Current Activity
        Interval: 1.00 seconds
        Computer: \\domain
        Object: DNS

        Counter                     Value
        TCP Message Memory          4141257684
        TCP Query Received          66.000
        TCP Query Received/sec      0.000
        TCP Response Sent           67.000
        TCP Response Sent/sec       0.000
        Total Query Received        2239894.000
        Total Query Received/sec    12.001
        Total Response Sent         1812687.000
        Total Response Sent/sec     4.000

        Now could you clarify whether the above values are normal or abnormal? If the above values are abnormal, what are the things I need to check? Because my network department is saying that a lot of traffic is coming out from the DNS server.

        Any immediate help will be highly appreciated.

        Thanks in advance,

        Cheers,
        gowtham
        Last edited by gowtham; 24th December 2008, 06:12.



        • #5
          Re: how to monitor DNS Traffic

          I would place a sniffer to see what and who is doing the dns queries.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"



          • #6
            Re: how to monitor DNS Traffic

            OK, thank you... I am waiting for your reply.



            • #7
              Re: how to monitor DNS Traffic

              gowtham, just to confirm: you need to run Wireshark or Network Monitor. It will show you the actual traffic between the hosts you select (i.e. all traffic to/from the DNS server). This information will likely give you the answer you are after.
              Download it and run it; it is fairly straightforward to use.
              cheers
              Andy


              Quis custodiet ipsos custodes?
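Wireshark or Network Monitor shows the individual conversations; what you usually want next is a tally of queries per client and per name across the whole capture, so the "lot of traffic" can be pinned on a host. The following Python is an added example written for this page, not code from the thread or from any tool mentioned in it. It implements a minimal parser for the DNS wire format (header, first question, label compression with a loop guard) and aggregates client-originated queries, skipping the server's own responses and counting datagrams that do not parse at all. The packets, client addresses and names are constructed inline by a helper; reading a real .pcap would need a capture library such as dpkt or scapy, which is left out.

```python
"""Added example: parse DNS messages captured off the wire and tally queries per client
and per name, to answer "who is sending all these queries?". Packets below are constructed."""
import struct
from collections import Counter


def parse_name(msg, offset):
    """Decode a DNS name starting at msg[offset], following compression pointers
    (RFC 1035 4.1.4). Returns (dotted name, offset just past the name at the original
    position). Raises ValueError on truncated input or pointer loops."""
    labels = []
    end = None          # offset after the first pointer, where the caller resumes
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:               # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:                       # a hostile packet could loop pointers
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) or ".", (offset if end is None else end)


def parse_query(msg):
    """Return (txid, is_response, qname, qtype) from the header and first question."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount == 0:
        raise ValueError("no question section")
    qname, off = parse_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, bool(flags & 0x8000), qname, qtype


def build_message(txid, name, qtype=1, response=False):
    """Constructed input: a minimal DNS message with one question and no answers, standing
    in for datagrams a sniffer would capture on UDP/53. QR bit is set when response=True."""
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    for label in name.strip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", qtype, 1)


def summarize(packets, top=5):
    """packets: iterable of (source IP, DNS payload). Counts client-originated queries per
    source and per lower-cased name; responses are skipped, unparseable datagrams counted."""
    per_client, per_name, malformed = Counter(), Counter(), 0
    for src, payload in packets:
        try:
            _, is_response, qname, _ = parse_query(payload)
        except ValueError:
            malformed += 1
            continue
        if is_response:
            continue
        per_client[src] += 1
        per_name[qname.lower()] += 1
    return {"clients": per_client.most_common(top),
            "names": per_name.most_common(top),
            "malformed": malformed}


# Constructed capture (hypothetical addresses): a proxy at 10.0.0.5 is the busiest client,
# a DC at 10.0.0.21 does its own SRV lookups, the server at 10.0.0.1 answers one query,
# and one datagram from 10.0.0.9 is too short to be DNS at all.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_message(0x1001, "www.example.com")),
    ("10.0.0.5", build_message(0x1002, "cdn.example.net")),
    ("10.0.0.5", build_message(0x1003, "WWW.example.com")),
    ("10.0.0.5", build_message(0x1004, "mail.corp.local", qtype=15)),       # MX
    ("10.0.0.21", build_message(0x2001, "dc1.corp.local")),
    ("10.0.0.21", build_message(0x2002, "_ldap._tcp.dc._msdcs.corp.local", qtype=33)),  # SRV
    ("10.0.0.1", build_message(0x1001, "www.example.com", response=True)),
    ("10.0.0.9", b"\x00\x01\x01\x00"),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_PACKETS)
    print("queries per client: ", result["clients"])
    print("queries per name:   ", result["names"])
    print("malformed datagrams:", result["malformed"])
```

Two practical notes. The counters in the thread list TCP separately: DNS over TCP carries a two-byte length prefix in front of each message, so strip those two bytes before calling parse_query on a TCP payload. And a non-trivial malformed count is itself worth a look, since the DNS service still has to receive and reject those datagrams.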



              • #8
                Re: how to monitor DNS Traffic

                My question is: Why do you need to monitor this?



                • #9
                  Re: how to monitor DNS Traffic

                  Dear Joeqwerty,

                  I am not asking how to monitor the DNS traffic. Please review my second post. I have already monitored my DNS traffic using Windows Performance Monitor as per your suggestion, and I have posted the queries which my DNS server received. Please find the values below:

                  Reported on \\domain
                  Date: 12/24/2008
                  Time: 8:51:32 AM
                  Value: Default
                  Data: Current Activity
                  Interval: 1.00 seconds
                  Computer: \\domain
                  Object: DNS

                  Counter                     Value
                  TCP Message Memory          4141257684
                  TCP Query Received          66.000
                  TCP Query Received/sec      0.000
                  TCP Response Sent           67.000
                  TCP Response Sent/sec       0.000
                  Total Query Received        2239894.000
                  Total Query Received/sec    12.001
                  Total Response Sent         1812687.000
                  Total Response Sent/sec     4.000

                  I just want to know whether the above values are reasonable or not.

                  Cheers,
                  gowtham



                  • #10
                    Re: how to monitor DNS Traffic

                    gowtham,

                    I believe no one has answered your question because whether or not those numbers are reasonable is very subjective. There are best practices for this type of thing, and usually more information is needed. What you have provided only gives half the picture: what might be OK on one server may not be on another. There are lots of reasons for this that I won't go into.

                    Read this for information on that...
                    http://technet.microsoft.com/en-us/l.../cc778608.aspx

                    If you feel that your server is overloaded you can install a secondary DNS server, or a caching server, to help offload some of the work to other hardware.
                    Last edited by ahinson; 26th December 2008, 20:11.
                    Andrew



                    • #11
                      Re: how to monitor DNS Traffic

                      Originally posted by gowtham
                      Because my network department is saying that... lot of traffic is coming out form DNS server.
                      This sentence was the most interesting to me. Did they supply you with any more information? What type of traffic did they say is coming out of the DNS server? What exactly do they classify as "a lot of traffic"? 50mb? 500mb? What I'm about to say has already been said in one form or another by gforceindustries, Dumber and AndyJG247, but maybe the fourth time is the charm: have you sniffed traffic coming out of the DNS server? What type of switches are you using? If they're any kind of business-class product then they probably have some kind of information that is readily available. Just look at the stats for the port that the server is on. Harness NetFlow / sFlow if your switches support it. If you don't want to run NetMon / Wireshark on the server itself, just mirror the switch port to some kind of snoop server or network TAP.

                      Originally posted by gowtham
                      Reported on \\domain
                      Date: 12/24/2008
                      Time: 8:51:32 AM
                      Value: Default
                      Data: Current Activity
                      Interval: 1.00 seconds
                      Computer: \\domain
                      Object: DNS
                      How long did you run this test for? It would be best to run the test for a few days (or weeks) and then observe traffic patterns and see when the DNS traffic gets heaviest.
                      Wesley David
                      -------------------------------
                      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                      Vendor Neutral Certifications: CWNA
                      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide



                      • #12
                        Re: how to monitor DNS Traffic

                        The DNS results are rather subjective.
                        They don't say much unless you create a timeline for about 13 weeks or so.
                        If you have a proxy server in place, then that thing would make a lot of queries, and that is quite common.
                        However, having said that, it doesn't say whether you have a high query load or not.
                        So a lot of queries doesn't mean you have a problem, but it might.

                        If the network department is complaining, maybe they can tell who is making all those queries.
                        From there you can drill down a bit more to those specific machines.
                        Marcel

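The replies above converge on two points about the counters gowtham posted: the cumulative totals (Total Query Received, Total Response Sent) are running counts since the DNS service last started, so only the difference between two samples gives a rate, and a one-second snapshot has no baseline to be compared with, so the series has to run for days. The Python below is an added example written for this page, not code from the thread or from Microsoft. It reads a PDH-style CSV of the kind typeperf or logman write (the one here is constructed in place, with a deliberate service restart and one hypothetical burst from a misbehaving client), turns the cumulative counts into queries per second, discards intervals where a counter went backwards, builds a per-hour-of-day median baseline and flags intervals above it, and reports the share of queries that got no response. The server name DC1, the traffic pattern and the 15% unanswered ratio are assumptions of the constructed data.

```python
"""Added example: convert cumulative DNS counter samples into rates and flag hours that
break a per-hour-of-day baseline. Input is a PDH-style CSV as typeperf/logman write it;
the sample built here is constructed, not a real export."""
import csv
import io
import statistics
from datetime import datetime, timedelta


def constructed_csv(days=5, spike_at=(3, 14)):
    """Build `days` of hourly samples for a hypothetical server DC1. Queries arrive at
    12/s during 08:00-18:00 and 2/s otherwise; 85% of queries get a response. On day 2 at
    03:00 the DNS service restarts (cumulative counters start from zero again) and at
    spike_at (day, hour) a hypothetical misbehaving client pushes the rate to 160/s."""
    t0 = datetime(2008, 12, 22, 0, 0)
    queries, responses = 2_000_000, 1_900_000
    rows = []
    for h in range(days * 24):
        day, hour = divmod(h, 24)
        rate = 12.0 if 8 <= hour < 18 else 2.0
        if (day, hour) == spike_at:
            rate = 160.0
        if (day, hour) == (2, 3):
            queries, responses = 0, 0
        queries += int(rate * 3600)
        responses += int(rate * 3600 * 0.85)
        stamp = (t0 + timedelta(hours=h)).strftime("%m/%d/%Y %H:%M:%S.000")
        rows.append((stamp, queries, responses))
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["(PDH-CSV 4.0)", r"\\DC1\DNS\Total Query Received",
                     r"\\DC1\DNS\Total Response Sent"])
    writer.writerows(rows)
    return out.getvalue()


def load_rates(csv_text):
    """Parse a PDH-style CSV into [(timestamp, queries/s, responses/s)]. An interval in
    which a cumulative counter decreased (service restart) is dropped and counted."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    qi = next(i for i, c in enumerate(header) if c.endswith(r"\Total Query Received"))
    ri = next(i for i, c in enumerate(header) if c.endswith(r"\Total Response Sent"))
    rates, resets, prev = [], 0, None
    for row in reader:
        t = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        q, r = float(row[qi]), float(row[ri])
        if prev is not None:
            pt, pq, pr = prev
            secs = (t - pt).total_seconds()
            if q < pq or r < pr or secs <= 0:
                resets += 1
            else:
                rates.append((t, (q - pq) / secs, (r - pr) / secs))
        prev = (t, q, r)
    return rates, resets


def flag_anomalies(rates, factor=3.0):
    """Baseline per hour of day = median q/s across all days; a sample is flagged when it
    exceeds median + max(factor * MAD, 0.5 * median). The 0.5 * median floor stops a
    perfectly flat baseline (MAD 0) from flagging ordinary jitter."""
    by_hour = {}
    for t, qps, _ in rates:
        by_hour.setdefault(t.hour, []).append(qps)
    baseline = {}
    for hour, vals in by_hour.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals)
        baseline[hour] = (med, med + max(factor * mad, 0.5 * med))
    flagged = [(t, qps) for t, qps, _ in rates if qps > baseline[t.hour][1]]
    return baseline, flagged


def unanswered_fraction(rates):
    """Share of received queries for which no response was sent over the whole window.
    A persistent gap is something to explain (dropped or invalid queries), not an alarm."""
    q = sum(qps for _, qps, _ in rates)
    s = sum(rps for _, _, rps in rates)
    return 1.0 - s / q if q else 0.0


if __name__ == "__main__":
    rates, resets = load_rates(constructed_csv())
    baseline, flagged = flag_anomalies(rates)
    print("intervals:", len(rates), "counter resets skipped:", resets)
    print("baseline q/s at 03:00 / 14:00:", baseline[3][0], baseline[14][0])
    for t, qps in flagged:
        print("ABOVE BASELINE", t, round(qps, 1), "q/s (threshold", round(baseline[t.hour][1], 1), ")")
    print("unanswered fraction:", round(unanswered_fraction(rates), 3))
```

On a real server the same script runs over the CSV from a counter log collected with logman or typeperf at a fixed interval; the only thing the flagged hours tell you is when to go back to the packet capture or the debug log and see which client was responsible.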