Fri, Mar 23, 2018 11:05 pm
DNS - Standard Query Response Refused
While filtering on
Domain Name System (DNS) queries in the
packet capture tool with a
udp.port==53 on a
OS X El
Capitan (10.11.6), I saw a lot of "Stanard query response refused"
replies in the "Info" field for responses from the DNS server. When
I expanded the "flags" section of the DNS response for those replies
from the DNS server, I saw "Reply code: Refused (5)" for some IP
address lookups, though other DNS queries were being answered with
an IP address.
[ More Info ]
Fri, Jun 09, 2017 11:01 pm
Obtaining public IP address from a command line interface
One way to determine the public
for a system, i.e., the IP address that systems on the Internet will see for the
system when you connect to those external systems, from a
command-line interface (CLI) on a
Mac OS X/macOS
system is to use the
dig +short myip.opendns.com @resolver1.opendns.com.
$ dig +short myip.opendns.com @resolver1.opendns.com
Alternatively, you can use an nslookup command as shown below:
$ nslookup myip.opendns.com resolver1.opendns.com
The nslookup method will work on Microsoft Windows systems as well as
OS X/macOS and Linux sysems.
c:\Users\Public\>nslookup myip.opendns.com resolver1.opendns.com
Both commands submit a
Domain Name System (DNS) query to the
DNS server resolver1.opendns.com, a name server maintained by
When you look up the
fully qualified domain name (FQDN) myip.opendns.com,
the OpenDNS server will return the IP address of the system from which
the DNS query originated, i.e., the system on which you ran the dig or
Tue, Jan 17, 2017 10:30 pm
While using Wireshark
troubleshoot a Domain Name System (DNS)
issue for a server that sits
behind a firewall that performs
Network Address Translation (NAT)
, I noticed a DNS
response coming back where Wireshark showed the following in the "Info"
field for a packet:
Standard query response 0x21e1 No such name PTR 220.127.116.11.in-addr.arpa SOA
The server for which I was performing the troubleshooting has an IP
address of 192.168.1.5, which is a
IP address. There are 3 private IP address ranges; these ranges are also
sometimes referred to as "RFC 1918 addresses", since the private IP address
space is defined in RFC 1918
. A Request for Comments (RFC) is a document published by the
Internet Engineering Task Force (IETF). Some RFCs, such
as RFC 1918 become Internet Standards.
[ More Info ]
Thu, Feb 26, 2015 10:04 pm
Adding a new DNS zone to a Windows Server 2012 DNS server
A Windows Server 2012 Essentials system can function as a Domain Name
System (DNS) server. If the system is functioning as a DNS server you can
add additional zones that are integrated with Active Directory (AD) or you
can add them as file-based zones as you would on a Unix/Linux DNS server.
The Windows DNS server can be configured to support forward or
zones. A primary, secondary, or stub zone can be added.
[ More Info ]
Thu, Feb 19, 2015 11:01 pm
Enabling DNS Logging for Windows Server 2012
I wanted to log DNS queries and responses from all systems using a Windows
Server 2012 DNS server, so that I would have DNS logs available for reference
in the event of issues related to malware, etc. I also wanted to rotate the
log files every night, so that the file size wouldn't grow continually until
it reached the maximum 500 MB size I specified for the log file. Instructions
for doing so for a Windows Server 2012 system are
for doing so on a Microsoft Windows Small Business Server (SBS) are
at Enabling DNS Logging on a Windows
SBS 2003 Server
Sat, Dec 20, 2014 1:58 pm
Viewing history of DNS server and IP Changes for a Domain
If you wish to view a history of
Domain Name System
server changes for a domain name, you can do so through
the WhoISrequest Domain History
, which tracks nameserver changes since 2002 for all COM, NET, ORG,
INFO, BIZ and US domains.
E.g., if I put
sailormoonworld.com, which was registered in 1998, in the search field, I
can see a list of all of the DNS servers that translated the
qualified domain name (FQDN) to an IP address since WhoISrequest began
tracking name server changes in 2002. The history information for that
particular domain shows that registration for the domain name lapsed in
2013 and the domain name was picked up by a
domain name squatter
then. The domain name squatter let the domain registration lapse in the
summer of 2014. I re-registered the domain name for the original owner, a
family member, in October.
You can also view such information through the
DNS History site, which notes
"Here at DNS History we have been crawling DNS records since 2009, our index
currently contains over 200 million domains and discovering over a billion DNS
If I put sailormoonworld.com in the Doman Search field on that site,
though, it does not have any information on it, though it does have information
on moonpoint.com, though that information was last updated on 2010-08-11, so
that site's information does not appear to be as comprehensive nor as
up-to-date as the information provided through the WhoISRequest site.
You can also find past name server and registration information through
the who.is Search Domain DNS and Name Server
Information page. When you put a domain name in the search field,
and click on "Search DNS and Name Servers", you will see information
on the domain, such as name servers, SOA record, DNS records, including
the mail exchanger (MX) servers for the domain. If you click on the
History tab above that information, you will see past domain
name registrars and name servers associated with the domain.
If you wish to see prior IP addresses associated with a domain name,
you can use ViewDNSInfo IP
History. I noticed when I checked sailormoonworld.com with
its tool, though, that it is not showing a change made near the end of October
for that domain. The last change it shows was for 2014-07-05. The site also
has a lot of other tools, e.g.
Google Pagerank Checker, etc.
Sun, Dec 07, 2014 7:30 pm
Rotate the DNS server log file on a Windows server
For a site where a
Windows Small Business Server (SBS) 2003
system serves as a
wanted to rotate the DNS log file every night at midnight. The log file is
and I'd like to close the current log at
midnight renaming it to
where YYYY is the 4-digit
year, MM, the month (1-12) and DD the day (1-31). The system date can be put in
using substring extraction as explained at
Appending a date to a filename in
Renaming the log file requires stopping the DNS server service, which
can be done with the command
net stop "DNS Server". If
you try to move the file without stopping the service, you will receive
the message below:
D:\Logs\DNS>move dns.log dns_old.log
The process cannot access the file because it is being used by another process.
0 file(s) moved.
After the file is moved/renamed, the DNS server service can be restarted
net start "DNS Server".
The location of the DNS log file is stored in the Windows Registry. A
REG QUERY command can be used to obtain the current location for
the file as explained at
Determing the location of a Microsoft Windows DNS log file from a command prompt. After the location and name of the file is determined, the DNS server
service can be stopped, then the current log file can be renamed, and the
DNS server service can be restarted, creating a new log file with the name
and at the location indicated by the registry entry.
The batch file is shown below and is available
REM Name: rotatednslog.bat
REM Version: 1.0
REM Created: December 6, 2014
REM Last Modified: December 6, 2014
REM: Location of latest version:
REM Description: When scheduled to run at the end of each day, this batch
REM file will roate the DNS server log. The DNS server service will be
REM stopped temporarily, so the current DNS log can be renamed to a log file
REM with the name DNS_YYYYMMDD.log, where YYYY is the year, MM the month, and
REM DD the day. The DNS server service will then be restarted creating a
REM new DNS log file. The current location of the DNS log file is obtained
REM from the Windows Registry.
REM Required for substituting the contents of a variable in string subsitution
REM employed to insert the contents of the date variable YYYYMMDD in the log
REM file name.
REM Windows Registry key holding the location of the DNS log file
REM Registry value needed from the above key
REM Extract only the file location from the output of the reg query command
FOR /F "tokens=3" %%G IN ('reg query %regkey% /v LogFilePath ^| find %regvalue%') DO set logfile=%%G
REM Set the variable YYYYMMDD to today's date in YYYYMMDD format where
REM YYYY = 4-digit year, MM is month (1-12), and DD is day (1-31)
REM Set the name for the rotated log file to have "_YYYYMMDD.log" at the
REM end of the file name. Need to use delayed expansion.
REM Stop the DNS server service
NET STOP "DNS Server"
REM Move the log file to its new location with its new name.
REM Since you cannot specify a new drive or path for your destination file with
REM the RENAME command, I'm using the MOVE command, instead, in case I may
REM wish to update this batch script to move the file to another drive and/or
MOVE %logfile% %renamedlog%
REM Restart the DNS server service
NET START "DNS Server"
If it is run from a command prompt, you will see the following output:
The DNS Server service is stopping.
The DNS Server service was stopped successfully.
1 file(s) moved.
The DNS Server service is starting.
The DNS Server service was started successfully.
Since I would like the batch file to execute at the end of each day, I
scheduled it to run at 23:59 (11:59 PM) Monday through Sunday with the command
at 23:59 /every:m,t,w,th,f,s,su
"C:\program files\utility\scripts\rotatednslog.bat (specify the location
for the batch file).
C:\Program Files\Utility\Scripts>at 23:59 /every:m,t,w,th,f,s,su "C:\program files\utility\scripts\rotatednslog.bat"
Added a new job with job ID = 5
I could have used
00:00 to run the batch job at midnight, but
I set it to run 1 minute before midnight to be sure that the date inserted
in the name of the file is the one for the day that has just ended rather than
the date of the new day.
If you want to see the details of scheduled batch jobs, you can just
at without any parameters at the command line and hit
return. You will then see all the scheduled batch jobs. There may be gaps
in the ID numbers if some batch jobs have been deleted.
C:\Documents and Settings\Administrator>at
Status ID Day Time Command Line
1 Each M T W Th F S 7:30 PM d:\backups\daily.bat
2 Each Su 7:30 PM d:\backups\weekly.bat
5 Each M T W Th F S Su 11:59 PM "C:\program files\utility\scripts\rotatednslog.bat"
If you wish to delete a scheduled batch job you can use
at id /delete, where
id is the numeric
ID assigned to a batch job. E.g., the rotatednslog batch job above could
be deleted with
at 5 /delete.
Sat, Nov 22, 2014 12:25 pm
Determing the location of a Microsoft Windows DNS log file from a command prompt
If you need to determine the location of the log file for a Microsoft Windows
server functioning as a DNS server from the command line, you can do so through
C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath
LogFilePath REG_SZ d:\logs\dns\dns.log
You can reduce the output displayed to just the line containing the
log file location by piping the output of the
reg query command
C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath | find "LogFilePath"
LogFilePath REG_SZ d:\logs\dns\dns.log
If you wish to see just the log file location and not the other information
returned by the
reg query command, you can use
a FOR /F loop command such
as the following:
C:\>for /f "tokens=3" %g in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') do @echo %g
FOR /F loop breaks up a line of output from the command
that is being processed into items, called "tokens" that are separated by
space on the lines of output from the command. In this case, I'm only
interested in the third token on the line of output, which is the location
of the DNS log file. The output that is being processed is the result of
piping the output of the
reg query command into the
command. Since the pipe symbol, i.e., the vertical bar character
|, has a special meaning for the Windows operating system,
you need to place an
which for Windows is the caret symbol,
^, immediately before
it. You also need to put the at symbol,
@, before the echo
command to avoid seeing the echo command itself as output.
If you wish to use a batch file to execute the commands to find the log
file location, you need to replace the
as shown below.
FOR /F "tokens=3" %%G IN ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') DO echo %%G
The registry key and the value to be queried can also be placed in
variables that can be modified, if you wish to query other
registry keys, instead of the one for the DNS log file location, so that it
is easier to see what needs to be changed for such other queries.
REM Name: queryreg.bat
REM Version: 1.0
REM Created: November 22, 2014
REM Last Modified: November 22, 2014
REM Description: Displays just the value of a registry key from a
REM "reg query regkey /v regvalue" command omitting the additional
REM information that is output by the command
FOR /F "tokens=3" %%G IN ('reg query %regkey% /v LogFilePath ^| find %regvalue%') DO echo %%G
Fri, Nov 21, 2014 11:09 pm
Windows DNS Log Analyser
If you've turned on logging for the DNS service provided on Microsoft
Windows servers, a useful tool for analyzing the contents of the log file
is Windows DNS Log Analyser
, which is a small (about 1.44 MB), free
program that understands the Microsoft Windows DNS server log file format which
will present the information to you in a more easily analyzed format.
[ More Info ]
Thu, Nov 20, 2014 11:17 pm
Enabling DNS Logging on a Microsoft Windows SBS 2003 Sever
DNS logging can be useful when trying to monitor what systems an infected
system is trying to contact. The DNS log will show you what DNS queries
were sent by the system to the DNS server to look up IP addresses for
[ More Info ]
Shop Amazon Local - Subscribe to Deals in Your Neighborhood