
Fri, Mar 23, 2018 11:05 pm

DNS - Standard Query Response Refused

While filtering on Domain Name System (DNS) queries in the Wireshark packet capture tool with a filter of udp.port==53 on a MacBook Pro laptop running OS X El Capitan (10.11.6), I saw a lot of "Standard query response refused" replies in the "Info" field for responses from the DNS server. When I expanded the "flags" section of the DNS response for those replies from the DNS server, I saw "Reply code: Refused (5)" for some IP address lookups, though other DNS queries were being answered with an IP address.


[/network/dns] permanent link

Fri, Jun 09, 2017 11:01 pm

Obtaining public IP address from a command line interface

One way to determine a system's public IP address, i.e., the IP address that external systems on the Internet see when the system connects to them, from a command-line interface (CLI) on a Linux or Mac OS X/macOS system is the dig command dig +short myip.opendns.com @resolver1.opendns.com. E.g.:

$ dig +short myip.opendns.com @resolver1.opendns.com
137.103.94.167
$

Alternatively, you can use an nslookup command as shown below:

$ nslookup myip.opendns.com resolver1.opendns.com
Server:		resolver1.opendns.com
Address:	208.67.222.222#53

Non-authoritative answer:
Name:	myip.opendns.com
Address: 137.103.94.167

$

The nslookup method will work on Microsoft Windows systems as well as OS X/macOS and Linux systems.

c:\Users\Public\>nslookup myip.opendns.com resolver1.opendns.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    myip.opendns.com
Address:  137.103.94.167


c:\Users\Public\>

Both commands submit a Domain Name System (DNS) query to the DNS server resolver1.opendns.com, a name server maintained by OpenDNS. When you look up the fully qualified domain name (FQDN) myip.opendns.com, the OpenDNS server will return the IP address of the system from which the DNS query originated, i.e., the system on which you ran the dig or nslookup command.

[/network/dns] permanent link

Tue, Jan 17, 2017 10:30 pm

prisoner.iana.org

While using Wireshark to troubleshoot a Domain Name System (DNS) issue for a server that sits behind a firewall that performs Network Address Translation (NAT), I noticed a DNS response coming back where Wireshark showed the following in the "Info" field for a packet:

Standard query response 0x21e1 No such name PTR 5.1.168.192.in-addr.arpa SOA prisoner.iana.org

The server for which I was performing the troubleshooting has an IP address of 192.168.1.5, which is a private IP address. There are 3 private IP address ranges; these ranges are also sometimes referred to as "RFC 1918 addresses", since the private IP address space is defined in RFC 1918. A Request for Comments (RFC) is a document published by the Internet Engineering Task Force (IETF). Some RFCs, such as RFC 1918, become Internet Standards.
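The Refused reply in the earlier Wireshark post and the "No such name" PTR reply above are both read from the same 16-bit flags field of the DNS header: reply code 5 means the server declined to answer for policy reasons, while reply code 3 means the queried name does not exist. The following Python example is added here and is not from the original posts; it decodes those header and question fields from raw DNS bytes, builds the in-addr.arpa name used for a reverse lookup and flags RFC 1918 addresses, and constructs its own sample responses so it runs offline.

```python
import struct
import ipaddress

# Reply codes (RFC 1035 4.1.1) with the labels Wireshark uses in its Info field
RCODE_NAMES = {0: "No error", 3: "No such name", 5: "Refused"}
QTYPE_NAMES = {1: "A", 6: "SOA", 12: "PTR"}
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def read_name(msg, offset):
    """Decode a domain name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at the original offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                      # 2-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:                                  # root label ends the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset

def parse_response(msg):
    """Pull out the header and question fields Wireshark summarises in its Info column."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, "rcode %d" % rcode),
            "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
            "answers": ancount, "authority": nscount}

def reverse_name(ip):
    """Return the in-addr.arpa name a PTR lookup for ip uses and whether ip is RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return addr.reverse_pointer, any(addr in net for net in RFC1918_NETS)

def build_response(txid, rcode, qname, qtype):
    """Constructed sample (not a capture): response header plus question section only."""
    header = struct.pack("!6H", txid, 0x8180 | rcode, 1, 0, 0, 0)   # QR, RD, RA set
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + wire_name + struct.pack("!HH", qtype, 1)          # class IN
```

A private address such as 192.168.1.5 has no public reverse delegation, which is why its PTR query ends up answered with an SOA from prisoner.iana.org rather than a name.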


[/network/dns] permanent link

Thu, Feb 26, 2015 10:04 pm

Adding a new DNS zone to a Windows Server 2012 DNS server

A Windows Server 2012 Essentials system can function as a Domain Name System (DNS) server. If the system is functioning as a DNS server you can add additional zones that are integrated with Active Directory (AD) or you can add them as file-based zones as you would on a Unix/Linux DNS server. The Windows DNS server can be configured to support forward or reverse lookup zones. A primary, secondary, or stub zone can be added.


[/network/dns/windows] permanent link

Thu, Feb 19, 2015 11:01 pm

Enabling DNS Logging for Windows Server 2012

I wanted to log DNS queries and responses from all systems using a Windows Server 2012 DNS server, so that I would have DNS logs available for reference in the event of issues related to malware, etc. I also wanted to rotate the log files every night, so that the file size wouldn't grow continually until it reached the maximum 500 MB size I specified for the log file. Instructions for doing so for a Windows Server 2012 system are here. Instructions for doing so on a Microsoft Windows Small Business Server (SBS) are at Enabling DNS Logging on a Windows SBS 2003 Server.

[/network/dns/windows/logging] permanent link

Sat, Dec 20, 2014 1:58 pm

Viewing history of DNS server and IP Changes for a Domain

If you wish to view a history of Domain Name System (DNS) server changes for a domain name, you can do so through the WhoISrequest Domain History Checker, which tracks nameserver changes since 2002 for all COM, NET, ORG, INFO, BIZ and US domains.

E.g., if I put sailormoonworld.com, which was registered in 1998, in the search field, I can see a list of all of the DNS servers that translated the fully qualified domain name (FQDN) to an IP address since WhoISrequest began tracking name server changes in 2002. The history information for that particular domain shows that registration for the domain name lapsed in 2013 and the domain name was picked up by a domain name squatter then. The domain name squatter let the domain registration lapse in the summer of 2014. I re-registered the domain name for the original owner, a family member, in October.

You can also view such information through the DNS History site, which notes "Here at DNS History we have been crawling DNS records since 2009, our index currently contains over 200 million domains and discovering over a billion DNS records."

If I put sailormoonworld.com in the Domain Search field on that site, though, it has no information on it. It does have information on moonpoint.com, but that information was last updated on 2010-08-11, so that site's information does not appear to be as comprehensive or as up-to-date as the information provided through the WhoISRequest site.

You can also find past name server and registration information through the who.is Search Domain DNS and Name Server Information page. When you put a domain name in the search field, and click on "Search DNS and Name Servers", you will see information on the domain, such as name servers, SOA record, DNS records, including the mail exchanger (MX) servers for the domain. If you click on the History tab above that information, you will see past domain name registrars and name servers associated with the domain.

If you wish to see prior IP addresses associated with a domain name, you can use ViewDNSInfo IP History. I noticed when I checked sailormoonworld.com with its tool, though, that it is not showing a change made near the end of October for that domain. The last change it shows was for 2014-07-05. The site also has a lot of other tools, e.g. Google Pagerank Checker, etc.

[/network/dns] permanent link

Sun, Dec 07, 2014 7:30 pm

Rotate the DNS server log file on a Windows server

For a site where a Windows Small Business Server (SBS) 2003 system serves as a DNS server, I wanted to rotate the DNS log file every night at midnight. The log file is named DNS.log and I'd like to close the current log at midnight, renaming it to DNS_YYYYMMDD.log, where YYYY is the 4-digit year, MM the month (1-12), and DD the day (1-31). The system date can be put in the format YYYYMMDD using substring extraction as explained at Appending a date to a filename in batch files.

Renaming the log file requires stopping the DNS server service, which can be done with the command net stop "DNS Server". If you try to move the file without stopping the service, you will receive the message below:

D:\Logs\DNS>move dns.log dns_old.log
The process cannot access the file because it is being used by another process.
        0 file(s) moved.

After the file is moved/renamed, the DNS server service can be restarted with net start "DNS Server".

The location of the DNS log file is stored in the Windows Registry. A REG QUERY command can be used to obtain the current location for the file as explained at Determining the location of a Microsoft Windows DNS log file from a command prompt. After the location and name of the file are determined, the DNS server service can be stopped, the current log file renamed, and the DNS server service restarted, which creates a new log file with the name and at the location indicated by the registry entry.

The batch file is shown below and is available here.

@echo off

REM Name: rotatednslog.bat
REM Version: 1.0
REM Created: December 6, 2014
REM Last Modified: December 6, 2014
REM
REM Location of latest version:
REM http://support.moonpoint.com/downloads/computer_languages/mswin_batch/rotatednslog.bat
REM
REM Description: When scheduled to run at the end of each day, this batch
REM file will rotate the DNS server log. The DNS server service will be
REM stopped temporarily, so the current DNS log can be renamed to a log file
REM with the name DNS_YYYYMMDD.log, where YYYY is the year, MM the month, and
REM DD the day. The DNS server service will then be restarted creating a
REM new DNS log file. The current location of the DNS log file is obtained
REM from the Windows Registry.

REM Required for substituting the contents of a variable in the string
REM substitution employed to insert the contents of the date variable
REM YYYYMMDD in the log file name.

SETLOCAL ENABLEDELAYEDEXPANSION

REM Windows Registry key holding the location of the DNS log file

SET regkey="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

REM Registry value needed from the above key

SET regvalue="LogFilePath"

REM Extract only the file location (the third space-separated token) from the
REM output of the reg query command. The log file path must not contain spaces.

FOR /F "tokens=3" %%G IN ('reg query %regkey% /v %regvalue% ^| find %regvalue%') DO set logfile=%%G

REM Do not stop the DNS server service if the registry value was not found.

IF NOT DEFINED logfile (
    ECHO Registry value %regvalue% not found under %regkey%
    EXIT /B 1
)

REM Set the variable YYYYMMDD to today's date in YYYYMMDD format where
REM YYYY = 4-digit year, MM is month (1-12), and DD is day (1-31). The
REM substring offsets assume the US date format, e.g. "Sat 12/06/2014".

SET YYYYMMDD=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

REM Set the name for the rotated log file to have "_YYYYMMDD.log" at the
REM end of the file name.  Need to use delayed expansion.

SET renamedlog=!logfile:.log=_%YYYYMMDD%.log!

REM Stop the DNS server service

NET STOP "DNS Server"

REM Move the log file to its new location with its new name.
REM Since you cannot specify a new drive or path for your destination file with
REM the RENAME command, I'm using the MOVE command, instead, in case I may
REM wish to update this batch script to move the file to another drive and/or
REM directory.

MOVE %logfile% %renamedlog%

REM Restart the DNS server service

NET START "DNS Server"

If it is run from a command prompt, you will see the following output:

C:\Program Files\Utility\Scripts>rotatednslog
The DNS Server service is stopping.
The DNS Server service was stopped successfully.

        1 file(s) moved.
The DNS Server service is starting.
The DNS Server service was started successfully.

Since I would like the batch file to execute at the end of each day, I scheduled it to run at 23:59 (11:59 PM) Monday through Sunday with the command at 23:59 /every:m,t,w,th,f,s,su "C:\program files\utility\scripts\rotatednslog.bat" (specify the location for the batch file).

C:\Program Files\Utility\Scripts>at 23:59 /every:m,t,w,th,f,s,su "C:\program files\utility\scripts\rotatednslog.bat"
Added a new job with job ID = 5

I could have used 00:00 to run the batch job at midnight, but I set it to run 1 minute before midnight to be sure that the date inserted in the name of the file is the one for the day that has just ended rather than the date of the new day.

If you want to see the details of scheduled batch jobs, you can just enter at without any parameters at the command line and hit return. You will then see all the scheduled batch jobs. There may be gaps in the ID numbers if some batch jobs have been deleted.

C:\Documents and Settings\Administrator>at
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S       7:30 PM       d:\backups\daily.bat
        2   Each Su                 7:30 PM       d:\backups\weekly.bat
        5   Each M T W Th F S Su    11:59 PM      "C:\program files\utility\scripts\rotatednslog.bat"

If you wish to delete a scheduled batch job you can use at id /delete, where id is the numeric ID assigned to a batch job. E.g., the rotatednslog batch job above could be deleted with at 5 /delete.

[/network/dns/windows] permanent link

Sat, Nov 22, 2014 12:25 pm

Determining the location of a Microsoft Windows DNS log file from a command prompt

If you need to determine the location of the log file for a Microsoft Windows server functioning as a DNS server from the command line, you can do so through a reg query command.

C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    LogFilePath    REG_SZ    d:\logs\dns\dns.log

You can reduce the output displayed to just the line containing the log file location by piping the output of the reg query command into the find command.

C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath | find "LogFilePath"
    LogFilePath    REG_SZ    d:\logs\dns\dns.log

If you wish to see just the log file location and not the other information returned by the reg query command, you can use a FOR /F loop command such as the following:

C:\>for /f "tokens=3" %g in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') do @echo %g 
d:\logs\dns\dns.log

C:\>

The FOR /F loop breaks each line of output from the command being processed into items, called "tokens", that are separated by spaces. In this case, I'm only interested in the third token on the line of output, which is the location of the DNS log file. The output that is being processed is the result of piping the output of the reg query command into the find command. Since the pipe symbol, i.e., the vertical bar character |, has a special meaning for the Windows command interpreter, you need to place an "escape character", which for Windows is the caret symbol, ^, immediately before it so that the pipe is applied inside the FOR /F command rather than to the FOR command itself. You also need to put the at symbol, @, before the echo command to avoid seeing the echo command itself as output.

If you wish to use a batch file to execute the commands to find the log file location, you need to replace the %g with %%g as shown below.

@echo off
FOR /F "tokens=3" %%G IN ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') DO echo %%G

The registry key and the value to be queried can also be placed in environment variables that can be modified, if you wish to query other registry keys, instead of the one for the DNS log file location, so that it is easier to see what needs to be changed for such other queries.

@echo off

REM Name: queryreg.bat
REM Version: 1.0
REM Created: November 22, 2014
REM Last Modified: November 22, 2014
REM
REM Description: Displays just the value of a registry key from a
REM "reg query regkey /v regvalue" command omitting the additional
REM information that is output by the command

set regkey="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
set regvalue="LogFilePath"

REM The value name is taken from %regvalue% so that changing the two
REM variables above is all that is needed to query a different key and value.
REM Note: "tokens=3" returns only the first word of a value containing spaces.

FOR /F "tokens=3" %%G IN ('reg query %regkey% /v %regvalue% ^| find %regvalue%') DO echo %%G

Download: queryreg.bat

[/network/dns/windows/logging] permanent link

Fri, Nov 21, 2014 11:09 pm

Windows DNS Log Analyser

If you've turned on logging for the DNS service provided on Microsoft Windows servers, a useful tool for analyzing the contents of the log file is Windows DNS Log Analyser, a small (about 1.44 MB), free program that understands the Microsoft Windows DNS server log file format and presents the information in a more easily analyzed form.


[/network/dns/windows] permanent link

Thu, Nov 20, 2014 11:17 pm

Enabling DNS Logging on a Microsoft Windows SBS 2003 Server

DNS logging can be useful when trying to monitor what systems an infected system is trying to contact. The DNS log will show you what DNS queries were sent by the system to the DNS server to look up IP addresses for host names.


[/network/dns/windows] permanent link
