While filtering on Domain Name System (DNS) queries in the Wireshark packet capture tool with a filter of udp.port==53 on a MacBook Pro laptop running OS X El Capitan (10.11.6), I saw a lot of "Stanard query response refused" replies in the "Info" field for responses from the DNS server. When I expanded the "flags" section of the DNS response for those replies from the DNS server, I saw "Reply code: Refused (5)" for some IP address lookups, though other DNS queries were being answered with an IP address.

[ More Info ]

[/network/dns] permanent link

One way to determine the public IP address for a system, i.e., the IP address that systems on the Internet will see for the system when you connect to those external systems, from a command-line interface (CLI) on a Linux or Mac OS X/macOS system is to use the dig command dig +short myip.opendns.com @resolver1.opendns.com. E.g.:

$ dig +short myip.opendns.com @resolver1.opendns.com
137.103.94.167
$

Alternatively, you can use an nslookup command as shown below:

$ nslookup myip.opendns.com resolver1.opendns.com
Server:		resolver1.opendns.com
Address:	208.67.222.222#53

Non-authoritative answer:
Name:	myip.opendns.com
Address: 137.103.94.167

$

The nslookup method will work on Microsoft Windows systems as well as OS X/macOS and Linux sysems.

c:\Users\Public\>nslookup myip.opendns.com resolver1.opendns.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    myip.opendns.com
Address:  137.103.94.167


c:\Users\Public\>

Both commands submit a Domain Name System (DNS) query to the DNS server resolver1.opendns.com, a name server maintained by OpenDNS. When you look up the fully qualified domain name (FQDN) myip.opendns.com, the OpenDNS server will return the IP address of the system from which the DNS query originated, i.e., the system on which you ran the dig or nslookup command.

[/network/dns] permanent link

The server for which I was performing the troubleshooting has an IP address of 192.168.1.5, which is a private IP address. There are 3 private IP address ranges; these ranges are also sometimes referred to as "RFC 1918 addresses", since the private IP address space is defined in RFC 1918 . A Request for Comments (RFC) is a document published by the Internet Engineering Task Force (IETF). Some RFCs, such as RFC 1918 become Internet Standards.

[ More Info ]

[/network/dns] permanent link

[ More Info ]

[/network/dns/windows] permanent link

[/network/dns/windows/logging] permanent link

E.g., if I put sailormoonworld.com, which was registered in 1998, in the search field, I can see a list of all of the DNS servers that translated the fully qualified domain name (FQDN) to an IP address since WhoISrequest began tracking name server changes in 2002. The history information for that particular domain shows that registration for the domain name lapsed in 2013 and the domain name was picked up by a domain name squatter then. The domain name squatter let the domain registration lapse in the summer of 2014. I re-registered the domain name for the original owner, a family member, in October.

You can also view such information through the DNS History site, which notes "Here at DNS History we have been crawling DNS records since 2009, our index currently contains over 200 million domains and discovering over a billion DNS records."

If I put sailormoonworld.com in the Doman Search field on that site, though, it does not have any information on it, though it does have information on moonpoint.com, though that information was last updated on 2010-08-11, so that site's information does not appear to be as comprehensive nor as up-to-date as the information provided through the WhoISRequest site.

You can also find past name server and registration information through the who.is Search Domain DNS and Name Server Information page. When you put a domain name in the search field, and click on "Search DNS and Name Servers", you will see information on the domain, such as name servers, SOA record, DNS records, including the mail exchanger (MX) servers for the domain. If you click on the History tab above that information, you will see past domain name registrars and name servers associated with the domain.

If you wish to see prior IP addresses associated with a domain name, you can use ViewDNSInfo IP History. I noticed when I checked sailormoonworld.com with its tool, though, that it is not showing a change made near the end of October for that domain. The last change it shows was for 2014-07-05. The site also has a lot of other tools, e.g. Google Pagerank Checker, etc.

[/network/dns] permanent link

Renaming the log file requires stopping the DNS server service, which can be done with the command net stop "DNS Server". If you try to move the file without stopping the service, you will receive the message below:

D:\Logs\DNS>move dns.log dns_old.log
The process cannot access the file because it is being used by another process.
        0 file(s) moved.

After the file is moved/renamed, the DNS server service can be restarted with net start "DNS Server".

The location of the DNS log file is stored in the Windows Registry. A REG QUERY command can be used to obtain the current location for the file as explained at Determing the location of a Microsoft Windows DNS log file from a command prompt. After the location and name of the file is determined, the DNS server service can be stopped, then the current log file can be renamed, and the DNS server service can be restarted, creating a new log file with the name and at the location indicated by the registry entry.

The batch file is shown below and is available here.

@echo off

REM Name: rotatednslog.bat
REM Version: 1.0
REM Created: December 6, 2014
REM Last Modified: December 6, 2014
REM
REM: Location of latest version: 
REM: http://support.moonpoint.com/downloads/computer_languages/mswin_batch/rotatednslog.bat
REM
REM Description: When scheduled to run at the end of each day, this batch
REM file will roate the DNS server log. The DNS server service will be
REM stopped temporarily, so the current DNS log can be renamed to a log file
REM with the name DNS_YYYYMMDD.log, where YYYY is the year, MM the month, and
REM DD the day. The DNS server service will then be restarted creating a
REM new DNS log file. The current location of the DNS log file is obtained
REM from the Windows Registry.

REM Required for substituting the contents of a variable in string subsitution
REM employed to insert the contents of the date variable YYYYMMDD in the log
REM file name.

SETLOCAL ENABLEDELAYEDEXPANSION

REM Windows Registry key holding the location of the DNS log file

SET regkey="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

REM Registry value needed from the above key

SET regvalue="LogFilePath"

REM Extract only the file location from the output of the reg query command

FOR /F "tokens=3" %%G IN ('reg query %regkey% /v LogFilePath ^| find %regvalue%') DO set logfile=%%G

REM Set the variable YYYYMMDD to today's date in YYYYMMDD format where
REM YYYY = 4-digit year, MM is month (1-12), and DD is day (1-31)

SET YYYYMMDD=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

REM Set the name for the rotated log file to have "_YYYYMMDD.log" at the
REM end of the file name.  Need to use delayed expansion.

SET renamedlog=!logfile:.log=_%YYYYMMDD%.log!

REM Stop the DNS server service

NET STOP "DNS Server"

REM Move the log file to its new location with its new name.
REM Since you cannot specify a new drive or path for your destination file with
REM the RENAME command, I'm using the MOVE command, instead, in case I may
REM wish to update this batch script to move the file to another drive and/or
REM directory.

MOVE %logfile% %renamedlog%

REM Restart the DNS server service

NET START "DNS Server"

If it is run from a command prompt, you will see the following output:

C:\Program Files\Utility\Scripts>rotatednslog
The DNS Server service is stopping.
The DNS Server service was stopped successfully.

        1 file(s) moved.
The DNS Server service is starting.
The DNS Server service was started successfully.

Since I would like the batch file to execute at the end of each day, I scheduled it to run at 23:59 (11:59 PM) Monday through Sunday with the command at 23:59 /every:m,t,w,th,f,s,su "C:\program files\utility\scripts\rotatednslog.bat (specify the location for the batch file).

C:\Program Files\Utility\Scripts>at 23:59 /every:m,t,w,th,f,s,su "C:\program files\utility\scripts\rotatednslog.bat"
Added a new job with job ID = 5

I could have used 00:00 to run the batch job at midnight, but I set it to run 1 minute before midnight to be sure that the date inserted in the name of the file is the one for the day that has just ended rather than the date of the new day.

If you want to see the details of scheduled batch jobs, you can just enter at without any parameters at the command line and hit return. You will then see all the scheduled batch jobs. There may be gaps in the ID numbers if some batch jobs have been deleted.

C:\Documents and Settings\Administrator>at
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S       7:30 PM       d:\backups\daily.bat
        2   Each Su                 7:30 PM       d:\backups\weekly.bat
        5   Each M T W Th F S Su    11:59 PM      "C:\program files\utility\scripts\rotatednslog.bat"

If you wish to delete a scheduled batch job you can use at id /delete, where id is the numeric ID assigned to a batch job. E.g., the rotatednslog batch job above could be deleted with at 5 /delete.

[/network/dns/windows] permanent link

C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    LogFilePath    REG_SZ    d:\logs\dns\dns.log

You can reduce the output displayed to just the line containing the log file location by piping the output of the reg query command into the find command.

C:\>reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v LogFilePath | find "LogFilePath"
    LogFilePath    REG_SZ    d:\logs\dns\dns.log

If you wish to see just the log file location and not the other information returned by the reg query command, you can use a FOR /F loop command such as the following:

C:\>for /f "tokens=3" %g in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') do @echo %g 
d:\logs\dns\dns.log

C:\>

The FOR /F loop breaks up a line of output from the command that is being processed into items, called "tokens" that are separated by space on the lines of output from the command. In this case, I'm only interested in the third token on the line of output, which is the location of the DNS log file. The output that is being processed is the result of piping the output of the reg query command into the find command. Since the pipe symbol, i.e., the vertical bar character |, has a special meaning for the Windows operating system, you need to place an "escape character", which for Windows is the caret symbol, ^, immediately before it. You also need to put the at symbol, @, before the echo command to avoid seeing the echo command itself as output.

If you wish to use a batch file to execute the commands to find the log file location, you need to replace the %g with %%g as shown below.

@echo off
FOR /F "tokens=3" %%G IN ('reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v LogFilePath ^| find "LogFilePath"') DO echo %%G

The registry key and the value to be queried can also be placed in environment variables that can be modified, if you wish to query other registry keys, instead of the one for the DNS log file location, so that it is easier to see what needs to be changed for such other queries.

@echo off

REM Name: queryreg.bat
REM Version: 1.0
REM Created: November 22, 2014
REM Last Modified: November 22, 2014
REM
REM Description: Displays just the value of a registry key from a
REM "reg query regkey /v regvalue" command omitting the additional
REM information that is output by the command

set regkey="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
set regvalue="LogFilePath"

FOR /F "tokens=3" %%G IN ('reg query %regkey% /v LogFilePath ^| find %regvalue%') DO echo %%G

Download: queryreg.bat

[/network/dns/windows/logging] permanent link

[ More Info ]

[/network/dns/windows] permanent link

[ More Info ]

[/network/dns/windows] permanent link