How to enable DNS logging to monitor requests
This comes from the ‘Learn something new every day’ file. Working with a client to decommission an old DNS server, this important question came up:
How do we know if all the existing servers are configured for the new DNS servers?
Peter Abernathy
The first way I thought of was to use powershell to query all of the servers and grab their DNS configurations and report back and verify that all servers are configured correctly. We might miss machines or workstations that we didn’t know about though.
Then we thought of putting Wireshark and watching for any port 53 requests to the old DNS server and then finally we realized we could just use the built-in DNS logging to determine if anyone is using the old server. This seemed like the best route to take.
We followed these instructions but it was basically just enabling Debug Logging on the old DNS server. We used the following settings to just capture the requests which we could use to see the IPs of the machines requesting DNS.
In the debug log, you will see a list of servers accessing the old DNS server that you can then use to determine which servers are still configured to use old DNS server entries. You just let it run in this debug mode for a few hours. Once the log is clear, you are free to decommission the DNS server.
When we are ready to turn off debugging, you can do it via the GUI and additionally remove it from the registry under the following location.
The location used is stored in the LogFilePath value in the following path:
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
I learned a couple of new tricks in the process and we successfully decommissioned the server after we fixed a few stragglers.
Happy DNSing!
– Carlo