When working towards decommissioning one or more Domain Controllers/DNS servers, it is important that, before the DNS role is removed, every device referencing the server for DNS queries is identified and updated with the new values. DNS is an integral part of healthy, functioning systems, and failing to do this could result in serious system failures and problems.

A simple real-world example: suppose email alerting is your only hardware monitoring, and the mail server value is set to a fully qualified domain name. When the disks eventually start to fail one by one, the mail server name would not resolve, so notifications would not get through to the correct personnel. If this was not picked up, the RAID would eventually exhaust any spares/resiliency and the system would crash. You would then be looking at rebuilding the server/storage array and restoring from backups.

Setup DNS Logging

Within DNS Manager, right-click the server, go to Properties, then select Debug Logging.
Change the values as per the image below, which will focus logging on incoming UDP queries.
 
 
 
Once applied, allow some time for DNS queries to appear. 1 to 24 hours gives a better picture of queries, but ideally the longer the better, to ensure that any device using this server for DNS queries is caught in the logs.

Install Log Parser 2.2

View DNS Queries

Open Command Prompt, then change directory to the recently installed Log Parser:

cd "C:\Program Files (x86)\Log Parser 2.2"
 
Once in the directory, run the following command, which analyses your DNS log file and returns the query count in
LogParser -i:TSV -nskiplines:30 -headerRow:off -iSeparator:space -nSep:1 -fixedSep:off -rtp:-1 "SELECT field8 AS IP, REVERSEDNS(IP) AS Name, count(IP) as QueryCount FROM 'C:\Temp\dns_log.log' WHERE field10 = 'Q' GROUP BY IP ORDER BY QueryCount DESC"
 

The results returned will look similar to the following:

IP Name QueryCount
10.0.0.98 server98.domain.local 2851
10.0.1.3 server3.domain.local 2331
10.0.0.39 pc11.domain.local 165
 
You can now update the DNS settings on these devices, then continue to monitor this log as the query count gradually reduces. Once nothing is hitting the server, you can proceed with the demotion/decommission, from a DNS perspective at least.
 
Note: You may get occasional SOA lookups, which you do not need to worry about if you are working towards decommissioning the server. Also be aware of devices that very rarely perform DNS lookups, such as network, printer or out-of-band management devices.
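
The following is an added example, not part of the original post: a Python take on the same per-client count that also drops the SOA lookups mentioned in the note and records when each client was last seen, so rarely querying devices stand out. The function name and the sample log lines are constructed for illustration, and the line layout (client IP in field 8, "Q" in field 10, 24-hour timestamps) is assumed from the Log Parser query above.

```python
from collections import Counter

# Constructed sample lines in the layout the Log Parser query relies on:
# whitespace-separated, client IP in field 8, "Q" in field 10 for a query.
# Assumes a 24-hour timestamp (an AM/PM token would shift every field by one).
SAMPLE_LOG = """\
DNS Server log file creation at 01/03/2024 09:00:00
01/03/2024 09:15:02 0E70 PACKET  000000D4A1B2C3D0 UDP Rcv 10.0.0.98   5b47   Q [0001   D   NOERROR] A      (4)mail(6)domain(5)local(0)
01/03/2024 09:15:02 0E70 PACKET  000000D4A1B2C3D0 UDP Snd 10.0.0.98   5b47 R Q [8085 A DR  NOERROR] A      (4)mail(6)domain(5)local(0)
01/03/2024 09:16:40 0E70 PACKET  000000D4A1B2C4E0 UDP Rcv 10.0.1.3    1c02   Q [0001   D   NOERROR] A      (8)server98(6)domain(5)local(0)
01/03/2024 09:17:05 0E70 PACKET  000000D4A1B2C5F0 UDP Rcv 10.0.1.3    1c03   Q [0000       NOERROR] SOA    (6)domain(5)local(0)
01/03/2024 09:20:11 0E70 PACKET  000000D4A1B2C600 UDP Rcv 10.0.0.98   5b48   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(6)domain(5)local(0)
01/03/2024 11:42:30 0E70 PACKET  000000D4A1B2C710 UDP Rcv 10.0.0.39   77a1   Q [0001   D   NOERROR] A      (4)mail(6)domain(5)local(0)
01/03/2024 11:50:00 0E70 PACKET  000000D4A1B2C820 UDP Rcv 10.0.0.200  0a10   Q [0000       NOERROR] SOA    (6)domain(5)local(0)
"""


def summarise_clients(lines, ignore_types=("SOA",)):
    """Return [(client_ip, query_count, last_seen, record_types)], busiest first."""
    counts, last_seen, types = Counter(), {}, {}
    for line in lines:
        f = line.split()
        # Keep received query packets only; headers, blank lines and
        # responses (field 10 is "R" instead of "Q") are skipped.
        if len(f) < 10 or f[3] != "PACKET" or f[6] != "Rcv" or f[9] != "Q":
            continue
        # The record type is the token after the closing "]" of the flags group.
        # Its position shifts with the flag characters, so locate it by scanning.
        qtype = next((f[i + 1] for i in range(10, len(f) - 1)
                      if f[i].endswith("]")), "?")
        if qtype in ignore_types:
            continue
        ip = f[7]
        counts[ip] += 1
        last_seen[ip] = f"{f[0]} {f[1]}"  # log is chronological: last match wins
        types.setdefault(ip, set()).add(qtype)
    return [(ip, n, last_seen[ip], sorted(types[ip]))
            for ip, n in counts.most_common()]


if __name__ == "__main__":
    print(f"{'IP':<15} {'Queries':>7}  {'Last seen':<19}  Types")
    for ip, n, seen, qtypes in summarise_clients(SAMPLE_LOG.splitlines()):
        print(f"{ip:<15} {n:>7}  {seen:<19}  {','.join(qtypes)}")
```

A client that appears only when `ignore_types=()` is passed is sending nothing but SOA lookups, and a low count with an old "last seen" value points to the kind of rarely querying device the note warns about.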