CNR DNS Request Logs

ttaglieri
Level 1

Hi,

I'm using CNR 6.2.2 and I would like to track which Windows workstation is trying to reach a URL. There are some strange DNS log entries (01/02/2007 15:20:44 name/dns/1 Info Protocol 0 02379 Lame server for 'hafeh.com' at [72.249.30.42] while resolving 'hafeh.com') and I would like to know which workstation they came from.

It looks like a worm/virus of some sort. Thanks for any help you may offer.

1 Reply

David Stanford
Cisco Employee

It looks like some server is querying your DNS server recursively for the zone that it's not authoritative for.

So either you can locate that machine and shut it down or put an access list on your router to drop the traffic coming from that host to your DNS.

You can set up the debug as follows to find out exactly where the request is coming from.

Go to nrcmd

Login with username and passwd. Then type the following for the debug.

nrcmd>dns setdebug DP=6

Please do this when your CPU is high and you see those lame server error messages in the logs.

After capturing the log, unset the debug as follows:

nrcmd>dns unsetdebug
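
To decide when to capture and which names to look for, the lame server entries can be tallied per queried name. This is an added example, not part of the original posts and not Cisco code; it assumes the entry format quoted in the question and month/day/year dates, and every sample line except the first is constructed.

```python
import re
from datetime import datetime

# Entry format taken from the "Lame server" line quoted in the question.
LAME_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s.*?"
    r"Lame server for '(?P<zone>[^']+)' at \[(?P<server>[^\]]+)\] "
    r"while resolving '(?P<name>[^']+)'"
)

# First line is from the post; the rest are constructed for this example.
SAMPLE = [
    "01/02/2007 15:20:44 name/dns/1 Info Protocol 0 02379 Lame server for 'hafeh.com' at [72.249.30.42] while resolving 'hafeh.com'",
    "01/02/2007 15:21:10 name/dns/1 Info Protocol 0 02379 Lame server for 'hafeh.com' at [72.249.30.42] while resolving 'hafeh.com'",
    "01/02/2007 15:25:03 name/dns/1 Info Protocol 0 02379 Lame server for 'example.net' at [192.0.2.53] while resolving 'www.example.net'",
    "01/02/2007 15:26:00 name/dns/1 Info Protocol 0 00000 unrelated entry",
]

def parse_lame(line):
    """Return (timestamp, queried name, lame server IP) or None."""
    m = LAME_RE.search(line)
    if m is None:
        return None
    # Assumption: dates are month/day/year; swap %m and %d if not.
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
    return ts, m["name"].lower().rstrip("."), m["server"]

def summarize(lines):
    """Per queried name: hit count, first/last time seen, lame servers."""
    stats = {}
    for line in lines:
        rec = parse_lame(line)
        if rec is None:
            continue
        ts, name, server = rec
        s = stats.setdefault(
            name, {"count": 0, "first": ts, "last": ts, "servers": set()})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["servers"].add(server)
    return stats

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for name, s in ranked:
        print(f"{name}: {s['count']} hits, {s['first']} to {s['last']}, "
              f"servers {sorted(s['servers'])}")
```

The names with the most hits, and their first and last timestamps, are what to search for in the log captured while `dns setdebug DP=6` is active.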