DNS Queries

Hi all.

I just want to know which PC from my LAN is making specific queries to DNS.
Mikrotik CCR1036-12G-4S fv. 3.10

ip dns> print
servers: xxx.xxx.xxx.7,yyy.yyy.yyy.1,8.8.8.8,8.8.8.4
dynamic-servers:
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
cache-size: 8192KiB
cache-max-ttl: 1w
cache-used: 148KiB

/ip dns cache> print
(..)
98 upwpm.us 174.36.200.173 5m41s
99 upwpm.us 50.97.45.5 5m41s
(..)

These entries come from an infected PC.
How to find it (its IP address) in the LAN?

I’m trying something with Packet Sniffer filtered on port 53, but I’ve found it difficult.

TIA

Hi,
I think it will help you (sorry google :wink: ):

/ip firewall filter
add action=jump chain=input connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=input connection-state=new dst-address-list=ddosed src-address-list=ddoser
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=ddoser to-addresses=8.8.8.8 to-ports=53
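
Added example (not part of either post above): one way to answer the original question offline is to read a port 53 Packet Sniffer capture and list which source addresses asked for the cached name. It assumes the capture was saved as a classic little-endian pcap with Ethernet framing; the function names, the 192.168.88.x addresses and the sample capture are constructed for illustration.

```python
import socket, struct
from collections import defaultdict

def qname(dns: bytes) -> str:
    """Decode the first question name of a DNS message (queries carry it uncompressed)."""
    labels, i = [], 12                          # skip the 12-byte DNS header
    while i < len(dns) and dns[i]:
        n = dns[i]
        if n > 63 or i + 1 + n > len(dns):      # compression pointer or truncated label
            break
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace").lower())
        i += 1 + n
    return ".".join(labels)

def clients_querying(pcap: bytes, watch: str) -> dict:
    """Map source IP -> set of queried names equal to `watch` or a subdomain of it."""
    hits, off = defaultdict(set), 24            # skip the 24-byte pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]    # captured length
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                            # not IPv4 + UDP over Ethernet
        udp = 14 + (frame[14] & 0x0F) * 4       # UDP header follows the IP header
        dns = frame[udp + 8:]
        if len(dns) < 12 or frame[udp + 2:udp + 4] != b"\x00\x35" or dns[2] & 0x80:
            continue                            # keep only queries sent to port 53
        name = qname(dns)
        if name == watch or name.endswith("." + watch):
            hits[socket.inet_ntoa(frame[26:30])].add(name)
    return dict(hits)

def make_frame(src: str, name: str) -> bytes:
    """Build one constructed pcap record: a DNS A query from `src` to the router."""
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00\x00\x01\x00\x01"
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton("192.168.88.1")) + udp
    eth = b"\x02" * 12 + b"\x08\x00" + ip
    return struct.pack("<4I", 0, 0, len(eth), len(eth)) + eth

# Constructed capture: three queries from two made-up LAN addresses.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + make_frame("192.168.88.10", "example.com")
          + make_frame("192.168.88.23", "upwpm.us")
          + make_frame("192.168.88.23", "www.upwpm.us"))

if __name__ == "__main__":
    for ip, names in clients_querying(SAMPLE, "upwpm.us").items():
        print(ip, sorted(names))
```

For a real capture, pass the bytes of the saved sniffer file in place of SAMPLE; the capture has to be taken on the LAN-facing interface so the source address is the client's and not the router's.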