We’re still trying to hunt down some stubborn Conficker (a “difficult” word around here) viruses running around in a distant location. (According to the local administrators, their virus scanners can’t be installed, are broken, or whatever – I think they just can’t be bothered.)
In order to nail down the contaminated machines, I first set up query logging on those name servers by adding a bit to named.conf (I’d normally use rndc querylog to toggle logging on, but I want the logs to go to a separate file):
    logging {
        channel query_logging {
            file "/var/log/named/querylog" versions 3 size 100M;
            print-time yes;
        };
        category queries {
            query_logging;
        };
    };
This gives me log entries like the following:
client 192.168.100.6#1340: query: www.whatsmyipaddress.com IN A
And a subsequent bit of grep, AWK and sort gives me what we need: a unique list of IP addresses.
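Here is an added example of that grep/AWK/sort step (my own illustration, not the pipeline from the post), run over a few constructed log lines in the format shown above. The function names are assumed; it also goes a little further than a plain unique list by counting queries per client and picking out the clients that asked for a particular name.

```shell
#!/bin/sh
# Constructed sample of BIND query-log lines. With "print-time yes" most lines
# carry a timestamp prefix, so the "client" token is not in a fixed column.
SAMPLE_LOG='26-Oct-2009 09:12:01.123 client 192.168.100.6#1340: query: www.whatsmyipaddress.com IN A
26-Oct-2009 09:12:02.456 client 192.168.100.6#1341: query: example.org IN A
26-Oct-2009 09:12:03.789 client 192.168.100.7#53122: query: www.whatsmyipaddress.com IN A
client 192.168.100.9#2020: query: example.net IN MX'

# client_name_pairs: reduce each log line to "CLIENT_IP QUERIED_NAME".
# The "client" token is located by value, so an optional timestamp prefix
# does not shift the fields we read.
client_name_pairs() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "client") {
                split($(i + 1), addr, "#")   # drop the "#port:" suffix
                print addr[1], $(i + 3)      # name follows the "query:" token
                break
            }
    }'
}

# unique_clients: every querying client IP exactly once, sorted.
unique_clients() {
    client_name_pairs | awk '{ print $1 }' | sort -u
}

# query_counts: number of queries per client IP, busiest first.
query_counts() {
    client_name_pairs | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# clients_querying REGEX: clients that looked up a name matching REGEX.
clients_querying() {
    client_name_pairs | awk -v re="$1" '$2 ~ re { print $1 }' | sort -u
}

# Stand-alone run over the sample; on a real server feed the querylog file instead.
printf '%s\n' "$SAMPLE_LOG" | unique_clients
```
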
Gotcha! Now off to the routing guys to get those PCs disabled network-wise.
It ain’t a DNS problem. ;-)