We’re still trying to hunt-down some stubborn Conficker (a “difficult” word around here) viruses running around in a distant location. (According to local administrators, their virus scanners can’t be installed, are broken, or whatever – I think they just can’t be bothered.)

In order to nail down the contaminated machines, I first set up query-logging on those name servers by adding a bit to named.conf (I’d normaly use rndc querylog to toggle logging on, but I want the logs to go to a separate file.):

    logging {
        channel query_logging {
         file "/var/log/named/querylog"
         versions 3 size 100M;
         print-time yes;
          };
    
          category queries {
          query_logging;
          };
    };
    

This gives me log entries like the following:

client 192.168.100.6#1340: query: www.whatsmyipaddress.com IN A

And a subsequent bit of grep, AWK and sort gives me what we need: a unique list of IP addresses.

Gotcha! Now off to the routing guys to get those PCs disabled network-wise.

It ain’t a DNS problem. ;-)