We are removing multiple DNS servers. We have removed those servers from DNS reference from all dhcp scopes, and ran script across all windows servers to make sure they are not being used. There still might be Linux/telecom/workstations manually set that we do not know about, so I was going to use debug logging just to look for queries that are coming and to try and determine where they came from. I have debug logging set to log packets for Incoming, UDP, Queries/Transfers, and Request, but having trouble figuring out this log. Here is an example of what I am seeing. Does anyone have a reference for this? I am having trouble finding one.
Is this saying that a computernamed POS188 made a query for a host(A) record? or is it saying that a query came in from 128.1.60.221 for a host(A) record named POS188? Just looking for reference to help explain this. The good news is the only IP address that shows(128.1.60.221) is the IP of the DNS server, but the only thing I could find for reference was this -http://technet.microsoft.com/en-us/library/cc776361(WS.10).aspx
9/16/2014 12:05:23 AM 1144 PACKET 000000000624CBD0 UDP Rcv 128.1.60.221 8952 Q [0001 D NOERROR] A (8)POS188(11)contoso(3)com(0)
Thanks,
Dan Heim