I've set up a DNS Blackhole system running WS2008 Core R2. Everything is working according to plan. All traffic to the "evil" domains is being routed to the bit bucket. I want to take this one step further by setting up monitors so that whenever a system queries an evil domain, an email (or SCOM alert) gets generated with the source IP and the query. The only additional monitoring I have been able to find for DNS is the debugging settings, and unfortunately I don't think that will work long term. What are my other options?
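The debug log the question mentions does carry the two fields wanted (source IP and queried name), so as an added example, not code from the original post, here is a PowerShell script that picks received query packets out of that log, matches them against a list of blackholed zones, and hands the hits to an email or event-log sink. It assumes the default line layout of the WS2008 R2 DNS server debug log (Dns.log); the zone list, SMTP server, addresses and the sample log lines are all hypothetical or constructed, not captured from a real server.

```powershell
# Added example, not from the original post. Assumes the default WS2008 R2 DNS
# debug-log line layout. Zone list and sample lines are constructed.

$BlackholedZones = @('evil.com', 'badguys.net')   # hypothetical blackholed zones

# Constructed sample of Dns.log content: one query for a blackholed name, its
# response (Snd, flagged R), one benign query, and a TCP query for another zone.
$SampleLog = @'
3/5/2012 10:15:22 AM 0E20 PACKET  00000000016B4350 UDP Rcv 192.168.1.50     0002   Q [0001   D   NOERROR] A      (3)www(4)evil(3)com(0)
3/5/2012 10:15:22 AM 0E20 PACKET  00000000016B4350 UDP Snd 192.168.1.50     0002 R Q [8085 A DR  NOERROR] A      (3)www(4)evil(3)com(0)
3/5/2012 10:15:23 AM 0E20 PACKET  00000000016B5120 UDP Rcv 192.168.1.77     0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/5/2012 10:15:24 AM 0E20 PACKET  00000000016B6A00 TCP Rcv 10.0.0.9         0004   Q [0001   D   NOERROR] MX     (7)badguys(3)net(0)
'@ -split "`r?`n"

function ConvertFrom-DnsLabels {
    # The log writes names in length-prefixed form, e.g. "(3)www(4)evil(3)com(0)";
    # turn that into "www.evil.com".
    param([string]$Label)
    $name = $Label -replace '^\(\d+\)', '' -replace '\(\d+\)', '.'
    return $name.TrimEnd('.').ToLowerInvariant()
}

function Find-BlackholeQuery {
    # Returns one object per received query (Rcv) whose name is in, or under,
    # one of the given zones. Responses (Snd, with the R flag) are skipped.
    param([string[]]$Lines, [string[]]$Zones)
    $pattern = '^(?<when>\S+ \S+ \S+)\s.*?\s(?<proto>UDP|TCP) Rcv (?<ip>\S+)\s+[0-9A-Fa-f]{4}\s+Q \[[^\]]*\]\s+(?<qtype>\S+)\s+(?<name>\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $fqdn = ConvertFrom-DnsLabels $Matches['name']
        foreach ($zone in $Zones) {
            if ($fqdn -eq $zone -or $fqdn.EndsWith(".$zone")) {
                [pscustomobject]@{
                    Time     = $Matches['when']
                    SourceIP = $Matches['ip']
                    Protocol = $Matches['proto']
                    Query    = $fqdn
                    Type     = $Matches['qtype']
                    Zone     = $zone
                }
                break
            }
        }
    }
}

function Send-BlackholeAlert {
    # Email sink; all connection details are caller-supplied (hypothetical here).
    param([object[]]$Hits, [string]$SmtpServer, [string]$From, [string]$To)
    if (-not $Hits) { return }
    $body = $Hits | Format-Table Time, SourceIP, Query, Type, Zone -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject ("DNS blackhole hits: {0}" -f @($Hits).Count) -Body $body
}

# Run over the constructed sample; expect two hits (192.168.1.50 and 10.0.0.9).
$hits = Find-BlackholeQuery -Lines $SampleLog -Zones $BlackholedZones
$hits | Format-Table -AutoSize

# Hypothetical addresses; uncomment to send.
# Send-BlackholeAlert -Hits $hits -SmtpServer 'smtp.example.local' -From 'dns@example.local' -To 'secops@example.local'
```

For an SCOM-visible alert instead of mail, write each hit to the Application log with `Write-EventLog` (after registering a source once with `New-EventLog -LogName Application -Source 'DNSBlackhole'`) and have SCOM pick up that event ID. For live use, feed the function from `Get-Content -Wait` on the debug log rather than from `$SampleLog`. One caveat, since it bears on the "won't work long term" concern: the DNS debug log is written through a buffer and wraps at its configured maximum size, so lines arrive in bursts and a wrapped file will drop hits if the reader falls behind.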