Is there an (easy) way to log NT4 DNS requests?



I've got an NT4 server system on my network that runs an SMTP server.  I have my router log in-bound and out-bound traffic to/from the machine and also restrict its access to the internet beyond a few necessary ports.  So in the logs I'll see traffic on port 53 (DNS) and 25 (SMTP).  The machine's TCP settings have 3 DNS IP addresses, 2 of which are my ISP's DNS servers and the third is 4.2.2.2 (a generic server that I've used for years as a DNS backup and also for pings to test for IP connectivity).

I happened to be looking at the logs recently and noticed that the NT server does make port 53 DNS requests to the first DNS server IP entry when it's sending an out-bound email, but curiously, exactly every 8 hours to the second, it makes what I'm assuming is a port-53 DNS request to each of the 3 DNS servers.

Does NT have a DNS checking scheme, where it just checks for DNS server connectivity on a schedule?

I'm thinking of setting up a DNS server (simpledns) on a win-7 PC on the network and point the NT4's third DNS IP setting to the win-7 PC just to be able to capture this request and see what the machine is trying to lookup.  Unless there's a way I can do it on the machine itself.

 

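As an added example (not part of the thread and not the poster's own tooling), here is one way to confirm the "exactly every 8 hours" observation from the router log itself rather than by eye. The router's real log format is unknown, so the lines below are constructed in a netfilter/syslog style with SRC=/DST=/PROTO=/DPT= fields (an assumption); 192.168.2.130 stands for the NT4 host, and 203.0.113.10/.11 and 198.51.100.x are documentation-range placeholders for the ISP resolvers and remote mail hosts. The script computes per-destination periods, and separately looks for "synchronised bursts" where one source hits several port-53 servers within a couple of seconds, which is the pattern described above and is not disturbed by the extra mail-triggered lookups to the primary resolver.

```python
"""Find fixed-period outbound flows in a router log, e.g. a DNS probe that
recurs every 8 hours to the second.

Added example, not code from the original thread. The log format is an
assumption (netfilter-style SRC=/DST=/PROTO=/DPT= fields); all addresses other
than 192.168.2.130 and 4.2.2.2 are documentation-range placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log: three synchronised DNS hits every 8 hours, plus
# ad-hoc DNS lookups to the primary resolver just before each SMTP delivery.
SAMPLE_LOG = """\
2024-01-10 00:00:03 OUT SRC=192.168.2.130 DST=203.0.113.10 PROTO=UDP DPT=53
2024-01-10 00:00:03 OUT SRC=192.168.2.130 DST=203.0.113.11 PROTO=UDP DPT=53
2024-01-10 00:00:03 OUT SRC=192.168.2.130 DST=4.2.2.2 PROTO=UDP DPT=53
2024-01-10 02:17:41 OUT SRC=192.168.2.130 DST=203.0.113.10 PROTO=UDP DPT=53
2024-01-10 02:17:42 OUT SRC=192.168.2.130 DST=198.51.100.25 PROTO=TCP DPT=25
2024-01-10 08:00:03 OUT SRC=192.168.2.130 DST=203.0.113.10 PROTO=UDP DPT=53
2024-01-10 08:00:03 OUT SRC=192.168.2.130 DST=203.0.113.11 PROTO=UDP DPT=53
2024-01-10 08:00:03 OUT SRC=192.168.2.130 DST=4.2.2.2 PROTO=UDP DPT=53
2024-01-10 13:05:19 OUT SRC=192.168.2.130 DST=203.0.113.10 PROTO=UDP DPT=53
2024-01-10 13:05:20 OUT SRC=192.168.2.130 DST=198.51.100.7 PROTO=TCP DPT=25
2024-01-10 16:00:03 OUT SRC=192.168.2.130 DST=203.0.113.10 PROTO=UDP DPT=53
2024-01-10 16:00:03 OUT SRC=192.168.2.130 DST=203.0.113.11 PROTO=UDP DPT=53
2024-01-10 16:00:03 OUT SRC=192.168.2.130 DST=4.2.2.2 PROTO=UDP DPT=53
2024-01-11 00:00:03 OUT SRC=192.168.2.130 DST=203.0.113.10 PROTO=UDP DPT=53
2024-01-11 00:00:03 OUT SRC=192.168.2.130 DST=203.0.113.11 PROTO=UDP DPT=53
2024-01-11 00:00:03 OUT SRC=192.168.2.130 DST=4.2.2.2 PROTO=UDP DPT=53
"""


def parse(log):
    """Return (timestamp, src, dst, proto, dport) tuples for lines that match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def _constant_gap(times, tolerance):
    """Common gap between consecutive times, or None if the gaps vary."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
        return gaps[0]
    return None


def per_destination_periods(events, dport=53, tolerance=timedelta(seconds=5)):
    """Map (src, dst) -> period for flows on dport whose inter-arrival gap is constant.
    A destination that also receives ad-hoc lookups will not show up here."""
    times = defaultdict(list)
    for ts, src, dst, _proto, dpt in events:
        if dpt == dport:
            times[(src, dst)].append(ts)
    periods = {}
    for key, ts_list in times.items():
        gap = _constant_gap(ts_list, tolerance)
        if gap is not None:
            periods[key] = gap
    return periods


def synchronised_bursts(events, dport=53, window=timedelta(seconds=2), min_dests=2):
    """Return (src, start, destinations) for instants where one source hits at
    least min_dests distinct servers on dport within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, _proto, dpt in events:
        if dpt == dport:
            by_src[src].append((ts, dst))
    bursts = []
    for src, items in by_src.items():
        items.sort()
        i = 0
        while i < len(items):
            j, dests = i, set()
            while j < len(items) and items[j][0] - items[i][0] <= window:
                dests.add(items[j][1])
                j += 1
            if len(dests) >= min_dests:
                bursts.append((src, items[i][0], frozenset(dests)))
            i = j
    return bursts


def burst_period(bursts, tolerance=timedelta(seconds=5)):
    """Period between synchronised bursts, or None if they are not regular."""
    return _constant_gap([start for _src, start, _dests in bursts], tolerance)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for key, period in per_destination_periods(ev).items():
        print(f"{key[0]} -> {key[1]}:53 every {period}")
    bursts = synchronised_bursts(ev)
    print(f"{len(bursts)} synchronised DNS bursts, period {burst_period(bursts)}")
```

On the constructed sample the primary resolver drops out of the per-destination view (its gaps are irregular because of the mail-triggered lookups), while the secondary and 4.2.2.2 come out at exactly 8 hours, and the burst view recovers the 8-hour schedule for all three together. A second-level tolerance is deliberate: a scheduler that fires "to the second" should produce gaps that differ only by log timestamp jitter.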


Maybe it is related to DNS cache?

Usually - I believe - it should be set at 1-day intervals, but it is possible to change that through the Registry.

Settings should be under HKLM\CurrentControlSet\Services\Dnscache\Parameters

See this (possibly it applies to NT4 as well):

https://www.itprotoday.com/cloud-computing/how-can-i-configure-how-long-dns-cache-stores-positive-and-negative-responses

jaclaz


  • 2 weeks later...

A few days ago I installed "Simple DNS Plus" on a win-7 PC that is not always running.  I had changed the third DNS server setting on the Win-NT4 server PC (the subject of the thread) to the LAN IP address of this win-7 PC.  Trying to capture the DNS request being made every 8 hours.  I was lucky today - here's what the Simple DNS logs captured:

11:12:24   Listening for DNS requests via UDP/TCP at 127.0.0.1 port 53
11:12:24   Listening for DNS requests via UDP/TCP at 192.168.2.137 port 53
11:12:24   Listening for DNS requests via UDP/TCP at ::1 port 53
11:25:26   Request from 192.168.2.130 for A-record for 192.168.2.1
11:25:26   Sending reply to 192.168.2.130 about A-record for 192.168.2.1:
11:25:26   -> Answer: A-record for 192.168.2.1 = 192.168.2.1

Hmmm.  The NT server (at 2.130) is making a DNS request for the host 192.168.2.1.  

So, 192.168.2.1 is my LAN router.  It's also the gateway IP in I guess all TCP settings for all devices on the LAN, including this win-NT box.

Somewhat odd that something on the NT box is making a DNS request for an IPv4 IP, and the OS is actually going through the motions and making an external DNS request, not for a host-name but for an IPv4 address.  

Now I don't know, in the DNS world, whether or not making a DNS request for an IP address (especially a private / un-routable IP like 192.168.x.x) is kosher, but it seems that this request is failing for both the primary and secondary DNS servers and hence it's falling to the 3rd server (which used to be 4.2.2.2 but is now the local PC running Simple DNS).   It doesn't seem legit to be doing this; presumably the OS is supposed to just return the IP address as the result and not make a fool of itself by going out to make a (bogus?) request?

As to what program or service on the NT4 box is making the request, I have no idea what it could be.  I do have something called "About Time 4.8" (an NTP time checker/setter) running on the box, but it's also running on another NT4 box and both of them are using 192.168.2.1 for the NTP time server, and both are set to do an NTP time check every hour (not every 8 hours).

The Post.Office SMTP software is the only other service that's running (that I know of) that has a reason to do DNS queries, but I can't associate anything in its logs with these queries for 192.168.2.1 every 8 hours.

Perhaps as a start I can put this into HOSTS file:

192.168.2.1  192.168.2.1

and see if this actually prevents the NT box from doing DNS lookups on that LAN IP.  But as to why it's doing that, any clues as to how I can figure that out?

Edited by Nomen
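As an added example (not part of the thread and not Simple DNS Plus code), the check the post above is doing by hand can be run over the DNS server's log: pull out the "Request from ..." lines, flag any A-record query whose name is really a dotted-quad IPv4 address, note whether that address is private (an RFC 1918 address being sent to an outside resolver is the part worth caring about, since it leaks internal addressing for no benefit), and confirm from a time-only log that the hits sit on a fixed 8-hour cadence. The last function shows the short-circuit a resolver is expected to apply, and is what the proposed HOSTS entry would achieve. The log lines are constructed in the shape of the quoted Simple DNS Plus output (that layout is an assumption), and the example.com names are placeholders.

```python
"""Flag DNS queries whose query name is an IPv4 literal, in the style of the
Simple DNS Plus log quoted above, and show the resolver short-circuit that
should have prevented them.

Added example, not part of the original thread and not Simple DNS Plus code.
The sample lines are constructed to match the quoted log layout (an assumption
about that format); example.com names are placeholders.
"""
import ipaddress
import re

REQ_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+Request from (?P<client>\S+) "
    r"for (?P<rtype>[A-Z]+)-record for (?P<qname>\S+)$"
)

# Constructed sample: the three literal queries are 8 hours apart; the
# example.com lookups stand in for normal SMTP-driven resolution.
SAMPLE_LOG = """\
11:12:24   Listening for DNS requests via UDP/TCP at 192.168.2.137 port 53
11:25:26   Request from 192.168.2.130 for A-record for 192.168.2.1
11:25:26   Sending reply to 192.168.2.130 about A-record for 192.168.2.1:
11:25:26   -> Answer: A-record for 192.168.2.1 = 192.168.2.1
11:31:07   Request from 192.168.2.130 for MX-record for example.com
11:31:09   Request from 192.168.2.130 for A-record for mail.example.com
19:25:26   Request from 192.168.2.130 for A-record for 192.168.2.1
03:25:26   Request from 192.168.2.130 for A-record for 192.168.2.1
"""


def parse_requests(log):
    """Return dicts (time, client, rtype, qname) for each 'Request from' line."""
    reqs = []
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if m:
            reqs.append(m.groupdict())
    return reqs


def ip_literal(qname):
    """IPv4Address if qname is a dotted quad (trailing dot allowed), else None."""
    try:
        return ipaddress.IPv4Address(qname.rstrip("."))
    except ValueError:
        return None


def classify(qname):
    """'hostname', 'private-ip-literal' (RFC 1918 etc.) or 'public-ip-literal'."""
    ip = ip_literal(qname)
    if ip is None:
        return "hostname"
    return "private-ip-literal" if ip.is_private else "public-ip-literal"


def literal_queries(reqs):
    """A-record requests that should never have reached a DNS server at all."""
    return [r for r in reqs if r["rtype"] == "A" and ip_literal(r["qname"]) is not None]


def phase(hhmmss, period_s=8 * 3600):
    """Offset of a wall-clock time within a repeating period of period_s seconds."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return (h * 3600 + m * 60 + s) % period_s


def same_cadence(reqs, period_s=8 * 3600):
    """True when every request falls at the same offset modulo period_s, which
    is what an every-8-hours scheduler produces in a log that has no dates."""
    return len({phase(r["time"], period_s) for r in reqs}) == 1


def needs_dns(qname, hosts=None):
    """Resolver short-circuit: an IP literal, or a name present in HOSTS,
    is answered locally and produces no query on the wire."""
    hosts = hosts or {}
    if ip_literal(qname) is not None:
        return False
    return qname.rstrip(".").lower() not in hosts


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    lit = literal_queries(reqs)
    for r in lit:
        print(f'{r["time"]} {r["client"]} asked for A {r["qname"]} ({classify(r["qname"])})')
    print("fixed 8h cadence:", same_cadence(lit))
```

The cadence check only proves consistency with an 8-hour schedule, not the schedule itself, since a time-only log cannot distinguish 8 hours from 24; it is enough to rule out the hourly NTP check mentioned in the post. The `needs_dns` helper is the behaviour expected from a stub resolver; if the NT4 box still sends the query with the HOSTS entry in place, the lookup is being issued by the application directly rather than through the system resolver, which narrows down where to look.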
