|DNS Monitor V2||Back to Home Page|
DNS Monitor is a utility program that allows you to monitor and log DNS requests transiting your network. Version 2 is designed to work with WinpkFilter Version 3.2.3 from NT Kernel Resources. Why monitor DNS requests rather that GET requests? Any access to an outside resource requires the name of the domain to be translated into a number. It doesn't tell you the name of the actual resource, but simply the name of the server that it is stored on. For example, when "http://www.google.ca/index.html" is requested, the first step is to find out where the server is. This is accomplished by requesting "www.google.ca" to be translated into an IP address. It doesn't tell us what kind of service is being requested (http), or what resource is being requested (index.html), but the advantage of monitoring DNS requests rather than Web GET requests is that these requests are very small and cover services over and above just the World Wide Web. Additionally, most operating systems will cache these requests, so that all you see is the first request.
Because the latest version of WinpkFilter supports IPv6, Version 2 of DNS Monitor also supports IPv6, and offers a few more options than Version 1. The network card can be set to operate in Promiscuous Mode. In this mode, it will capture all DNS packets that the interface sees. If you are using a switch to connect to the Internet, this will not make a whole lot of difference. An all-in-one Modem/Router/Switch belongs in this catagory. But if you are using a hub instead, you can view and capture all DNS packets transiting your network.
DNS Monitor V2 also offers a Filter option. With this option turned on, the progrwm will only see the DNS packets that you select (IPv4 or IPv6). This is accomplished by using WinpkFilter more effectively to filter out all non-DNS packets at a lower level. However, you can use DNS Monitor without the filter, and it will examine all packets and present both IPv4 and IPv6 DNS packets. This mode is obviously more demanding on system resources.
The WinpkFilter driver (NDISRD.sys) loads on all current versions of Windows (including 64 bit). The helper library file (NDISApi.dll) does not need to be registered; it simply needs to be placed in the System32 directory (SysWow64 on 64 bit systems), or alternately in the application directory where it takes precedence over any existing file by the same name. This high performance packet filtering framework hooks the NDIS (Network Driver Interface Specification) driver in your Windows Operating System. Because NDIS is a layer 2 network driver, most of the Ethernet headers have already been stripped from the packets.
DNS Monitor is written in VB6, and is being made available in ZIP format. Installation is usually straight forward, using "setup.exe" to install files extracted from "DNSmon.cab" as laid out in "setup.lst". It can be installed anywhere the user has authority, but the default location is "\Program Files\DNSmon\" ("Program Files (x86)\DNSmon" on 64 bit systems). Because most users today have UAC enabled, the log files are stored in a sub directory of the user's directory (C:\Users\user_name\DNSmon\logs>). Executing the program for the first time will create the log directory and exit the program.
The only setup required is for the user to confirm which IP Adapter is being utilized. Once set up, you can activate the server by clicking on the "Start Server" button. Once you start the server, none of the option buttons are available. The state of the option controls is saved to the registry when the program is exited, so they will be in the same state the next time the program is started.
The captured data is logged to file. To examine a log file, you must stop the server first. Clicking on the "Read Log File" button produces a drop down list of files to choose from:
In the above image, we have already selected the file and then clicked the "Read Log File" button again to show you both the selection and the result of the selection.
To install DNS Monitor, you must first install WinpkFilter! There is no charge for personal use.
| Home Page