https://community.splunk.com/t5/Splunk-Search/DNS-Query-doesnt-look-right/m-p/136561#M184753 <P>The Rcv from external IPs are showing incoming packets from external DNS servers. The DNS server you're monitoring is performing recursive queries, so it has to get the answer for external domains from an external DNS server. Your log is showing you all incoming and outgoing DNS packets.,The Rcv lines from external addresses are showing you responses from external DNS servers. Since the DNS server you're monitoring is a recursive resolver, it will ask other DNS servers on the Internet for answers. The log is just showing you all the incoming and outgoing packets related to the query.</P> Fri, 03 Oct 2014 14:52:47 GMT kogane 2014-10-03T14:52:47Z https://community.splunk.com/t5/Splunk-Search/DNS-Query-doesnt-look-right/m-p/136560#M184752 <P>Hi All, </P> <P>Not sure im in the right place for this, but i'm hoping someone understands.</P> <P>I've configured splunk to show me DNS queries to bad domains, which is great. But it raises more questions than answers.</P> <P>As I understand Rcv lines are the IP where the request came from and Snd are what the DNS server gave as an answer. My logic is that I should only have Rcv lines from internal addresses ? </P> <P>Why might I see Rcv from external addresses please ? </P> <P>1 » 09/11/2013 10:00:45.000 20131109 10:00:45 1570 PACKET UDP Snd 10.40.0.44 2f71 R Q [0084 A NOERROR] .otnnetwork.net.host=builbdc1 Options| sourcetype=dns_queries Options| source=c:\windows\system32\dns\dns.log Options </P> <P>2 » 09/11/2013 10:00:45.000 20131109 10:00:45 1570 PACKET UDP Rcv 205.251.195.116 21e9 R Q [0084 A NOERROR] .otnnetwork.net.host=builbdc1 Options| sourcetype=dns_queries Options| source=c:\windows\system32\dns\dns.log Options </P> <P>3 » 09/11/2013 10:00:45.000 20131109 10:00:45 153C PACKET UDP Snd 205.251.195.116 21e9 Q [0000 NOERROR] .otnnetwork.net.host=builbdc1 Options| sourcetype=dns_queries Options| source=c:\windows\system32\dns\dns.log Options </P> <P>4 » 09/11/2013 10:00:45.000 20131109 10:00:45 153C PACKET UDP Rcv 192.12.94.30 21e9 R Q [0080 NOERROR] .otnnetwork.net.host=builbdc1 Options| sourcetype=dns_queries Options| source=c:\windows\system32\dns\dns.log Options </P> <P>5 » 09/11/2013 10:00:45.000 20131109 10:00:45 153C PACKET UDP Snd 192.12.94.30 21e9 Q [0000 NOERROR] .otnnetwork.net.host=builbdc1 Options| sourcetype=dns_queries Options| source=c:\windows\system32\dns\dns.log Options </P> <P>6 » 09/11/2013 10:00:45.000 20131109 10:00:45 153C PACKET UDP Rcv 10.40.0.44 2f71 Q [0001 D NOERROR] .otnnetwork.net.host=builbdc1 Options| sourcetype=dns_queries Options| source=c:\windows\system32\dns\dns.log Options </P> <P>Thanks<BR /> Derek</P> Mon, 11 Nov 2013 13:51:38 GMT https://community.splunk.com/t5/Splunk-Search/DNS-Query-doesnt-look-right/m-p/136560#M184752 DerekKing 2013-11-11T13:51:38Z https://community.splunk.com/t5/Splunk-Search/DNS-Query-doesnt-look-right/m-p/136561#M184753 <P>The Rcv from external IPs are showing incoming packets from external DNS servers. The DNS server you're monitoring is performing recursive queries, so it has to get the answer for external domains from an external DNS server. Your log is showing you all incoming and outgoing DNS packets.,The Rcv lines from external addresses are showing you responses from external DNS servers. Since the DNS server you're monitoring is a recursive resolver, it will ask other DNS servers on the Internet for answers. The log is just showing you all the incoming and outgoing packets related to the query.</P> Fri, 03 Oct 2014 14:52:47 GMT https://community.splunk.com/t5/Splunk-Search/DNS-Query-doesnt-look-right/m-p/136561#M184753 kogane 2014-10-03T14:52:47Z