Parsing DNS Log files

This script parses the DNS debug log files from a DNS server and does a reverse lookup on each IP address found, so you can see the DNS hostname of every device that sent a DNS query to that server.

The Scenario

As part of a 2003 AD migration, the requirements were to replace the 2003 DCs in an existing subnet with new DCs in a new subnet. The problem is that lots of things these days do DNS lookups and, if you're not using DHCP to deliver DNS server addresses to the clients, you need to go and change every DNS server entry on every statically assigned device. But it is worse than that, Jim! You may well have devices off your LAN, via a firewall, that you are allowing to use your DNS servers. How do you know who and what they are? (Now some smart person will say: "of course you have that documented". Yeah... right... is the answer, for those of us that have inherited someone else's environment.)

The Plan

Simple plan

  1. Stand up your new Domain Controllers (AD integrated DNS on them of course)
  2. Change your DHCP scope options to point to the new domain controllers, then wait until all the leases have been renewed
  3. On the old domain controllers, turn on DNS debug logging (select and enable the debug logging options on the DNS server)
  4. Gather the log files and parse them using the script below


The Script

#This is to assist with a DNS migration
#This Script takes DNS log files and tries to do a reverse lookup on the IP addresses
#So that you can try to see devices on your network (and outside your network) that are using
#Your DNS server as a source.
#Create directories c:\temp\DNS\FilesIn ,c:\temp\DNS\FilesOut and c:\temp\DNS\Summary first
#Put files to process in c:\temp\DNS\FilesIn
#I am declaring variables first.
#Powershell is really good at declaring variable types on the fly, but I like to make sure for += operations
$FinalFile = @()
$FilesIn = "c:\temp\DNS\FilesIn"
$FilesOut = "c:\temp\DNS\FilesOut\"
$SummaryOut = "c:\temp\DNS\Summary\Summary.txt"
$ListOfFiles = Get-ChildItem -Path $FilesIn -File
foreach ($item in $ListOfFiles) {
    #Set the destination file name (the original line was cut off after "$FilesOut + $"; one CSV per input file is assumed here)
    $outfile = ($FilesOut + $item.BaseName + ".csv")
    Write-Host "File read"
    #Load file as raw so we can use Select-String later to find the lines that match the pattern
    $SkippedFile = Get-Content $item.FullName -Raw
    #Declare/reset the following variables
    $Results = @()
    $ResultHash = @{}
    #Search through the file and return every IPv4 address in it
    Write-Host "select lines that have an ip address in them"
    $Search = $SkippedFile | Select-String -Pattern "\b(?:(?:0?0?\d|0?[1-9]\d|1\d\d|2[0-5][0-5]|2[0-4]\d)\.){3}(?:0?0?\d|0?[1-9]\d|1\d\d|2[0-5][0-5]|2[0-4]\d)\b" -AllMatches
    #Now go through and resolve the IP address, if it has not already been resolved
    Write-Host "Resolve"
    foreach ($Match in $Search.Matches) {
        $IP = $Match.Value
        if (-not $ResultHash.ContainsKey($IP)) {
            $ResolveName = (Resolve-DnsName -Name $IP -QuickTimeout -ErrorAction SilentlyContinue -DnsOnly).NameHost
            #Store the answer (or $null if nothing resolved) so the same IP is not looked up twice
            $ResultHash[$IP] = $ResolveName
            Write-Host $IP $ResolveName
        }
    }
    Write-Host "Finished processing $outfile"
    #We now have a hash table with IP and NameHost, but let's make a nicer looking object out of it
    $Results = $ResultHash.GetEnumerator() | Select-Object @{Name="IP";Expression={$_.Name}},@{Name="Hostname";Expression={$_.Value}}
    #Let's put those results out to a results file in CSV format
    $Results | Export-Csv $outfile -NoTypeInformation
}
#Summarise output files
#Let's get a list of all files in the output folder
$ListOfFilesOut = Get-ChildItem -Path $FilesOut -File
$SummaryResults = @()
foreach ($item in $ListOfFilesOut) {
    $SummaryResults += Import-Csv $item.FullName
}
#Let's take that summary, get only the items that are unique and export the summary to a CSV file
$SummaryResults | Select-Object * -Unique | Export-Csv $SummaryOut -NoTypeInformation
#Optional, let's take that summary, get only the items that are unique and show it in Out-GridView
$SummaryResults | Select-Object * -Unique | Out-GridView
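The script above pulls out every IPv4 address in the log, which includes the addresses in the server's own replies (Snd lines) and addresses carried inside answers, so the "client" list is wider than the set of devices that actually sent queries. The following is an added example, not code from the original post: it parses the PACKET lines of a Windows DNS debug log, keeps only queries the server received, counts them per source IP, optionally does a cached reverse lookup, and flags whether the source is on one of your LAN subnets (the bit that answers "who outside my LAN is using my DNS server"). The sample log lines, the subnet list and the function names are constructed for illustration; it needs Windows PowerShell 5.1 or later, and the DnsClient module only when -Resolve is used.

```powershell
# Added example, not from the original post: parse Windows DNS debug-log PACKET
# lines, keep only queries the server RECEIVED (direction Rcv, no R flag), and
# summarise per client IP with an optional cached reverse lookup and an
# on-LAN / off-LAN flag. Sample lines and subnets are constructed for illustration.

$SampleLog = @'
2/27/2018 10:00:01 AM 0A5C PACKET  0000000000E1D7D0 UDP Rcv 10.1.1.50       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/27/2018 10:00:01 AM 0A5C PACKET  0000000000E1D7D0 UDP Snd 10.1.1.50       0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
2/27/2018 10:00:02 AM 0A5C PACKET  0000000000E1D8A0 UDP Rcv 192.168.5.20    0003   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
2/27/2018 10:00:03 AM 0A5C PACKET  0000000000E1D9B0 TCP Rcv 10.1.1.50       0004   Q [0001   D   NOERROR] AAAA   (3)www(7)example(3)com(0)
2/27/2018 10:00:04 AM 0A5C PACKET  0000000000E1DAC0 UDP Rcv 172.16.40.9     0005   Q [0001   D   NOERROR] PTR    (2)50(1)1(1)1(2)10(7)in-addr(4)arpa(0)
'@

# Fixed layout of a PACKET line: timestamp, thread id, PACKET, packet pointer,
# transport, direction, remote IP, transaction id, optional R (response), Q,
# [flags], query type, query name in length-prefixed label form.
$PacketPattern = '^(?<Date>.+?)\s+(?<Thread>[0-9A-Fa-f]{4})\s+PACKET\s+\S+\s+(?<Proto>UDP|TCP)\s+(?<Dir>Rcv|Snd)\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})\s+(?<Xid>[0-9A-Fa-f]{4})\s+(?<Resp>R)?\s*Q\s+\[[^\]]*\]\s+(?<QType>\S+)\s+(?<QName>\S+)'

function ConvertTo-AddressNumber ([string]$Ip) {
    # Dotted quad -> 32-bit number so a subnet mask can be applied
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                         # BitConverter is little-endian
    return [uint64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $all  = [uint64]4294967295                                       # 0xFFFFFFFF (the hex literal would parse as -1)
    $mask = ($all -shl (32 - [int]$bits)) -band $all
    return ((ConvertTo-AddressNumber $Ip) -band $mask) -eq ((ConvertTo-AddressNumber $net) -band $mask)
}

function Get-DnsClientSummary {
    param(
        [string[]]$LogLines,
        [string[]]$LocalSubnets = @('10.1.1.0/24'),   # assumption: the subnet being migrated
        [switch]$Resolve                              # reverse-resolve each client (needs network access)
    )
    # Keep only queries received by the server; Snd lines and responses carry the
    # server's own traffic and would otherwise inflate the "client" list.
    $queries = foreach ($line in $LogLines) {
        if ($line -match $PacketPattern -and $Matches.Dir -eq 'Rcv' -and -not $Matches.Resp) {
            [pscustomobject]@{
                IP    = $Matches.IP
                QType = $Matches.QType
                QName = ($Matches.QName -replace '\(\d+\)', '.').Trim('.')   # (3)www(7)example(3)com(0) -> www.example.com
            }
        }
    }
    $cache = @{}
    $queries | Group-Object -Property IP | ForEach-Object {
        $ip = $_.Name
        if ($Resolve -and -not $cache.ContainsKey($ip)) {
            $cache[$ip] = (Resolve-DnsName -Name $ip -Type PTR -DnsOnly -QuickTimeout -ErrorAction SilentlyContinue).NameHost
        }
        $onLan = $false
        foreach ($subnet in $LocalSubnets) { if (Test-InSubnet $ip $subnet) { $onLan = $true } }
        [pscustomobject]@{
            IP       = $ip
            Hostname = $cache[$ip]
            OnLan    = $onLan
            Queries  = $_.Count
            Names    = ($_.Group.QName | Sort-Object -Unique) -join ';'
        }
    }
}

# Offline run over the constructed sample; add -Resolve on a real DC to fill in Hostname.
Get-DnsClientSummary -LogLines ($SampleLog -split "`r?`n") | Sort-Object OnLan, IP | Format-Table -AutoSize
```

On the sample above this reports 10.1.1.50 as on-LAN with two queries (the Snd line is dropped), and 192.168.5.20 and 172.16.40.9 as off-LAN sources with one query each; on a real log, read it with Get-Content and pass the lines in, and widen -LocalSubnets to the ranges you actually own so that anything left flagged off-LAN is a device behind a firewall that still needs its DNS settings changed before the old DCs go.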

