DNS Monitor is a utility program that allows you to monitor and log DNS requests transiting your network. This program has been around for some time and is by far the most popular download on my Web site. I have never posted the code because it utilized the Dart Service Control (which is not free), and I finally got around to converting it to using the Microsoft NTSvc.ocx control. At the same time, I implemented low-level packet filtering within WinPKFilter, so that the program only sees UDP port 53 data. Examining all packets had its advantages, but it was very inefficient.
DNS Monitor hooks the NDIS driver in your Windows operating system and puts the NIC into promiscuous mode. In this mode you can see every DNS request on your network segment, but only if the hosts are connected through a hub: a switch forwards unicast frames only to their destination port, so on a switched network you will see the monitoring host's own queries (plus broadcasts) unless you use a mirror/SPAN port. The advantage of monitoring DNS requests rather than HTTP GET requests is that they are very small and cover services over and above just the World Wide Web. Additionally, most operating systems cache DNS responses, so repeated lookups of the same name never reach the wire and all you see is the first request. This gives you a fairly concise picture of Internet usage. On my network, I can see traffic on the WiFi part as well because I am using a WiFi hotspot that connects into the same hub. My new Windows Tablet makes an insane number of DNS queries just powering up and loading a home page in Internet Explorer.
There are two components to DNS Monitor. The main program is interactive, and allows you to monitor and capture current DNS activity. The only setup required is for the user to confirm which network adapter is to be monitored. The captured data is logged to daily files, one per date, in the "%windir%\System32\LogFiles\DNS\" directory; writing there (like binding the NDIS driver) requires administrative rights, so run the program elevated.
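To make the filter concrete, here is an added example (my own code, not DNS Monitor's source, which is not on this page) that does in Python what the description above says the program does: take a raw Ethernet frame, keep it only if it is IPv4/UDP to destination port 53 and carries a query rather than a response, and decode the question names, including RFC 1035 compression pointers. The sample frame is constructed inline for the demonstration, and the one-line log format is an assumption of mine; the page does not document DNS Monitor's actual log layout.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DNS_PORT = 53


def parse_qname(data, offset):
    """Decode a DNS name starting at `offset`, following RFC 1035 compression
    pointers. Returns (dotted name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if offset + 2 > len(data):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2                  # the name ends after the first pointer
            hops += 1
            if hops > 16:                         # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_message(payload):
    """Parse the header and question section of a DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_qname(payload, offset)
        qtype, qclass = struct.unpack_from("!HH", payload, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "is_query": not flags & 0x8000, "questions": questions}


def extract_dns_query(frame):
    """The same filter DNS Monitor applies: IPv4, UDP, destination port 53, query bit
    clear. Returns (src_ip, dst_ip, parsed message) or None for anything else."""
    if len(frame) < 14 + 20 + 8 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_UDP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
    if dport != DNS_PORT:
        return None
    msg = parse_dns_message(udp[8:ulen])
    if not msg["is_query"]:
        return None
    return src_ip, dst_ip, msg


def log_line(src_ip, dst_ip, msg):
    """One line per question, in a format of my own (assumption; not the tool's)."""
    return "\n".join(f"{src_ip} -> {dst_ip} id={msg['id']:#06x} {name} type={qtype}"
                     for name, qtype, _ in msg["questions"])


def build_frame(src_ip, dst_ip, name, txid=0x1234, response=False):
    """Constructed test traffic (not a real capture): an Ethernet/IPv4/UDP frame
    carrying a DNS A query for `name`, or a minimal response to it."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    sport, dport = (DNS_PORT, 50000) if response else (50000, DNS_PORT)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETH_P_IP)
    return eth + ip + udp


if __name__ == "__main__":
    for frame in (build_frame("192.168.1.10", "192.168.1.1", "www.example.com"),
                  build_frame("192.168.1.1", "192.168.1.10", "www.example.com", response=True)):
        hit = extract_dns_query(frame)
        print(log_line(*hit) if hit else "dropped (not a DNS query)")
```

On a real capture the frames would come from the NDIS hook rather than `build_frame`; everything after that point is the same, and the pointer-hop limit and label-length check matter there because a malformed packet from any host on the segment reaches the parser.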
DNS Monitor also has an optional service component. The service runs in the background with no user interaction required, even when no user is logged on. It will not, however, survive S3 sleep (suspend to RAM). To install the service, simply click the "Install" button. Once it is successfully installed, the "Start" button becomes active and you can start the service, provided that the capture in the main program is "OFFLINE" (only one of the two can hold the adapter at a time). You can also control it from the Service Manager (services.msc).
To install DNS Monitor, you must first install WinpkFilter:
http://www.ntkernel.com/downloads/winpkflt_rtl.zip
There is no charge for personal use.
NOTE: On 64-bit operating systems (Vista/Win7/Win8), kernel-mode driver signature enforcement applies, so the WinpkFilter driver will not load as shipped and enforcement has to be worked around. Pressing F8 at boot and choosing "Disable Driver Signature Enforcement" works, but only for that one boot. The Group Policy Editor and BCD settings that used to turn enforcement off are no longer honored on fully updated systems. Getting the driver permanently signed with a certificate recognized by Microsoft is prohibitively expensive. What is still available is to run your system in Test Mode (testsigning on in the BCD). Your driver must still be signed, but you can locally sign your own driver (ndisrd.sys) with a self-generated test certificate. Be aware of what Test Mode means: the kernel then loads any driver carrying any valid signature, not just yours, so it lowers the bar for kernel-level malware; Windows shows a "Test Mode" watermark on the desktop while it is on, and you should turn it back off once you no longer need the driver. To make the signing step easier, a small utility is made available from NGOHQ.
http://www.ngohq.com/home.php?page=dseo
This little utility does not have to be installed, but must be run as Administrator. Win 8.1, however, is a different kettle of fish. If your computer uses Unified Extensible Firmware Interface (UEFI), it probably uses Secure Boot, which blocks test-signing mode and hides the TESTSIGNING setting. Secure Boot can be temporarily turned off in the firmware setup, TESTSIGNING turned on, and Secure Boot turned back on. However, as of this posting I have not confirmed if TESTSIGNING is still active. I will post more as I uncover it.
J.A. Coutts