Domain name servers may contain several type of security vulnerabilities that allow a malicious user to redirect website visitors to a third party website. The attack can be cache poisoning or ARP spoof and this in case that the DNS server is not patched or hardened.
Passivedns is an open source tool that you can use to investigate an incident related to DNS attack. The tool allows security analyst to collect DNS traffic passively to read them in form of pcap file or log files. This helps to identify the answer of the DNS and find out where the redirection or the issue with the server.
Passivedns can be used as a standard DNS packet sniffer to monitor network traffic and search history to provide a list of what the URL is resolving so it will display the first time URL seen with query and the IP answered by the DNS.
Logs are going to be stored in passivedns.log. This will be useful for the security analyst and can be used for creating report related to the incident. You can download the tool on the following link: https://github.com/gamelinux/passivedns