News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
May 28, 2020 windowsdnsossecurity

DNS Log Collection on Windows

By Tamás Burtics

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

Be sure to read Part 1 and Part 3 of our DNS Log Collection series, in case you missed them.

DNS Log Collection on Windows

If you need to reduce the cost of DNS security and increase efficiency through centralizing DNS log collection, where would you start? Answering this question requires knowledge and awareness of the challenges and opportunities available on the Windows platform.

While Windows DNS server is a common technology serving many types of organizations, from local domains to large multi-site enterprises, the possibilities are not necessarily that well-known within the context of comprehensive, site-wide log collection. This article distills the main concepts essential to planning and deploying such an implementation into this article, which serves as the second part of the DNS log collection series.

To start, this article will touch on log sources that are generated by Windows DNS servers as well as the DNS requests of the clients they serve.

Windows DNS Log Sources

You may know that there are several ways of collecting DNS logs within the Windows environment:

  • Collecting DNS query logs via Sysmon

  • Collecting traces directly with Event Tracing for Windows (ETW) DNS providers

  • Collecting from the relevant Windows Event Log channels

  • File-based DNS debug logging

The deployment and resources to be used for DNS log collection will also depend on whether the logs will be collected from the DNS server (a critical asset) or from DNS clients. Each of these will be covered in further detail in this blog post.

Collecting DNS Query Logs from Sysmon

Sysmon includes a DNS Query logging feature to collect DNS query logs from clients. These events are generated when a process executes a DNS query, whether the result is successful or fails, cached or not.

Depending on how Sysmon is configured, you can also set additional rules in the configuration file for Sysmon in relation to Event ID 22: DNSEvent (DNS query). This is advisable due to the noisy nature of this type of event.

These types of additional rules can be:

  • Exclusion rules to avoid logging reverse DNS lookups

  • Exclusion rules about which domains to exclude. When excluding certain top level domains (to reduce the amount of logs collected), be as specific as possible with domains

  • Rules to exclude IPv6 lookups

  • Rules to omit domains typically used in sandboxes like localhost

  • Rules to omit queries involving popular third-party applications like Google, Mozilla, as well as CDNs

  • Rules to omit sites that involve social media widgets like Disqus

  • Rules to exclude ad serving sites and other ad-related services

These are only suggestions for rules and are by all means non-exhaustive. There are Sysmon configuration samples available online for use and adaptation.

Since DNS queries generate a large amount of logs, you may opt to forward Sysmon DNS events in their own output stream to a central log server instead of merging them with other DNS client event sources.

Sysmon DNS Query Event Sample in JSON Format
{
"EventTime":"2020-02-04T14:59:39.343541+00:00",
"Hostname":"EC2AMAZ-EPO7HKA",
"Keywords":"9223372036854775808",
"EventType":"INFO",
"SeverityValue":2,
"Severity":"INFO",
"EventID":22,
"SourceName":"Microsoft-Windows-Sysmon",
"ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Version":5,
"TaskValue":22,
"OpcodeValue":0,
"RecordNumber":9532,
"ExecutionProcessID":1996,
"ExecutionThreadID":2616,
"Channel":"Microsoft-Windows-Sysmon/Operational",
"Domain":"NT AUTHORITY",
"AccountName":"SYSTEM",
"UserID":"S-1-5-18",
"AccountType":"User",
"Message":"Dns query:\r\nRuleName: \r\nUtcTime: 2020-02-04 14:59:38.349\r\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\r\nProcessId: 1904\r\nQueryName: EC2AMAZ-EPO7HKA\r\nQueryStatus: 0\r\nQueryResults: 172.31.46.38;\r\nImage: C:\\Program Files\\nxlog\\nxlog.exe",
"Category":"Dns query (rule: DnsQuery)",
"Opcode":"Info",
"UtcTime":"2020-02-04 14:59:38.349",
"ProcessGuid":"{b3c285a4-3cda-5dc0-0000-001077270b00}",
"ProcessId":"1904","QueryName":"EC2AMAZ-EPO7HKA","QueryStatus":"0",
"QueryResults":"172.31.46.38;",
"Image":"C:\\Program Files\\nxlog\\nxlog.exe",
"EventReceivedTime":"2020-02-04T14:59:40.780905+00:00",
"SourceModuleName":"in",
"SourceModuleType":"im_msvistalog"
}

Collecting from DNS ETW Providers

The DNS ETW providers with their corresponding GUIDs are displayed in the following table.

Table 1. List of ETW Providers
ETW Provider Name GUID

DNS Server Trace Provider

57840C25-FA99-4F0D-928D-D81D1851E3DD

Microsoft-Windows-DNS-Client

1C95126E-7EEA-49A9-A3FE-A378B03DDB4D

Microsoft-Windows-DNS-Server-Service

71A551F5-C893-4849-886B-B5EC8502641E

Microsoft-Windows-DNSServer

EB79061A-A566-4698-9119-3ED2807060E7

Most of the time, ETW is not considered as a log source, either because it is not widely known or because special tools are needed to keep track of log traces (see Solving Windows Log Collection Challenges with Event Tracing). In addition, these tools can negatively affect DNS server performance, especially if they are set to continuously collect and write event traces to disk or convert to a format like JSON before being forwarded to a remote host.

Enhanced Windows DNS Event Log Logging

Enhanced DNS Server audit events are available via both the Windows Event Log channels, such as the Microsoft-Windows-DNSServer/Audit channel, as well as directly from the Windows Event Tracing (ETW) provider. These enable change tracking on Windows DNS Server, provided audit events are set to be logged in the Group Policy Editor. If enabled, an audit event is logged for each instance when changes are made to the DNS server such as:

Windows DNS Audit Events

  • Zone operations – zone deletions, updates, zone record creation and deletion, zone scope creation and deletion, online signing (zone signing/unsigning/resigning), pausing/reloading/resuming zones

  • DNSSEC operations – key rollover events, export/importing of DNSSEC metadata, addition of trust point

  • Cache operations – (cache purge events)

  • Policy operation events – creation/deletion/updating of records such as client subnet records, server level policies or zone level policies

  • Other server operations – restarting the server, clearing of debug logs, clearing of statistics, scavenging operations

These audit events represent important operations for any DNS server. They can provide very useful information for security and compliance reasons, as well as for incident response.

Ensure that auditing is enabled on Windows DNS Server via the Group Policy Management Editor. You can also configure auditing on the target object via the ADSIEDIT.MSC console by making the necessary changes for the auditing properties of that object.

Example console screen for changing the auditing settings on Group Policy

The following is an event sample from Microsoft Windows DNS Server for the audit event 513 (Type: Zone delete, Category: Zone operations) generated by the Microsoft-Windows-DNSServer channel.

Zone Deletion Event Sample in JSON Format
{
  "EventTime":"2020-02-17T13:41:17.260147+00:00",
  "Hostname":"Workstation A",
  "Keywords":"4611686018427912192",
  "EventType":"INFO",
  "SeverityValue":2,
  "Severity":"INFO",
  "EventID":513,
  "SourceName":"Microsoft-Windows-DNSServer",
  "ProviderGuid":"{EB79061A-A566-4698-9119-3ED2807060E7}",
  "Version":0,
  "TaskValue":5,
  "OpcodeValue":0,
  "RecordNumber":10,
  "ExecutionProcessID":1936,
  "ExecutionThreadID":2820,
  "Channel":"Microsoft-Windows-DNSServer/Audit",
  "Domain":"Example.corp.com",
  "AccountName":"Administrator",
  "UserID":"S-1-5-21-211798184-3831789826-2356777772-500",
  "AccountType":"User",
  "Message":"The zone example.com was deleted. [virtualization instance: .].",
  "Category":"ZONE_OP",
  "Opcode":"Info",
  "Zone":"test.corp.com",
  "VirtualizationID":".",
  "EventReceivedTime":"2020-02-17T13:41:23.978572+00:00",
  "SourceModuleName":"in",
  "SourceModuleType":"im_msvistalog"
}

Windows DNS Analytical Events

DNS analytical events differ from DNS auditing in that they are generated each time Windows DNS Server processes a request. They need to be enabled on the DNS server before logging can happen.

Types of DNS analytical events include:

  • Look up events – response success/failure, CNAME lookups, internal lookups

  • Recursive query events

  • Dynamic update events

  • Zone XFR events

The following sample shows Event ID 280 (Type: Internal lookup additional, Category: Lookup) that is generated by ETW Provider Microsoft-Windows-DNSServer.

Internal Lookup Event Sample in JSON Format
{
  "SourceName":"Microsoft-Windows-DNSServer",
  "ProviderGuid":"{EB79061A-A566-4698-9119-3ED2807060E7}",
  "EventId":280,
  "Version":0,
  "ChannelID":16,
  "OpcodeValue":0,
  "TaskValue":1,
  "Keywords":"9223372105574252544",
  "EventTime":"2020-02-15T22:30:16.466802+00:00",
  "ExecutionProcessID":2064,
  "ExecutionThreadID":2220,
  "EventType":"INFO",
  "SeverityValue":2,
  "Severity":"INFO",
  "Domain":"NT AUTHORITY",
  "AccountName":"SYSTEM",
  "UserID":"S-1-5-18",
  "AccountType":"User",
  "Flags":"33152",
  "TCP":"1",
  "InterfaceIP":"::1",
  "Source":"::1",
  "RD":"1",
  "QNAME":"a.root-servers.net.",
  "QTYPE":"28",
  "Port":"58368",
  "XID":"23042",
  "BufferSize":"17",
  "PacketData":"0x5A02818000010001000000010000060001",
  "EventReceivedTime":"2020-02-15T22:30:17.473631+00:00",
  "SourceModuleName":"etw",
  "SourceModuleType":"im_etw"
}

Active Directory and Native DNS Auditing

DNS is automatically installed with Active Directory as the Global Catalog server for the forest and domain. There are a number of features available in Windows DNS Server, such as Native DNS Auditing.

However, systems prior to 2012 R2, or 2012 R2 without hotfix 2956577, do not have native DNS auditing capabilities included. When this is enabled, DNS changes can be audited by enabling AD Directory Services auditing. For more information, see the AD DS Auditing Step-by-Step Guide on Microsoft Docs.

Collecting File-based Microsoft DNS Debug Log Files

The DNS debug file is important since it contains detailed information on DNS queries and activity that is sent and received by the DNS server.

The following debug log sample displays a simple DNS query test from Windows DNS Server:

02/12/2020 9:49:38 PM 0820 PACKET  000001D5B29C4610 UDP Snd 172.31.12.204
43f0 R Q [8084 A  R  NOERROR] PTR    (1)1(1)0(1)0(3)127(7)in-addr(4)arpa(0)

Due to the amount of logs being generated from DNS debug logging, it is recommended to rotate logs and have them collected on a central server. Also, parsing the logs is suggested, in order to select which logs to enrich. Although DNS debug logging has some advantages, it does come with some additional caveats worth considering:

  • Due to the way Microsoft handles log rollover of DNS debug logs, if the log file is located on any drive other than the C: drive, the Windows DNS service may not recreate the debug log file after a rollover. See The disappearing Windows DNS debug log for an in-depth analysis of this issue.

  • The log information gleaned from DNS debug logging is inherently unstructured. Parsing is required to create usable event logs. If the Details option has been selected, regular expressions are needed to parse the event fields. Such configurations are complex and can be associated with additional performance overhead. For busy DNS servers, this would not be a recommended option. For more information see File-based DNS Debug Logging.

Performance Considerations

Depending on which of these logging methods you use, there are a few variables that can affect performance:

  • The DNS server’s hardware specifications.

  • The QPS (queries per second) rate.

  • The place where log enrichment or parsing is done. It can be done either locally or on a central logging server after the logs are received.

  • The type of logging taking place. It is recommended to enable DNS debug logging only temporarily and when needed.

All these factors play a role in influencing log performance.

What can NXLog do?

NXLog simplifies DNS log collection by providing a single software solution that incorporates the various technologies required to efficiently collect DNS related logs. NXLog offers the following methods for the previously mentioned DNS logging technologies.

Sysmon Log Collection

Use the im_msvistalog module and add the relevant Query in the configuration file. Find out more at Collecting DNS logs via Sysmon in the NXLog User Guide.

ETW (Event Tracing for Windows) Collection

The im_etw module is specifically designed to collect logs from ETW providers without much performance overhead. It acts both as a Controller and a Consumer (see Using NXLog as a Single Agent Solution to Collect ETW Logs).

Native Windows Event Log Collection

For DNS events that can be collected from the Windows Event Log, including Sysmon, use the im_msvistalog module and specify a query for the name of the channel and channel type. You can also add additional filtering to the query. See Windows Event Log.

File-based Log Collection from the Windows DNS Debug File

The NXLog User Guide details the steps to set up DNS debug logging including Parsing non-detailed logs with xm_msdns.

Conclusion

With this article, you have learned about the opportunities and challenges for the following modes of Windows DNS log collection: Sysmon, Event Tracing for Windows (ETW), Windows Event Log and Windows DNS debug file logging. You have also learned about possible DNS performance considerations and the NXLog solutions available for DNS log collection. With this knowledge of the various solutions available, you can avoid the pitfalls of deploying less efficient solutions or ending up with a deployment that is either logging too many or not enough DNS events.

DNS, for many reasons, is an important asset that must not be overlooked. It is known that attackers are abusing DNS, and it is through efficient and reliable DNS log collection that you can reap the benefits of this essential component of security monitoring. Our white paper, The Importance of DNS Logging in Enterprise Security expands on this theme.

  • log collection
  • dns logs
  • windows dns logs
  • dns
  • windows
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

Making the most of Windows Event Forwarding for centralized log collection
6 minutes | December 17, 2018
DNS Log Collection on Linux
8 minutes | May 14, 2020
Sending ETW Logs to Splunk with NXLog
5 minutes | March 3, 2020

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us