I'm trying to figure out the best way to log DNS queries and responses processed by Windows DNS servers. I've seen three main methods mentioned: debug logging, packet capture, and DNS analytic logging using Event Tracing for Windows (ETW). However, my AD team is hesitant to allow debug logging due to past issues with disk I/O performance, and they're also against installing packet capture drivers like npcap. The ETW option seems promising, but it looks like I'd need to manually parse the DNS messages. I'm interested in hearing from others about their experiences and any tips or challenges they've encountered. Thanks!
4 Answers
For capturing and forwarding logs effectively, consider using NXLog CE with its DNS module. It can format logs for syslog to send to your SIEM. While it does require debug logging, you might be able to convince your AD team by tweaking the debug options to minimize the I/O load. We have our domain controllers set up with D2as in Azure and utilize 'standard' SSDs, plus a temp drive. You could redirect logs to the temp space to lessen the load on the main system drive. Just ensure you forward the logs off the host to keep it tidy. Alternatively, you may restrict outgoing DNS traffic through the firewall to approved servers and log those events instead. It's not a perfect replacement, but it’s something!
For context, our EDR captures DNS queries across endpoints and servers, giving us multiple DNS event records in the SIEM for every query, which helps in monitoring.
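As an added example (my code, not from the answer above and not NXLog's module), here is a small Python parser that turns Windows DNS debug-log PACKET lines into structured records of the kind a forwarder would emit as JSON to a SIEM, then runs two simple checks over them: NXDOMAIN responses per client and queries carrying unusually long labels. The sample lines are constructed to follow the documented PACKET line layout (date, time, thread, context, packet id, UDP/TCP, Snd/Rcv, remote IP, XID, R for responses, opcode, bracketed flags and rcode, question type, length-prefixed name); the field names and the 30-character label threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines laid out like Windows DNS debug log "PACKET" entries.
# The third/fourth lines are a TXT query with a 40-character label and its NXDOMAIN response.
SAMPLE_LOG = """\
8/17/2018 4:47:05 PM 0E94 PACKET  000000A2A3F60340 UDP Rcv 10.1.1.55       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/17/2018 4:47:05 PM 0E94 PACKET  000000A2A3F60340 UDP Snd 10.1.1.55       0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
8/17/2018 4:47:06 PM 0E94 PACKET  000000A2A3F61C20 UDP Rcv 10.1.1.77       9f3c   Q [0001   D   NOERROR] TXT    (40)aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q0MTIz(4)evil(3)com(0)
8/17/2018 4:47:06 PM 0E94 PACKET  000000A2A3F61C20 UDP Snd 10.1.1.77       9f3c R Q [8183   DR  NXDOMAIN] TXT    (40)aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q0MTIz(4)evil(3)com(0)
"""

# One PACKET line: the "R" column is present only on responses; flag chars are A/T/D/R.
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<thread>[0-9A-Fa-f]+) PACKET\s+"
    r"(?P<packet_id>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) (?P<direction>Snd|Rcv) (?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>R)?\s*(?P<opcode>[QNU?]) "
    r"\[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<flag_chars>[ATDR]*)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")

LONG_LABEL = 30  # my own threshold: labels this long are rare in normal traffic, common in tunneling


def decode_name(encoded):
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com", checking each length prefix."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        if int(length) != len(label):
            raise ValueError("label length mismatch in %r" % encoded)
        if label:
            labels.append(label)
    return ".".join(labels)


def parse_debug_line(line):
    """Parse one PACKET line into a dict; return None for lines that are not packet records."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["response"] = rec.pop("qr") == "R"
    rec["qname_raw"] = rec["qname"]
    rec["qname"] = decode_name(rec["qname_raw"])
    rec["longest_label"] = max((len(label) for label in rec["qname"].split(".")), default=0)
    return rec


def summarize(lines):
    """Aggregate parsed records: NXDOMAIN responses per client and queries with very long labels."""
    nxdomain_by_client = Counter()
    long_label_queries = []
    for line in lines:
        rec = parse_debug_line(line)
        if rec is None:
            continue
        # On a Snd line the remote IP is the client that receives the response.
        if rec["response"] and rec["rcode"] == "NXDOMAIN":
            nxdomain_by_client[rec["remote_ip"]] += 1
        if not rec["response"] and rec["longest_label"] >= LONG_LABEL:
            long_label_queries.append((rec["remote_ip"], rec["qname"]))
    return {"nxdomain_by_client": dict(nxdomain_by_client),
            "long_label_queries": long_label_queries}


if __name__ == "__main__":
    import json
    for line in SAMPLE_LOG.splitlines():
        rec = parse_debug_line(line)
        if rec:
            print(json.dumps(rec))  # one JSON object per packet, the shape a syslog/SIEM forwarder wants
    print(summarize(SAMPLE_LOG.splitlines()))
```

Each record keeps the raw length-prefixed name alongside the decoded one, so a detection that wants the exact on-the-wire labels still has them; the NXDOMAIN counter and the long-label list are the two cheapest signals to start with once the debug log is flowing.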
One popular method is converting Microsoft ETL files to PCAP format using available tools. This allows using open-ecosystem solutions for analysis. In the past, we found it useful to pre-install PCAP drivers on Windows machines for seamless operation without needing a reboot. Another alternative is to set up a flow-exporter (supporting protocols like IPFIX, sFlow, or Cisco NetFlow) alongside a flow logger for collecting data. For quick analysis before decommissioning a DNS server, a mirror or span port can direct traffic to a box running tcpdump or Wireshark.
Have you considered what specific queries you're looking to log? If you're tracking queries from computers and servers, you could log DNS data directly on the endpoints. Many EDR solutions track DNS queries as well, and you can send those logs to your SIEM. Another option is logging through the firewall for outgoing queries if that's what you need. It's even more effective if your DNS traffic goes through the firewall beforehand, allowing you to log local queries too. Our Falcon instance is configured to log DNS requests from the DNS server, which works well.
We collect ETW logs into our Elastic Stack; while it generates a lot of noise and can take up significant storage, we haven't experienced major performance issues on the domain controllers so far. Just something to keep in mind if you're considering this route.

Are you using the PacketData field to extract and analyze DNS records for the answers?
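Picking up the question's concern that the ETW route means parsing DNS messages yourself, and the follow-up about the PacketData field: below is an added example (my code, not from this thread or from Microsoft) of a minimal DNS wire-format parser. It assumes PacketData is handed over as the hex string a binary event field is rendered as in event XML (with or without a 0x prefix) or as raw bytes, and decodes the header flags, questions and resource records, including RFC 1035 name compression. The sample message is constructed by hand: a response with a CNAME and an A record whose names are compressed, so the pointer handling is exercised, and the parser rejects forward or self-referencing pointers and truncated records rather than looping or reading past the buffer.

```python
import struct
import ipaddress

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

# Constructed sample: response for www.example.com, CNAME to web.example.com plus
# an A record for the target, using name compression (c00c -> offset 12, c010 -> "example.com").
SAMPLE_PACKETDATA = (
    "1a2b" "8180" "0001" "0002" "0000" "0000"               # id, flags QR|RD|RA, 1 question, 2 answers
    "03777777076578616d706c6503636f6d00"                    # question name: www.example.com
    "0001" "0001"                                           # QTYPE A, QCLASS IN
    "c00c" "0005" "0001" "0000012c" "0006" "03776562c010"   # CNAME, TTL 300, rdata "web" + pointer
    "c02d" "0001" "0001" "0000012c" "0004" "c000020a"       # A, name = pointer into CNAME rdata, 192.0.2.10
)


def read_name(data, offset):
    """Decode a possibly compressed name at offset. Returns (name, offset just past the name)."""
    labels = []
    end = None  # resume offset; fixed when the first pointer is followed
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if pointer >= offset:  # only backward pointers are legal; this also prevents loops
                raise ValueError("invalid compression pointer")
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length & 0xC0:  # 0x40/0x80 label types are not supported
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def decode_rdata(data, start, length, rtype):
    """Decode common RDATA types; anything else comes back as hex."""
    chunk = data[start:start + length]
    if rtype == 1 and length == 4:
        return str(ipaddress.IPv4Address(chunk))
    if rtype == 28 and length == 16:
        return str(ipaddress.IPv6Address(chunk))
    if rtype in (2, 5, 12):  # NS, CNAME, PTR: a name that may point back into the message
        return read_name(data, start)[0]
    if rtype == 16:  # TXT: sequence of length-prefixed character strings
        strings, pos = [], 0
        while pos < len(chunk):
            n = chunk[pos]
            strings.append(chunk[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        return strings
    return chunk.hex()


def parse_message(data):
    """Parse a full DNS message (header, questions, answer/authority/additional records)."""
    if len(data) < 12:
        raise ValueError("message shorter than the 12-byte header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!6H", data, 0)
    offset, questions, records = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(data, offset)
        if offset + 4 > len(data):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append({"name": name, "type": RR_TYPES.get(qtype, str(qtype)), "class": qclass})
    for _ in range(ancount + nscount + arcount):
        name, offset = read_name(data, offset)
        if offset + 10 > len(data):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if offset + rdlen > len(data):
            raise ValueError("RDLENGTH runs past end of message")
        records.append({"name": name, "type": RR_TYPES.get(rtype, str(rtype)), "class": rclass,
                        "ttl": ttl, "rdata": decode_rdata(data, offset, rdlen, rtype)})
        offset += rdlen
    return {"id": msg_id, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0xF, "questions": questions,
            "answers": records[:ancount], "authority": records[ancount:ancount + nscount],
            "additional": records[ancount + nscount:]}


def parse_packetdata(packet_data):
    """Accept PacketData as a hex string (assumed event-XML rendering, 0x optional) or raw bytes."""
    if isinstance(packet_data, str):
        text = packet_data.strip().replace(" ", "")
        if text[:2].lower() == "0x":
            text = text[2:]
        data = bytes.fromhex(text)
    else:
        data = bytes(packet_data)
    return parse_message(data)


def is_well_formed(packet_data):
    """True if the message parses; malformed input (bad pointers, truncation, bad hex) gives False."""
    try:
        parse_packetdata(packet_data)
        return True
    except (ValueError, struct.error):
        return False
```

The answer records are what you would index alongside the event's own fields: the resolved CNAME chain and A/AAAA data are not available from the query-side events, so for response events this is the only way to get them without a packet capture. Treat PacketData as untrusted input: the bounds and pointer checks above are there because a collector that parses every response the server emits will, sooner or later, see a malformed one.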