Windows DNS

DNS is a rich telemetry source: it records which client asked for which name and what answer came back, which helps detect a wide array of attacks that are otherwise very difficult to identify.

Data Types

  • DNS

Configuration - NXLog Enterprise Edition

CYDERES recommends installing NXLog Enterprise Edition on the primary Windows DNS servers in your environment. Generally, these are the DNS servers assigned as the primary and secondary resolvers in the network properties of every PC. The objective in capturing this data is to record which client requested a domain and what that domain resolved to. When a DNS server forwards a request on (to a forwarder or through recursion), the next hop sees the forwarding server as the source, not the original client. For that reason, collect DNS from every server that could receive a client's initial query; logging only at the forwarder records the forwarder as the client and the real requester is lost.

NXLog Enterprise Edition includes the im_etw module, which subscribes directly to Event Tracing for Windows (ETW) providers. The Microsoft-Windows-DNSServer provider carries the DNS Server analytical events (queries received, responses sent, failures). NXLog consumes events from that provider and forwards them as syslog. Example NXLog configuration:

# Adjust ROOT to the actual NXLog installation directory on this server.
define ROOT C:\Program Files (x86)\nxlog
# Syslog collector that receives the DNS events.
define OUTPUT_DESTINATION_ADDRESS <hostname>
define OUTPUT_DESTINATION_PORT <port>
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module      xm_syslog
</Extension>

# Read DNS Server analytical events straight from the ETW provider.
<Input etw_dns>
    Module      im_etw
    Provider    Microsoft-Windows-DNSServer
</Input>

<Output out_dns>
    Module      om_tcp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    # Must match the macro defined above (the original used an undefined
    # DNS_DESTINATION_PORT macro, which NXLog rejects at startup).
    Port        %OUTPUT_DESTINATION_PORT%
    # NXLog stores datetime values as microseconds since the epoch;
    # dividing the integer form by 1,000,000 yields epoch seconds.
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    # Emit RFC 5424 syslog with every event field in the structured-data block.
    Exec        to_syslog_ietf();
</Output>

<Route 1>
    Path etw_dns => out_dns
</Route>
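The configuration above forwards each ETW event as an RFC 5424 syslog line, but the client, the queried name and the answer still have to be pulled out of it downstream; the resolved address in particular lives inside the raw DNS packet that the DNS Server analytical events carry. The following added example (written for this page; it is not code from CYDERES or NXLog) decodes RESPONSE_SUCCESS events into client -> name -> answer records and flags events whose "client" is actually one of the monitored DNS servers, the forwarding case described above. The syslog layout, the field names (EventID, Destination, QNAME, PacketData), the resolver IPs and the sample lines are constructed assumptions modelled on the DNS Server analytical log; check them against your own NXLog output before relying on them.

```python
"""Decode NXLog-relayed Windows DNS Server RESPONSE_SUCCESS events into
client -> query -> resolved answer records (added example, not NXLog code)."""
import re
import struct
from ipaddress import ip_address

# Constructed: addresses of the monitored DNS servers. A Destination equal to
# one of these means the event describes a forwarded query, so the real
# client identity has already been lost at this hop.
RESOLVER_IPS = {"10.0.0.10", "10.0.0.11"}

# Constructed DNS response: www.example.com CNAME example.com, example.com A 93.184.216.34
PACKET_HEX = ("0x123481800001000200000000"
              "03777777076578616d706c6503636f6d0000010001"
              "c00c000500010000012c0002c010"
              "c010000100010000012c00045db8d822")

# Constructed sample lines shaped like to_syslog_ietf() output; field names
# are assumed to follow the DNS Server analytical log (Destination = client
# in RESPONSE_SUCCESS events).
SAMPLE_LINES = [
    '<14>1 2024-03-01T10:15:00Z dns01 nxlog 412 - [NXLOG@14506 EventID="257" '
    f'Destination="10.0.0.25" QNAME="www.example.com." QTYPE="1" PacketData="{PACKET_HEX}"] RESPONSE_SUCCESS',
    '<14>1 2024-03-01T10:15:01Z dns01 nxlog 412 - [NXLOG@14506 EventID="257" '
    f'Destination="10.0.0.11" QNAME="www.example.com." QTYPE="1" PacketData="{PACKET_HEX}"] RESPONSE_SUCCESS',
]

SD_BLOCK = re.compile(r'\[NXLOG@14506 ((?:[^\]\\]|\\.)*)\]\s*(.*)$')
SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
RTYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}


def parse_syslog(line):
    """Return (structured-data fields, message) from an RFC 5424 line."""
    m = SD_BLOCK.search(line)
    if not m:
        raise ValueError("no NXLOG structured-data block")
    # RFC 5424 escapes ", \ and ] inside param values with a backslash.
    fields = {k: re.sub(r'\\([\\"\]])', r'\1', v) for k, v in SD_PARAM.findall(m.group(1))}
    return fields, m.group(2)


def read_name(pkt, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it).
    Bounds the number of pointer hops so a crafted packet cannot loop forever."""
    labels, end, jumps = [], None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length


def parse_dns_response(hexdata):
    """Parse the hex PacketData of a response into qname, rcode and answers."""
    pkt = bytes.fromhex(hexdata[2:] if hexdata.lower().startswith("0x") else hexdata)
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    xid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, qname, answers = 12, None, []
    for _ in range(qdcount):
        qname, off = read_name(pkt, off)
        off += 4                                      # skip QTYPE, QCLASS
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        if rtype in (1, 28) and rdlen in (4, 16):
            value = str(ip_address(rdata))
        elif rtype == 5:
            value, _ = read_name(pkt, off)            # CNAME target may be compressed
        else:
            value = rdata.hex()
        answers.append((name, RTYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return {"xid": xid, "rcode": flags & 0x000F, "qname": qname, "answers": answers}


def extract_resolutions(lines, resolver_ips=RESOLVER_IPS):
    """Build client -> query -> answer records from RESPONSE_SUCCESS (257) events."""
    records = []
    for line in lines:
        fields, _msg = parse_syslog(line)
        if fields.get("EventID") != "257":
            continue
        resp = parse_dns_response(fields["PacketData"])
        client = fields.get("Destination")
        records.append({
            "client": client,
            "qname": fields.get("QNAME", "").rstrip("."),
            "rcode": resp["rcode"],
            "resolved": [v for _n, t, _ttl, v in resp["answers"] if t in ("A", "AAAA")],
            "chain": [(n, t, v) for n, t, _ttl, v in resp["answers"]],
            # True when the "client" is a monitored resolver: the query was forwarded
            # and the originating host must be recovered from that resolver's own log.
            "client_is_forwarder": client in resolver_ips,
        })
    return records


if __name__ == "__main__":
    for rec in extract_resolutions(SAMPLE_LINES):
        print(rec)
```

Records with client_is_forwarder set are the ones the capture-everywhere advice is about: the answer is still useful, but the originating host has to be joined from the log of the resolver named in Destination.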