DNS is a rich telemetry source that can help detect a wide array of attacks that would normally be very difficult to identify.
Configuration - NXLog Enterprise Edition
CYDERES recommends installing NXLog Enterprise Edition on the primary Windows DNS servers in your environment. Generally, these are the DNS servers assigned as the primary and secondary resolvers in the network properties of every PC. The objective in capturing this data is to record which client requested a domain and what that domain was resolved to. If a DNS request is forwarded on, the original client information is replaced by the address of the forwarding server, so it is important to capture DNS from every server that could receive the initial client request, wherever possible.
NXLog Enterprise Edition contains a module for reading ETW providers, one of which (Microsoft-Windows-DNSServer) carries all of the analytical logging information from Windows DNS. NXLog consumes events from that provider and sends them on as syslog. Example NXLog configuration:
define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS <hostname>
define OUTPUT_DESTINATION_PORT <port>

ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module  xm_syslog
</Extension>

# Read the Windows DNS Server analytical events from the ETW provider
<Input etw_dns>
    Module    im_etw
    Provider  Microsoft-Windows-DNSServer
</Input>

# Forward the events as RFC 5424 (IETF) syslog over TCP
<Output out_dns>
    Module  om_tcp
    Host    %OUTPUT_DESTINATION_ADDRESS%
    Port    %OUTPUT_DESTINATION_PORT%
    # integer() on a datetime yields microseconds since the epoch; convert to seconds
    Exec    $EventTime = integer($EventTime) / 1000000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec    to_syslog_ietf();
</Output>

<Route 1>
    Path  etw_dns => out_dns
</Route>
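As an added example (not CYDERES or NXLog code), the following Python consumer reconstructs the client-to-domain mapping described above from the forwarded syslog: it parses the RFC 5424 structured-data element that to_syslog_ietf() emits and pairs the provider's QUERY_RECEIVED (EventID 256) events with the matching RESPONSE_SUCCESS (EventID 257) events by XID and QNAME, keeping the original client address from the query. The exact structured-data field names (QNAME, QTYPE, XID, Source, Destination, RCODE) and the sample lines are constructed assumptions about what the ETW payload looks like after NXLog formats it.

```python
import re

# Event IDs of the Microsoft-Windows-DNSServer analytical provider (assumed)
QUERY_RECEIVED = "256"
RESPONSE_SUCCESS = "257"

# Structured-data element written by to_syslog_ietf() and its key="value" params
SD_ELEMENT = re.compile(r'\[NXLOG@14506 ((?:[^\]\\]|\\.)*)\]')
SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_sd(line):
    """Return the NXLog structured-data parameters of one syslog line as a dict."""
    match = SD_ELEMENT.search(line)
    if not match:
        return {}
    return {k: v.replace('\\"', '"').replace('\\]', ']')
            for k, v in SD_PARAM.findall(match.group(1))}


def correlate(lines):
    """Pair each query with its successful response and return
    (client, qname, qtype, rcode) tuples in the order responses arrive.
    A response with no recorded query falls back to its Destination field."""
    pending = {}   # (XID, qname) -> client address from QUERY_RECEIVED
    results = []
    for line in lines:
        sd = parse_sd(line)
        key = (sd.get("XID"), sd.get("QNAME", "").lower())
        if sd.get("EventID") == QUERY_RECEIVED:
            pending[key] = sd.get("Source")
        elif sd.get("EventID") == RESPONSE_SUCCESS:
            client = pending.pop(key, sd.get("Destination"))
            results.append((client, sd.get("QNAME"), sd.get("QTYPE"), sd.get("RCODE")))
    return results


# Constructed sample lines in the shape NXLog's to_syslog_ietf() produces
SAMPLE = [
    '<14>1 2024-01-01T12:00:00.000000Z dns01 nxlog - - [NXLOG@14506 EventID="256" '
    'QNAME="www.example.com." QTYPE="1" XID="4660" Source="10.0.0.25" Port="51234"] QUERY_RECEIVED',
    '<14>1 2024-01-01T12:00:00.010000Z dns01 nxlog - - [NXLOG@14506 EventID="257" '
    'QNAME="www.example.com." QTYPE="1" XID="4660" Destination="10.0.0.25" RCODE="0"] RESPONSE_SUCCESS',
    '<14>1 2024-01-01T12:00:01.000000Z dns01 nxlog - - [NXLOG@14506 EventID="257" '
    'QNAME="orphan.example." QTYPE="28" XID="9" Destination="10.0.0.7" RCODE="0"] RESPONSE_SUCCESS',
]

if __name__ == "__main__":
    for client, qname, qtype, rcode in correlate(SAMPLE):
        print(f"{client} -> {qname} (QTYPE {qtype}, RCODE {rcode})")
```

On a real feed the resolved answers live in the response's PacketData, so a full pipeline would also decode that field; this example stops at the client/domain/result pairing.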