
Windows DNS

About

DNS is a system that is used in TCP/IP networks for naming computers and network services. DNS naming locates computers and services through user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to other information that is associated with the name, such as an IP address. (Domain Name System (DNS) Overview)

Product Details

Vendor URL: Windows DNS

Product Type: DNS

Product Tier: Tier I

Integration Method: Syslog

Integration URL: Windows DNS - Cyderes Documentation

Log Guide: NXLog Reference Page

Parser Details

Log Format: Syslog, KV, and JSON

Expected Normalization Rate: Near 100%

Data Label: WINDOWS_DNS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                  UDM Field
----------------------------------------------  ------------------------------------
Varies, based on EventId                        metadata.description
NETWORK_DNS, GENERIC_EVENT                      metadata.event_type
EventId                                         metadata.product_event_type
Hard-coded: Windows DNS                         metadata.product_name
Hard-coded: DNS                                 network.application_protocol
PacketData                                      network.dns.additional
if flags = A, or if AA = 1                      network.dns.authoritative
xid or XID                                      network.dns.id
OpcodeValue, or derived from the Opcode value   network.dns.opcode
domain1 or QNAME, and questionType or QTYPE     network.dns.questions
if flags = R                                    network.dns.recursion_available
if flags = D, or RD = 1                         network.dns.recursion_desired
if response = R                                 network.dns.response
responseCode, RCODE                             network.dns.response_code
if flags = T                                    network.dns.truncated
TCP                                             network.ip_protocol
logsource                                       principal.hostname
InterfaceIP, dns_ip                             principal.ip
Port                                            principal.port
ExecutionThreadID                               principal.process.parent_process.pid
ExecutionProcessID                              principal.process.pid
AccountType                                     principal.user.attribute.roles
Domain                                          principal.user.group_identifiers
AccountName                                     principal.user.userid
UserID                                          principal.user.windows_sid
Severity                                        security_result
Source                                          src.ip
Destination                                     target.ip

Product Event Types

Description                 metadata.event_type
--------------------------  -------------------
If question is missing      GENERIC_EVENT
Default                     NETWORK_DNS

DNS Debug Log Sample

12/10/2021 11:11:11 PM 0ABC PACKET  0000001A23B4C567 UDP Snd 10.10.10.10      a1b2 R Q [8085 A DR  NOERROR] SRV    (9)this(4)is(2)the(6)address(4)requested(5)com(0) 

DNS Debug Sample Parsing

metadata.event_timestamp.seconds= 1639175993
metadata.event_timestamp.nanos= 252325783
metadata.event_type= NETWORK_DNS
metadata.product_name= "Windows DNS"
principal.ip= "10.10.10.10"
network.application_protocol= DNS
network.dns.id= 41394
network.dns.response= true
network.dns.authoritative= true
network.dns.recursion_desired= true
network.dns.recursion_available= true
network.dns.questions.name= "this.is.the.address.requested.com"
network.dns.questions.type= 33
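The debug-log mapping shown above, as an added example that is not the Cyderes parser's own code: a small Python parser that turns one DNS debug log packet line into the UDM fields from the table, decoding the length-prefixed query name and the A/T/D/R flag letters the same way the table describes. The sample line is the one on this page; the QTYPE table and the opcode letter mapping (Q/N/U) are assumptions.

```python
import re

# Constructed sample: the DNS debug log packet line shown on this page.
SAMPLE_LINE = (
    "12/10/2021 11:11:11 PM 0ABC PACKET  0000001A23B4C567 UDP Snd 10.10.10.10      "
    "a1b2 R Q [8085 A DR  NOERROR] SRV    (9)this(4)is(2)the(6)address(4)requested(5)com(0) "
)

# Assumed lookup tables: common question types by DNS numeric code, and the
# debug log's opcode letters (Q = standard query, N = notify, U = update).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "TXT": 16, "AAAA": 28, "SRV": 33}
OPCODES = {"Q": 0, "N": 4, "U": 5}

# One packet line. The response column is a literal "R" or a single blank, so it is matched by position.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<thread>[0-9A-Fa-f]+) PACKET\s+(?P<ctx>[0-9A-Fa-f]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4}) (?P<rq>[R ]) (?P<op>\S) \[(?P<flagbody>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)
# The query name is written as length-prefixed labels: (3)www(7)example(3)com(0)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def decode_qname(raw: str) -> str:
    """(3)www(7)example(3)com(0) -> www.example.com; the (n) counts are not enforced."""
    return ".".join(label for _, label in LABEL_RE.findall(raw) if label)


def parse_debug_line(line: str) -> dict:
    """Map one debug log packet line to the UDM fields listed in the table above."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a DNS debug packet line")
    tokens = m["flagbody"].split()   # e.g. ['8085', 'A', 'DR', 'NOERROR']
    letters = "".join(tokens[1:-1])  # A=authoritative T=truncated D=RD R=RA
    return {
        "principal.ip": m["ip"],
        "network.ip_protocol": m["proto"],
        "network.dns.id": int(m["xid"], 16),
        "network.dns.opcode": OPCODES.get(m["op"]),
        "network.dns.response": m["rq"] == "R",
        "network.dns.authoritative": "A" in letters,
        "network.dns.truncated": "T" in letters,
        "network.dns.recursion_desired": "D" in letters,
        "network.dns.recursion_available": "R" in letters,
        "network.dns.response_code": tokens[-1],
        "network.dns.questions.name": decode_qname(m["qname"]),
        "network.dns.questions.type": QTYPES.get(m["qtype"]),
    }
```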

DNS ETW Log Sample

<14>1 2021-12-10T16:37:29.272316-06:00 hostname01 Microsoft-Windows-DNSServer 3332 - [NXLOG@14506 ProviderGuid="{54149d10-5a0b-11ec-bf63-0242ac130002}" EventId="257" Version="0" ChannelID="10" OpcodeValue="0" TaskValue="1" Keywords="1234567890123456789" ExecutionThreadID="1234" EventType="INFO" Domain="NT AUTHORITY" AccountName="SYSTEM" UserID="S-1-2-34" AccountType="User" Flags="54321" TCP="0" InterfaceIP="10.10.10.10" Destination="10.10.0.0" AA="1" AD="0" QNAME="SUBDOMAIN.WEBSITE.COM." QTYPE="6" XID="12345" DNSSEC="0" RCODE="0" Port="55555" Scope="Default" Zone="WEBSITE.COM" PolicyName="NULL" BufferSize="123" PacketData="0xAB32110227D31F64902DC8BA41EAC9077A2CCC9D7327056C8424" AdditionalInfo="VirtualizationInstance:." ElapsedTime="0" GUID="{D1F05EBD-2A20-492E-BDE5-A62AD3DA08B4}" EventReceivedTime="1639175750" SourceModuleName="etw_dns" SourceModuleType="im_etw"] SourceName="Microsoft-Windows-DNSServer" ProviderGuid="{54149d10-5a0b-11ec-bf63-0242ac130002}" EventId="257" Version="0" ChannelID="16" OpcodeValue="0" TaskValue="1" Keywords="1234567890123456789" EventTime="2021-12-10 16:35:49" ExecutionProcessID="3332" ExecutionThreadID="1234" EventType="INFO" SeverityValue="2" Severity="INFO" Domain="NT AUTHORITY" AccountName="SYSTEM" UserID="S-1-2-34" AccountType="User" Flags="EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)" TCP="0" InterfaceIP="10.10.10.10" Destination="10.10.0.0" AA="1" AD="0" QNAME="SUBDOMAIN.WEBSITE.COM." QTYPE="6" XID="60811" DNSSEC="0" RCODE="0" Port="60586" Flags="54321" Scope="Default" Zone="WEBSITE.COM" PolicyName="NULL" BufferSize="123" PacketData="0xAB32110227D31F64902DC8BA41EAC9077A2CCC9D7327056C8424" AdditionalInfo="VirtualizationInstance:." ElapsedTime="0" GUID="{D1F05EBD-2A20-492E-BDE5-A62AD3DA08B4}"

DNS ETW Sample Parsing

metadata.event_timestamp.seconds= 1639176746
metadata.event_timestamp.nanos= 209251747
metadata.event_type= NETWORK_DNS
metadata.product_name= "Windows DNS"
metadata.product_event_type= "257"
metadata.description= "RESPONSE_SUCCESS= TCP=0; InterfaceIP=10.10.10.10; Destination=10.10.0.0; AA=1; AD=0; QNAME=SUBDOMAIN.WEBSITE.COM.; QTYPE=6; XID=12345; DNSSEC=0; RCODE=0; Port=55555; Flags=54321; Scope=Default; Zone=WEBSITE.COM; PolicyName=NULL; PacketData=0xAB32110227D31F64902DC8BA41EAC9077A2CCC9D7327056C8424"
principal.hostname= "hostname01"
principal.user.userid= "SYSTEM"
principal.user.attribute.roles.name= "User"
principal.user.group_identifiers= "NT AUTHORITY"
principal.user.windows_sid= "S-1-2-34"
principal.process.parent_process.pid= "1234"
principal.ip= "10.10.10.10"
principal.port= 55555
target.ip= "10.10.0.0"
network.ip_protocol= UDP
network.application_protocol= DNS
network.dns.id= 12345
network.dns.authoritative= true
network.dns.questions.name= "SUBDOMAIN.WEBSITE.COM"
network.dns.questions.type= 6
network.dns.additional.data= "0xAB32110227D31F64902DC8BA41EAC9077A2CCC9D7327056C8424"
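The ETW mapping shown above, as an added example that is not the Cyderes parser's own code: a Python function that reads the RFC 5424 header and the key="value" pairs of the NXLog-forwarded DNSServer event and maps them to the UDM fields from the table. The sample is an abbreviated copy of this page's ETW line; keeping the first value of a key that repeats with different values (XID, Port) is an assumption that matches the parsed output shown above.

```python
import re

# Constructed sample: an abbreviated copy of this page's DNS ETW log line (same
# keys and values as the original, with most of the repeated pairs dropped).
ETW_LINE = (
    '<14>1 2021-12-10T16:37:29.272316-06:00 hostname01 Microsoft-Windows-DNSServer 3332 - '
    '[NXLOG@14506 EventId="257" ExecutionThreadID="1234" Domain="NT AUTHORITY" '
    'AccountName="SYSTEM" UserID="S-1-2-34" AccountType="User" TCP="0" '
    'InterfaceIP="10.10.10.10" Destination="10.10.0.0" AA="1" AD="0" '
    'QNAME="SUBDOMAIN.WEBSITE.COM." QTYPE="6" XID="12345" RCODE="0" Port="55555" '
    'PacketData="0xAB32110227D31F64902DC8BA41EAC9077A2CCC9D7327056C8424"] '
    'ExecutionProcessID="3332" XID="60811" Port="60586"'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
HEADER_RE = re.compile(r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) ")
# key="value" pairs, both inside the [NXLOG@14506 ...] element and in the trailing text
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_etw_line(line: str) -> dict:
    """Map an NXLog-forwarded DNSServer ETW event to the UDM fields in the table above."""
    h = HEADER_RE.match(line)
    if h is None:
        raise ValueError("not an RFC 5424 syslog line")
    kv = {}
    for key, value in KV_RE.findall(line):
        kv.setdefault(key, value)  # first occurrence wins: XID and Port repeat with different values
    return {
        "principal.hostname": h["host"],
        "metadata.product_event_type": kv.get("EventId"),
        "principal.user.userid": kv.get("AccountName"),
        "principal.user.group_identifiers": kv.get("Domain"),
        "principal.user.windows_sid": kv.get("UserID"),
        "principal.user.attribute.roles.name": kv.get("AccountType"),
        "principal.process.pid": kv.get("ExecutionProcessID", h["pid"]),
        "principal.process.parent_process.pid": kv.get("ExecutionThreadID"),
        "principal.ip": kv.get("InterfaceIP"),
        "principal.port": int(kv["Port"]) if "Port" in kv else None,
        "target.ip": kv.get("Destination"),
        "network.ip_protocol": "TCP" if kv.get("TCP") == "1" else "UDP",
        "network.dns.id": int(kv["XID"]) if "XID" in kv else None,
        "network.dns.authoritative": kv.get("AA") == "1",
        "network.dns.response_code": int(kv["RCODE"]) if "RCODE" in kv else None,
        "network.dns.questions.name": kv.get("QNAME", "").rstrip("."),
        "network.dns.questions.type": int(kv["QTYPE"]) if "QTYPE" in kv else None,
        "network.dns.additional.data": kv.get("PacketData"),
    }
```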

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon