
Enabling DNS Logging for Windows Server


To turn on DNS logging for a Microsoft Windows Server which is functioning as a DNS server, take the following steps:

  1. Hit Ctrl-Esc.
  2. Click on Administrative Tools.
  3. Select DNS.
  4. Right-click on the DNS server and select Properties.
  5. Click on the Debug Logging tab.
  6. Check the box next to Log packets for debugging. Ensure that at least Incoming, UDP, and Queries/Transfers, and the packet type Request, are checked. You may also want to log TCP packets, outgoing packets, and response packets to see the IP addresses the DNS server returns for name queries. Specify the directory path and file name for the log file. You can also specify a maximum size, if you wish; the default value is 500,000,000 bytes, i.e., 500 MB. If you only want to log DNS queries/responses from/to a particular system that is querying the DNS server, check the box next to Filter packets by IP address and then specify the IP address or addresses of the systems for which you wish to record DNS queries and/or responses.
  7. Click on OK.
  8. If you don't want to see any other entries in the log, e.g., for problems on the DNS server, you can click on the Event Logging tab and set the value for Log the following events to No events and click on OK.

If you wish to delete an existing log file that is in use and start a new one, right-click on the DNS server in the DNS Manager window, select All Tasks, then Stop. You can then move or delete the log file, right-click on the DNS server again, select All Tasks, then Start to restart logging.

When you check the log file, entries will appear such as the following:

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005CF374F80 UDP Rcv 192.168.0.42    fdd7   Q [0001   D   NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005CB426930 UDP Snd 10.255.176.137  0c4c   Q [0001   D   NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005D03B4CE0 UDP Rcv 10.255.176.137  0c4c R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005D03B4CE0 UDP Snd 192.168.1.42    fdd7 R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

The entries above show that the system with IP address 192.168.0.42 queried the DNS server for the address of imap-mail.outlook.com. The Windows Server 2012 DNS server did not know the IP address, so it in turn queried a DNS forwarder at 10.255.176.137. It received a response from the forwarder and returned that response to the system at 192.168.0.42. The numbers in (9)imap-mail(7)outlook(3)com(0) are the length of each label of the name, as the name is encoded in the DNS packet itself: imap-mail is 9 characters, outlook is 7 characters, com is 3 characters, and the final (0) marks the end of the name.

A valuable and free tool which can aid you in examining Microsoft Windows DNS log files is Windows DNS Log Analyser, or you can use one of the DNS Centric tools (created by Networkstr.com) to convert the 'dns.log' file into CSV with Convert Microsoft DNS Debug File to CSV Table Format.
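The entry format shown above can be parsed without any special tool. The following is an added example in Python (not code from this page, nor from the tools it mentions) that splits PACKET lines into fields, decodes the length-prefixed name back into dotted form, and writes the result as CSV; it assumes the US-style timestamp and the column layout seen in the sample entries, and rejects a name whose label lengths do not match its text, which would indicate a truncated or mangled line.

```python
import csv
import io
import re
# Two entries copied from the log excerpt above (client query; forwarder response).
SAMPLE = [
    "2/19/2015 10:03:57 PM 2AE8 PACKET  00000005CF374F80 UDP Rcv 192.168.0.42    fdd7   Q [0001   D   NOERROR] A      (9)imap-mail(7)outlook(3)com(0)",
    "2/19/2015 10:03:57 PM 2AE8 PACKET  00000005D03B4CE0 UDP Rcv 10.255.176.137  0c4c R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)",
]
# PACKET line: timestamp, thread, context, proto, direction, IP, xid, optional 'R', opcode, [flags rcode], qtype, name
_LINE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<context>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Rcv|Snd)\s+"
    r"(?P<ip>\S+)\s+(?P<xid>[0-9a-f]{4})\s+(?:(?P<response>R)\s+)?(?P<opcode>\S+)\s+"
    r"\[(?P<flags_hex>[0-9a-f]{4})(?P<flag_block>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<raw_name>\S+)$"
)
_LABEL = re.compile(r"\((\d+)\)([^(]*)")
FIELDS = ["date", "time", "thread", "context", "proto", "direction", "ip", "xid",
          "response", "opcode", "flags_hex", "flags", "rcode", "qtype", "name"]

def decode_name(raw):
    # '(9)imap-mail(7)outlook(3)com(0)' -> 'imap-mail.outlook.com'; each (n) is the
    # length of the label that follows, so a mismatch means the line was mangled.
    labels = []
    for length, label in _LABEL.findall(raw):
        if int(length) != len(label):
            raise ValueError(f"bad label length in {raw!r}")
        if label:
            labels.append(label)
    return ".".join(labels) if labels else "."

def parse_line(line):
    # Fields of one PACKET line as a dict, or None for any other kind of log line.
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec.pop("flag_block").split()  # e.g. ['DR', 'NOERROR']: letter flags, rcode
    rec["rcode"] = parts[-1]
    rec["flags"] = parts[0] if len(parts) > 1 else ""
    rec["response"] = rec["response"] or ""
    rec["name"] = decode_name(rec.pop("raw_name"))
    return rec

def to_csv(lines):
    # One CSV row per PACKET line; non-PACKET lines (e.g. event messages) are skipped.
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(r for r in map(parse_line, lines) if r)
    return out.getvalue()
```

Feed `to_csv()` the lines of dns.log to get a table you can filter by client IP, query name or rcode in any spreadsheet or SIEM.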

Important Note: 

The Microsoft Windows DNS debug log file has a maximum size of 500 MB or 1 GB (depending on the operating system version). When the file is full and reaches that maximum size, the Windows DNS server stops writing new entries to it, so manual intervention is required to continue logging.

One of the DNS Centric tools, "Auto Archive DNS Debug Logs", solves this problem by creating automatic backups based on user-specified parameters such as recurring intervals, time of day, and/or a file-size threshold: it archives the existing log file and automatically creates a new, empty log file for subsequent DNS debug log messages.


DNS Related Tools and Articles:

DNS Centric Solution

Identify Threats with DNS Logging

DNS Domain Blacklisting and Sinkhole Overview

Configure Unix BIND DNS Server for Domain Blacklisting and Sinkhole

Configure Microsoft DNS Server for Domain Blacklisting and Sinkhole

Convert Microsoft DNS Debug File to CSV Table Format
