Security intelligence tools give visibility into an organization's digital footprint and attack surface, and into its connections to the malicious infrastructure that threatens it. Being able to visualize and understand this data lets security personnel make more informed decisions and mitigate financial and operational risk. Data from DNS queries and responses plays a central role in this effort: passive and real-time DNS intelligence is critical for detecting network intrusions and is instrumental in any forensic and incident-response analysis. To make it easier to collect and parse DNS response data from Windows DNS Server environments, we've released DigitalStakeout Windows DNS Log Parser Community Edition.
DNS Log Parsing with Event Tracing for Windows (ETW)
Event Tracing for Windows (ETW) is a kernel-level tracing facility that records kernel- or application-defined events to a log file or delivers them to a consumer in real time. Consumers use the events to debug an application or to pinpoint where it is spending its time. With the introduction of the DNS Server Analytical log in Windows Server 2012 R2 (via hotfix KB2956577) and its inclusion in Server 2016, high queries-per-second (QPS) DNS activity logging is available through ETW.
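As an added example (not part of the original page or the DigitalStakeout tool), the following PowerShell captures events from the DNS Server ETW provider described above using only in-box tools, so you can see the raw event stream that a collector such as the parser consumes. It must run in an elevated session on a server with the DNS Server role (2012 R2 needs KB2956577 for these events). The session name, output path and test query are assumptions; the event IDs in the comments are the ones Microsoft documents for the DNS Server analytical log.

```powershell
# Added example, not DigitalStakeout code: capture DNS Server ETW events with logman
# and read them back with Get-WinEvent. Session name and output path are assumptions.
$Session = 'DnsEtwDemo'
$EtlPath = 'C:\Temp\dns.etl'
New-Item -ItemType Directory -Path (Split-Path -Path $EtlPath) -Force | Out-Null

# 1. Confirm the DNS Server ETW provider is registered (prints its GUID and keywords).
logman query providers Microsoft-Windows-DNSServer

# 2. Option A: enable the persistent Analytical channel, which is what Event Viewer does
#    under Applications and Services Logs > Microsoft > Windows > DNS-Server > Analytical.
#    /q:true suppresses the confirmation prompt wevtutil shows for analytic/debug logs.
wevtutil sl Microsoft-Windows-DNSServer/Analytical /e:true /q:true

# 3. Option B: a private trace session writing to an .etl file, the pattern high-QPS
#    collectors use. Keyword mask 0xFFFFFFFFFFFFFFFF and level 5 request every event.
logman start $Session -p Microsoft-Windows-DNSServer 0xFFFFFFFFFFFFFFFF 5 -o $EtlPath -ets

# Generate one query against the local server so the trace has some content (assumed name).
Resolve-DnsName -Name www.example.com -Server 127.0.0.1 -ErrorAction SilentlyContinue | Out-Null

logman stop $Session -ets

# 4. Read the trace back. -Oldest is mandatory for .etl files. Each event's Message holds
#    the decoded fields (QNAME, QTYPE, source address, RCODE and so on).
$Events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue

# 5. Count events per ID: 256 = QUERY_RECEIVED, 257 = RESPONSE_SUCCESS, 258 = RESPONSE_FAILURE.
$Events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count

# 6. Show the first few decoded events.
$Events | Select-Object -First 5 -Property TimeCreated, Id, Message | Format-List
```

Option B is the one worth understanding for a high-QPS server: a private session with its own buffers does not compete with the Event Viewer channel's size limit, and stopping the session with `logman stop ... -ets` is enough to flush the file. Remember to disable the Analytical channel again (`wevtutil sl Microsoft-Windows-DNSServer/Analytical /e:false`) if you only enabled it for the test.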
DigitalStakeout Windows DNS Log Parser (Community Edition)
The inspiration for this effort came from Microsoft's Threat Intelligence team and the performance they achieved with their in-house DNS ETW solution, so we decided to make this base capability freely available to everyone.
- A free solution for accessing and parsing high-velocity ETW DNS data
- Automated decoding of DNS query and response data
- No PowerShell or scripting required
- Parses Windows DNS log data to JSON for delivery to syslog or the SIEM of your choice
- Deduplicates entries using a 5-minute cache
- Free recipe for feeding Nxlog (stdout of DNSLogCE piped to Nxlog stdin)
Download DigitalStakeout Windows DNS Log Parser Community Edition for Free
File Size: 20M
Requirements (all supported versions):
- Microsoft DNS Server Role
- Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019
- .NET Framework 4.6.1 or newer
- Windows Server 2012 R2 or newer (2012 R2 requires hotfix KB2956577: http://support.microsoft.com/kb/2956577)
The Microsoft DNS Server role must be installed before running the MSI. The MSI automatically installs the "Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019" as a prerequisite.
Windows Server 2019 Prerequisites:
Microsoft DNS Server Role
Windows Server 2016 Prerequisites:
Microsoft DNS Server Role
Windows Server 2012 R2 Prerequisites:
- Microsoft DNS Server Role
- KB2919355 Cumulative Update (installed via Windows Update)
- KB2956577 DNS Logging and Diagnostics (http://support.microsoft.com/kb/2956577)
- .NET Framework 4.6.1 or newer (installed via Windows Update)
You must install hotfix KB2919355 (Cumulative Update) before installing hotfix KB2956577 (DNS Logging and Diagnostics).
You can confirm that hotfix KB2956577 was installed successfully in either of two ways:
- View installed updates in the Programs and Features control panel. If the update is installed, "Hotfix for Microsoft Windows (KB2956577)" is listed. You can also verify it by typing wmic qfe | find "KB2956577" at an elevated command prompt (use straight double quotes; cmd's find does not accept curly quotes).
- Check the version of %systemroot%\System32\dns.exe. Version 6.3.9600.17231 (or later) has the required features.
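As an added example (not part of the installer or the page's own instructions), the following PowerShell checks every prerequisite listed above from an elevated session and returns a single object with a pass/fail per item. It uses Get-HotFix, which reads the same Win32_QuickFixEngineering data as the wmic qfe check above, compares dns.exe against the 6.3.9600.17231 threshold from the page, and reads the .NET Framework Release registry value, where 394254 is the documented minimum for 4.6.1. The function name is my own.

```powershell
# Added example, not DigitalStakeout code: verify the Community Edition prerequisites.
# Run from an elevated PowerShell session on the DNS server itself.
function Test-DnsLogParserPrereqs {
    # Operating system: Server 2012 R2 reports NT 6.3; 2016 and 2019 report 10.0.
    $Os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $OsVer    = [version]$Os.Version
    $Is2012R2 = ($OsVer.Major -eq 6 -and $OsVer.Minor -eq 3)

    # The DNS Server role must be present before the MSI is run.
    $DnsRole = Get-WindowsFeature -Name DNS

    # dns.exe version, built from the numeric parts so the build tag in FileVersion is ignored.
    $DnsVer = $null
    $DnsExe = Get-Item -Path "$env:SystemRoot\System32\dns.exe" -ErrorAction SilentlyContinue
    if ($DnsExe) {
        $vi = $DnsExe.VersionInfo
        $DnsVer = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # .NET Framework 4.x release number; 394254 is the documented minimum for 4.6.1.
    $NetRelease = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                                    -Name Release -ErrorAction SilentlyContinue).Release

    # The two hotfixes only matter on 2012 R2; 2016 and 2019 ship the analytical log built in.
    $Kb2919355 = [bool](Get-HotFix -Id KB2919355 -ErrorAction SilentlyContinue)
    $Kb2956577 = [bool](Get-HotFix -Id KB2956577 -ErrorAction SilentlyContinue)

    $OsOk      = $OsVer -ge [version]'6.3'
    $DnsExeOk  = ($null -ne $DnsVer) -and ($DnsVer -ge [version]'6.3.9600.17231')
    $DotNetOk  = ($null -ne $NetRelease) -and ($NetRelease -ge 394254)
    $HotfixOk  = (-not $Is2012R2) -or ($Kb2919355 -and $Kb2956577)

    [pscustomobject]@{
        OperatingSystem  = $Os.Caption
        OSVersion        = $OsVer
        OSSupported      = $OsOk
        DnsRoleInstalled = [bool]$DnsRole.Installed
        DnsExeVersion    = $DnsVer
        DnsExeOk         = $DnsExeOk
        DotNetRelease    = $NetRelease
        DotNetOk         = $DotNetOk
        KB2919355        = $(if ($Is2012R2) { $Kb2919355 } else { 'not required' })
        KB2956577        = $(if ($Is2012R2) { $Kb2956577 } else { 'not required' })
        ReadyForMsi      = $OsOk -and [bool]$DnsRole.Installed -and $DnsExeOk -and $DotNetOk -and $HotfixOk
    }
}

Test-DnsLogParserPrereqs | Format-List
```

On 2012 R2 a missing KB2956577 shows up twice, as KB2956577 = False and as DnsExeOk = False, because the hotfix is what updates dns.exe to 6.3.9600.17231; on 2016 and 2019 the hotfix rows read "not required" and only the role, OS and .NET checks decide ReadyForMsi. The Visual C++ redistributable is not checked because the MSI installs it itself.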