Windows DNS Log Parser (Community Edition)

A free tool for parsing fully decoded DNS logs from Microsoft DNS server

Security intelligence tools help to provide visibility into an organization’s digital footprint, attack surface, and connectivity to the malicious digital footprint threatening your organization. By being able to visualize and understand this data, security personnel can make more informed decisions and mitigate financial and operational threats to their organization. Data from DNS queries and responses plays a central role in this effort.

Passive and real-time DNS intelligence is critical in detecting network intrusions and is instrumental in any forensic and incident response analysis. To make it easier to collect and parse DNS response data from Windows DNS server environments, we’ve released DigitalStakeout Windows DNS Log Parser Community Edition for DNS log analysis and threat hunting. If you need real-time DNS-level defense and analytics, check out Securd DNS Firewall and Web Filtering service.

DNS Log Parsing with Event Tracing for Windows (ETW)

Event Tracing for Windows (ETW) is a kernel-level tracing capability that logs kernel or application-defined events to a log file. The events can be consumed in real time or from a log file and used to debug an application or to determine where performance issues are occurring in the application. With the introduction of DNS Server Analytical logs in Server 2012 R2 and 2016, high query per second (QPS) DNS activity logging is available through ETW.

DigitalStakeout Windows DNS Log Parser (Community Edition)

DNSLogCE hooks ETW (Event Tracing for Windows) to log fully decoded query responses to Microsoft’s DNS server to STDOUT in JSON format.

DNSLogCE Output

The inspiration for this effort came from Microsoft’s Threat Intelligence team and the performance they achieved with their in-house DNS ETW solution. So we decided to make this base capability accessible to all with a free tool.

  • A free solution to access and parse high-velocity ETW DNS data
  • Automated decoding of DNS query and response data
  • No PowerShell or scripting required
  • Parse Windows DNS log data to JSON to Syslog or SIEM of choice
  • Dedupes entries with a 5-minute cache
  • Free recipe to input to Nxlog (stdout of DNSLogCE to Nxlog Stdin)
  • A commercial version with real-time analytics is available with DigitalStakeout Scout

Download DigitalStakeout Windows DNS Log Parser Community Edition for Free


Download Here  (500+ Downloads)


License: This software is for non-commercial use only. Full license details can be downloaded here. If you would like to acquire a commercial or OEM license, please Contact Us for pricing.

Client Requirements:
  • Microsoft DNS Server Role
  • Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019
  • DotNET 4.6.1 or Newer
  • Server 2012R2 or Newer (2012R2 Requires Hotfix KB2956577 –

Installation Notes:
Microsoft DNS Server Role must be installed prior to installing MSI. MSI automatically installs “Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019” as a prerequisite.

Windows Server 2019 Prerequisites:
Microsoft DNS Server Role

Windows Server 2016 Prerequisites:
Microsoft DNS Server Role

Windows Server 2012r2 Prerequisites:
  • Microsoft DNS Server Role
  • KB2919355 Cumulative Update (Installed via Windows Update)
  • KB2956577 DNS Logging and Diagnostics (
  • DotNet Framework 4.6.1 or Newer (Installed via Windows Update)

You must install hotfix KB2919355 (Cumulative Update) before installing hotfix KB2956577 (DNS Logging and Diagnostics).

You can confirm that hotfix KB2956577 was successfully installed by:

  • Viewing installed updates in the Programs and Features control panel. If the update is successfully installed, Hotfix for Microsoft Windows (KB2956577) will be displayed. You can also verify the installation of the hotfix by typing wmic qfe | find "KB2956577" at an elevated command prompt.
  • Checking the version of %systemroot%\System32\dns.exe. Version 6.3.9600.17231 (or later) has the required features.
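
The prerequisite checks above can be run in one pass before installing the MSI. The script below is an added example, not part of DNSLogCE or its installer; it uses built-in Windows cmdlets, and the .NET registry threshold (Release 394254 for 4.6.1) is Microsoft's documented value rather than something stated on this page.

```powershell
# Added example: prerequisite check for a Windows DNS server, run from an
# elevated PowerShell prompt. Thresholds come from the requirements listed above.
$results = [ordered]@{}

# DNS Server role (Get-WindowsFeature ships with ServerManager on Windows Server).
$role = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
$results['DNS Server role installed'] = [bool]($role -and $role.Installed)

# .NET Framework 4.6.1 or newer: the v4\Full "Release" value is 394254 or higher.
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
$results['.NET Framework 4.6.1 or newer'] = [bool]($ndp -and $ndp.Release -ge 394254)

# dns.exe must be 6.3.9600.17231 or later. Build the version from its numeric
# parts, because the FileVersion string can carry a trailing build label.
$dnsExe = Join-Path $env:SystemRoot 'System32\dns.exe'
if (Test-Path $dnsExe) {
    $vi = (Get-Item $dnsExe).VersionInfo
    $dnsVersion = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $results["dns.exe $dnsVersion is 6.3.9600.17231 or later"] =
        $dnsVersion -ge [version]'6.3.9600.17231'
} else {
    $results['dns.exe present'] = $false
}

# The two hotfixes apply only to Server 2012 R2 (NT 6.3); KB2919355 goes first.
$osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
if ($osVersion.Major -eq 6 -and $osVersion.Minor -eq 3) {
    foreach ($kb in 'KB2919355', 'KB2956577') {
        $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        $results["$kb installed"] = [bool]$hotfix
    }
}

# One line per check, so a missing prerequisite is visible before running the MSI.
$results.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```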