Download a free tool that generates JSON-decoded DNS logs from Microsoft DNS Server.
Security intelligence tools provide visibility into an organization's digital footprint, its attack surface, and its connections to the malicious infrastructure that threatens it. By being able to visualize and understand this data, security personnel can make more informed decisions and mitigate financial and operational risk to their organization. Data from DNS queries and responses plays a central role in this effort. Passive and real-time DNS intelligence is critical for detecting network intrusions and is instrumental in any forensic and incident response analysis. To make it easier to collect and parse DNS response data from Windows DNS Server environments, we've released Securd Windows DNS Log Parser Community Edition, a tool built to make DNS log analysis and threat hunting easier.
Event Tracing for Windows (ETW) is a kernel-level tracing facility that records kernel-defined and application-defined events to a log file or delivers them to consumers in real time. Consumers use these events to debug an application or to pinpoint where it is spending its time. With the introduction of DNS Server analytical logs in Windows Server 2012 R2 (via hotfix KB2956577) and Windows Server 2016, high query-per-second (QPS) DNS activity logging is available through ETW.
DNSLogCE subscribes to the DNS Server ETW events and writes fully decoded query responses from Microsoft's DNS Server to STDOUT in JSON format.
The inspiration for this effort came from Microsoft's Threat Intelligence team and the performance they achieved with their in-house DNS ETW solution. We decided to make this base capability available to everyone as a free tool.
Go real-time with DNS visibility, defense and SIEM integration. Get started with free protective DNS.
License: This software is for non-commercial use only. Full license details can be downloaded here. If you would like to acquire a commercial or OEM license, please Contact Us for pricing.
Client Requirements:
- Microsoft DNS Server role
- Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019
- .NET Framework 4.6.1 or newer
- Windows Server 2012 R2 or newer (2012 R2 requires hotfix KB2956577: http://support.microsoft.com/kb/2956577)
Installation Notes: The Microsoft DNS Server role must be installed before running the MSI. The MSI automatically installs "Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019" as a prerequisite.
Windows Server 2019 Prerequisites:
- Microsoft DNS Server role
Windows Server 2016 Prerequisites:
- Microsoft DNS Server role
Windows Server 2012 R2 Prerequisites:
- Microsoft DNS Server role
- KB2919355 Cumulative Update (installed via Windows Update)
- KB2956577 DNS Logging and Diagnostics (http://support.microsoft.com/kb/2956577)
- .NET Framework 4.6.1 or newer (installed via Windows Update)
You must install hotfix KB2919355 (Cumulative Update) before installing hotfix KB2956577 (DNS Logging and Diagnostics).
You can confirm that hotfix KB2956577 was successfully installed by:
- Viewing installed updates in the Programs and Features control panel. If the update is installed, "Hotfix for Microsoft Windows (KB2956577)" will be displayed. You can also verify the installation by typing wmic qfe | find "KB2956577" at an elevated command prompt (use straight quotes; curly quotes will make find fail).
- Checking the version of %systemroot%\System32\dns.exe. Version 6.3.9600.17231 (or later) has the required features.
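The prerequisite checks above can be run in one pass from an elevated PowerShell prompt on the DNS server. The script below is an added example, not code from the DNSLogCE tool or its documentation: the function name Test-DnsLogCEPrerequisites is our own, the hotfix IDs and the minimum dns.exe build are the ones listed above, and the .NET 4.6.1 check uses Microsoft's published NDP registry Release value (394254) as its threshold.

```powershell
# Added example (not part of the Securd DNSLogCE tool): one-shot check of the
# prerequisites listed on this page. Run from an elevated PowerShell prompt on
# the DNS server itself. Hotfix IDs and the minimum dns.exe build come from the
# page; 394254 is Microsoft's published NDP\v4\Full "Release" value for .NET 4.6.1.
function Test-DnsLogCEPrerequisites {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $is2012R2 = $os.Version -like '6.3.*'   # 2016 reports 10.0.14393, 2019 reports 10.0.17763

    # 1. The DNS Server role must be present before the MSI is run.
    $dnsRole = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
    $roleOk  = ($null -ne $dnsRole) -and $dnsRole.Installed

    # 2. dns.exe 6.3.9600.17231 or later carries the analytical (ETW) logging.
    #    Build the version from the numeric parts: on 2012 R2 the FileVersion
    #    string carries a branch suffix that [version] cannot parse.
    $dnsExe = Join-Path $env:SystemRoot 'System32\dns.exe'
    $minDns = [version]'6.3.9600.17231'
    $dnsVer = $null
    if (Test-Path $dnsExe) {
        $vi = (Get-Item $dnsExe).VersionInfo
        $dnsVer = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    $dnsVerOk   = ($null -ne $dnsVer) -and ($dnsVer -ge $minDns)
    $dnsVerText = if ($null -ne $dnsVer) { $dnsVer.ToString() } else { 'dns.exe not found' }

    # 3. 2012 R2 only: KB2919355 must be installed before KB2956577 (DNS Logging
    #    and Diagnostics). Get-HotFix reads the same QFE data as "wmic qfe".
    $missingKb = @()
    if ($is2012R2) {
        foreach ($kb in 'KB2919355', 'KB2956577') {
            if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { $missingKb += $kb }
        }
    }
    $hotfixOk = ($missingKb.Count -eq 0)

    # 4. .NET Framework 4.6.1 or newer: Release >= 394254 under NDP\v4\Full.
    $ndpKey   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release  = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
    $dotNetOk = ($null -ne $release) -and ([int]$release -ge 394254)

    [pscustomobject]@{
        OSVersion        = $os.Version
        DnsRoleInstalled = $roleOk
        DnsExeVersion    = $dnsVerText
        DnsExeVersionOk  = $dnsVerOk
        MissingHotfixes  = ($missingKb -join ', ')   # always empty on 2016/2019
        DotNetRelease    = $release
        DotNetOk         = $dotNetOk
        ReadyForDNSLogCE = ($roleOk -and $dnsVerOk -and $hotfixOk -and $dotNetOk)
    }
}

Test-DnsLogCEPrerequisites | Format-List
```

The Visual C++ redistributable is deliberately not checked, since the MSI installs it itself. On Windows Server 2016 and 2019 the hotfix step is skipped and MissingHotfixes stays empty, because KB2919355 and KB2956577 apply only to 2012 R2; a 2012 R2 host that reports a dns.exe build below 6.3.9600.17231 has not had KB2956577 applied even if Programs and Features lists it, so treat the version check as the authoritative one.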