Free Windows DNS Log Parser

Download a free tool to generate json decoded DNS logs from Microsoft DNS server.

DNS Traffic Analysis is a Best Practice Cybersecurity Countermeasure

Security intelligence tools provide visibility into an organization’s digital footprint, its attack surface, and its connectivity to the malicious digital footprint threatening it. By visualizing and understanding this data, security personnel can make more informed decisions and mitigate financial and operational threats to their organization. Data from DNS queries and responses plays a central role in this effort: passive and real-time DNS intelligence is critical for detecting network intrusions and is instrumental in any forensic and incident response analysis. To make it easier to collect and parse DNS response data from Windows DNS server environments, we’ve released Securd Windows DNS Log Parser Community Edition for DNS log analysis and threat hunting.

DNS Log Parsing with Event Tracing for Windows (ETW)

Event Tracing for Windows (ETW) is a kernel-level tracing capability to log kernel or application-defined events to a log file. It can consume the events in real-time or from a log file and use them to debug an application or to determine where performance issues are occurring in the application. With the introduction of DNS Server Analytical logs in Server 2012 R2 and 2016, high query per second (QPS) DNS activity logging is available through ETW.

Download Securd's Windows DNS Log Parser

DNSLogCE hooks ETW (Event Tracing for Windows) to capture query responses from Microsoft’s DNS server and writes them, fully decoded, to STDOUT in JSON format.

The inspiration for this effort came from Microsoft’s Threat Intelligence team and the performance they achieved with their in-house DNS ETW solution. So we decided to make this base capability accessible to all with a free tool.

  • A free solution to access and parse high-velocity ETW DNS data.
  • Automated decoding of DNS query and response data.
  • No PowerShell or scripting required.
  • Parse Windows DNS log data to JSON and forward it to syslog or the SIEM of your choice.
  • Dedupes entries with a 5-minute cache.
  • Free recipe for feeding Nxlog (DNSLogCE stdout piped to Nxlog stdin).

Go real-time with DNS visibility, defense and SIEM integration. Get started with free protective DNS.

Securd Windows DNS Log Parser Release Notes

License: This software is for non-commercial use only. Full license details can be downloaded here. If you would like to acquire a commercial or OEM license, please Contact Us for pricing.

Client Requirements:

  • Microsoft DNS Server Role
  • Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019
  • .NET 4.6.1 or newer
  • Server 2012 R2 or newer (2012 R2 requires hotfix KB2956577 – http://support.microsoft.com/kb/2956577)

Installation Notes: The Microsoft DNS Server Role must be installed prior to installing the MSI. The MSI automatically installs “Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019” as a prerequisite.

Windows Server 2019 Prerequisites: Microsoft DNS Server Role

Windows Server 2016 Prerequisites: Microsoft DNS Server Role

Windows Server 2012 R2 Prerequisites:

  • Microsoft DNS Server Role
  • KB2919355 Cumulative Update (installed via Windows Update)
  • KB2956577 DNS Logging and Diagnostics (http://support.microsoft.com/kb/2956577)
  • .NET Framework 4.6.1 or newer (installed via Windows Update)

You must install hotfix KB2919355 (Cumulative Update) before installing hotfix KB2956577 (DNS Logging and Diagnostics).

You can confirm that hotfix KB2956577 was successfully installed by either of the following:

  • Viewing installed updates in the Programs and Features control panel. If the update is successfully installed, “Hotfix for Microsoft Windows (KB2956577)” will be displayed. You can also verify the installation of the hotfix by typing wmic qfe | find "KB2956577" at an elevated command prompt.
  • Checking the version of %systemroot%\System32\dns.exe. Version 6.3.9600.17231 (or later) has the required features.
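As an added example that is not part of Securd's tool or its documentation, the following PowerShell function runs the prerequisite checks listed above on a DNS server before the MSI is installed. It assumes an elevated session with the ServerManager module available, and it uses the .NET Framework "Release" registry value (394254 is the lowest value corresponding to 4.6.1) for the .NET check.

```powershell
# Added example, not Securd's own code: checks the DNSLogCE prerequisites
# listed above. Assumes an elevated PowerShell session on Windows Server
# with the ServerManager module available.
Import-Module ServerManager -ErrorAction Stop

function Test-DnsLogCEPrerequisites {
    $results = [ordered]@{}

    # 1. The Microsoft DNS Server role must be present before the MSI runs.
    $dnsRole = Get-WindowsFeature -Name DNS
    $results['DnsServerRole'] = [bool]$dnsRole.Installed

    # 2. dns.exe 6.3.9600.17231 or later carries the ETW analytical log.
    #    Build the version from the numeric parts; the FileVersion string
    #    often carries a build tag after the number and will not cast.
    $dnsExe = Join-Path $env:SystemRoot 'System32\dns.exe'
    $results['DnsExeVersionOk'] = $false
    if (Test-Path $dnsExe) {
        $vi  = (Get-Item $dnsExe).VersionInfo
        $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $results['DnsExeVersion']   = $ver.ToString()
        $results['DnsExeVersionOk'] = $ver -ge [version]'6.3.9600.17231'
    }

    # 3. Server 2012 R2 (NT 6.3) additionally needs KB2919355, then
    #    KB2956577. Server 2016 and 2019 ship the analytical log already.
    $osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    if ($osVersion.Major -eq 6 -and $osVersion.Minor -eq 3) {
        $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
        $results['KB2919355'] = $installed -contains 'KB2919355'
        $results['KB2956577'] = $installed -contains 'KB2956577'
    }

    # 4. .NET Framework 4.6.1 or newer. The NDP\v4\Full "Release" value is
    #    Microsoft's documented way to detect 4.5+ versions; 394254 is the
    #    lowest value that corresponds to 4.6.1.
    $ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
    $results['DotNet461OrNewer'] = ($null -ne $ndp) -and ($ndp.Release -ge 394254)

    # Overall verdict: every boolean check above must be true.
    $checks = @($results.Values | Where-Object { $_ -is [bool] })
    $results['Ready'] = $checks -notcontains $false
    return [pscustomobject]$results
}

Test-DnsLogCEPrerequisites | Format-List
```

On Server 2016 and 2019 the KB fields are omitted because the hotfix check only applies to 2012 R2; a Ready value of False points to the first field reported as False.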