Enabling DNS Logging for Windows Server 2012

Domain Name System (DNS) logging provides a record of the other systems a particular system is attempting to contact, which can be important information in determining what happened if a system becomes infected with malware. If DNS logging is enabled, you can see which systems are being contacted, provided the infected system looks up an IP address from a name rather than using a hardcoded IP address, and also when a system was trying to contact other systems.

To turn on DNS logging for a Microsoft Windows Server 2012 system which is functioning as a DNS server, take the following steps:

  1. Hit Ctrl-Esc.
  2. Click on Administrative Tools.
  3. Select DNS.
  4. Right-click on the DNS server and select Properties.
  5. Click on the Debug Logging tab.

    [Screenshot: DNS event logging - Server 2012]

  6. Check the box next to Log packets for debugging. Ensure that at least Incoming, UDP, Queries/Transfers, and the packet type Request are checked. You may also want to log TCP packets, outgoing packets, and response packets, so that you can see the IP addresses the DNS server returns for name queries. Specify the directory path and file name for the log file. You can also specify a maximum file size, if you wish; the default value is 500,000,000 bytes, i.e., 500 MB. If you only want to log DNS queries and responses from and to a particular system that is querying the DNS server, check the box next to "Filter packets by IP address" and then specify the IP address or addresses of the systems for which you wish to record DNS queries and/or responses.
  7. Click on OK.
  8. If you don't want to see any other entries in the log, e.g., for problems on the DNS server, you can click on the Event Logging tab and set the value for "Log the following events" to "No events" and click on OK.

If you wish to delete an existing log file that is in use and start a new one, right-click on the DNS server in the DNS Manager window, select All Tasks, then Stop. You can then move or delete the log file, right-click on the DNS server again, select All Tasks, then Start to restart logging.

When you check the log file, entries will appear such as the following:

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005CF374F80 UDP Rcv 192.168.0.42    fdd7   Q [0001   D   NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005CB426930 UDP Snd 10.255.176.137  0c4c   Q [0001   D   NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005D03B4CE0 UDP Rcv 10.255.176.137  0c4c R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

2/19/2015 10:03:57 PM 2AE8 PACKET  00000005D03B4CE0 UDP Snd 192.168.1.42    fdd7 R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

The entries above show that the system with IP address 192.168.0.42 queried the DNS server for the address of imap-mail.outlook.com. The Windows Server 2012 DNS server did not know the IP address, so it in turn queried a DNS forwarder at 10.255.176.137. It received a response from the forwarder and returned that response to the system at 192.168.0.42. The numbers in (9)imap-mail(7)outlook(3)com(0) are the lengths of the individual labels of the name, e.g., imap-mail is 9 characters, outlook is 7 characters, and com is 3 characters.
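As an added example (not code from the original article), the following Python parser handles the debug-log line format shown above: it decodes the (n)label notation into an ordinary host name, checks that each label really has the length its prefix claims, and summarises which client asked for which name, which is the view you want when checking what a suspect system was looking up. The sample log lines are constructed to match the format above, with a second client added.

```python
import re
from collections import Counter
# Constructed sample modelled on the entries above, plus a query from a second client.
SAMPLE_LOG = """\
2/19/2015 10:03:57 PM 2AE8 PACKET  00000005CF374F80 UDP Rcv 192.168.0.42    fdd7   Q [0001   D   NOERROR] A      (9)imap-mail(7)outlook(3)com(0)
2/19/2015 10:03:57 PM 2AE8 PACKET  00000005CB426930 UDP Snd 10.255.176.137  0c4c   Q [0001   D   NOERROR] A      (9)imap-mail(7)outlook(3)com(0)
2/19/2015 10:03:57 PM 2AE8 PACKET  00000005D03B4CE0 UDP Rcv 10.255.176.137  0c4c R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)
2/19/2015 10:03:57 PM 2AE8 PACKET  00000005D03B4CE0 UDP Snd 192.168.0.42    fdd7 R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)
2/19/2015 10:04:12 PM 2AE8 PACKET  00000005CF374F80 UDP Rcv 192.168.0.77    a1b2   Q [0001   D   NOERROR] TXT    (3)www(7)example(3)org(0)
"""

# Fields: date time tid PACKET ctx proto Rcv|Snd ip xid [R] opcode [flags rcode] rrtype name
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+[0-9A-Fa-f]+\s+PACKET\s+[0-9A-Fa-f]+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Rcv|Snd)\s+(?P<ip>\S+)\s+[0-9A-Fa-f]{4}\s+"
    r"(?P<resp>R\s+)?(?P<opcode>\S+)\s+\[(?P<flags>[^\]]*)\]\s+(?P<rrtype>\S+)\s+(?P<name>\S+)\s*$"
)

def decode_name(encoded):
    """(9)imap-mail(7)outlook(3)com(0) -> imap-mail.outlook.com, checking each (n) length."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", encoded):
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {encoded!r}")
        if label:  # the trailing (0) is the empty root label
            labels.append(label)
    return ".".join(labels)

def parse_log(text):
    """Parse PACKET lines into dicts; blank or non-PACKET lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags").split()  # e.g. ['8081', 'DR', 'NOERROR']; rcode is last
        records.append({
            "time": f"{m.group('date')} {m.group('time')}",
            "proto": m.group("proto"), "direction": m.group("direction"),
            "ip": m.group("ip"), "is_response": m.group("resp") is not None,
            "rcode": flags[-1] if flags else "", "rrtype": m.group("rrtype"),
            "name": decode_name(m.group("name")),
        })
    return records

def client_queries(records):
    """Count (client IP, name) over requests received from clients; packets sent to
    the forwarder (Snd) and responses received from it (Rcv with R) are left out."""
    return Counter((r["ip"], r["name"]) for r in records
                   if r["direction"] == "Rcv" and not r["is_response"])
```

Feed the contents of the configured log file to parse_log and print client_queries(...).most_common() to get a per-client list of looked-up names; the "time" field of each record gives the "when" the article mentions.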

A valuable and free tool which can aid you in examining Microsoft Windows DNS log files is Windows DNS Log Analyser.

If you wish to rotate the log file daily, you can use the instructions at Rotate the DNS server log file on a Windows server, though, since the at command is deprecated, you will need to use the schtasks command instead. A command similar to the one shown below can be used to run the batch file at one minute after midnight every night:

C:\>schtasks /create /tn "Rotate DNS Log" /tr "C:\Program Files\Utilities\rotatednslog" /sc daily /st 00:01
SUCCESS: The scheduled task "Rotate DNS Log" has successfully been created.

I can check on the status of the above scheduled task as shown below:

C:\>schtasks /query /tn "Rotate DNS Log"

Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Rotate DNS Log                           2/20/2015 12:01:00 AM  Ready

In the above example, the task was submitted on February 19, 2015.


Created: Thursday, February 19, 2015