{"id":496,"date":"2020-07-24T15:07:19","date_gmt":"2020-07-24T15:07:19","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=496"},"modified":"2024-04-01T13:51:10","modified_gmt":"2024-04-01T05:51:10","slug":"windows-dns-logging","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/24\/windows-dns-logging\/","title":{"rendered":"Windows DNS logging"},"content":{"rendered":"<h2 class=\"wp-block-heading\" id=\"1-preface%C2%A0\">Preface<\/h2>\n\n\n\n<p>Windows DNS logging is NOT our recommended method for collecting DNS request and reply transactions for continuous security monitoring. However, sometimes there is no other option, especially when the Windows DNS debug or analytical log is the only data source available during an IR investigation. In the first part of this post we cover the Windows DNS debug log and the DNS analytical log. Then we look at other options for DNS logging for continuous monitoring. Lastly, we touch on newer DNS transports such as DoH (DNS over HTTPS).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-dns-logging\">Why DNS logging?<\/h2>\n\n\n\n<p>DNS traffic is one of the most important data sources for continuous network security monitoring. A DNS query is sent whenever you send an email or browse a website, so DNS logs let us spot lookups of known phishing domains (the hostname part of a known phishing URL), of known malicious C2 domains, and even of typosquatting domains.<\/p>\n\n\n\n<p>In addition, there are many malicious techniques that leverage standard DNS queries to transfer payloads, establish covert channels and exfiltrate data. 
Some interesting tools and techniques include <a href=\"https:\/\/github.com\/iagox86\/dnscat2\">dnscat2<\/a>, <a href=\"https:\/\/ired.team\/offensive-security\/exfiltration\/payload-delivery-via-dns-using-invoke-powercloud\">PowerCloud<\/a>, the <a href=\"https:\/\/gsec.hitb.org\/materials\/sg2019\/D2%20COMMSEC%20-%20DFEX%20%E2%80%93%20DNS%20File%20EXfiltration%20-%20Emilio%20Couto.pdf\">HITB DNS exfiltration presentation<\/a>, the <a href=\"https:\/\/github.com\/defcon-russia\/metasploit-framework\">Defcon Russia DNS payload for Metasploit<\/a>, <a href=\"https:\/\/github.com\/Arno0x\/DNSExfiltrator\">DNSExfiltrator<\/a> and <a href=\"https:\/\/www.cobaltstrike.com\/help-dns-beacon\">Cobalt Strike&#8217;s DNS Beacon<\/a>. On the server side, <a href=\"https:\/\/research.checkpoint.com\/2020\/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers\/\"><em>SIGRed<\/em>&nbsp;(CVE-2020-1350)<\/a> showed that a crafted DNS response can even give an attacker remote code execution on the Windows DNS server itself, which is one more reason to watch what your resolver is talking to.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-internationalized-domain-name\">Internationalized Domain Name<\/h2>\n\n\n\n<p>You may have noticed that some websites can be reached with a Unicode domain name. However, if you feed that Unicode name to standard nslookup (or to dig built without IDN support) the record will not resolve, because the name never goes on the wire in Unicode form. When you type a domain such as &#8220;\u4e2d\u6587\u57df\u540d.net&#8221; or &#8220;B\u00fccher.example&#8221; into your browser, your machine converts it to something like xn--fiq06l2rdsvs.net or xn--bcher-kva.example. Every IDN label carries the prefix &#8220;<strong>xn--<\/strong>&#8221;, followed by the Unicode label encoded as ASCII with Punycode (the A-label form of RFC 3492). So if you search the log for the Unicode domain name you will find nothing; you have to convert the Unicode domain to its xn-- form first. 
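You can also do the conversion offline. The following Python example is added here for this post (it is not code from the original article) and uses only the standard library: it turns a Unicode name into the xn-- form you have to search the logs for, decodes xn-- labels found in a log back to Unicode, and flags labels that mix scripts, which is what a homograph lookalike such as "apple.com" with a Cyrillic first letter relies on. The four sample query names are constructed for the example.

```python
import unicodedata


def to_ace(domain: str) -> str:
    """Return the ASCII-compatible (xn--) form of a domain, as a resolver
    would put it on the wire. Pure-ASCII input is returned unchanged."""
    # str.encode('idna') applies nameprep (case folding, NFKC) per label and
    # Punycode-encodes every label that is not pure ASCII.
    return domain.rstrip(".").encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode any xn-- labels back to Unicode for display."""
    return to_ace(domain).encode("ascii").decode("idna")


def _scripts(label: str) -> set:
    """Rough script set of a label: the first word of each letter's Unicode
    name (LATIN, CYRILLIC, CJK, GREEK, ...). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def audit_domain(domain: str) -> dict:
    """Describe one domain as seen in a DNS log (Unicode or xn-- form)."""
    ace = to_ace(domain)
    uni = to_unicode(domain)
    idn_labels = [lab for lab in ace.split(".") if lab.lower().startswith("xn--")]
    mixed = any(len(_scripts(lab)) > 1 for lab in uni.split("."))
    return {"ace": ace, "unicode": uni, "is_idn": bool(idn_labels), "mixed_script": mixed}


def find_idn_in_log(domains):
    """Audit every IDN in an iterable of query names, the way you would sweep
    a DNS log for lookalike domains. Malformed IDN labels are reported, not skipped."""
    results = []
    for d in domains:
        try:
            info = audit_domain(d)
        except UnicodeError:  # bad Punycode or an over-long label
            info = {"ace": d, "unicode": d, "is_idn": True, "mixed_script": False, "error": True}
        if info["is_idn"]:
            results.append(info)
    return results


# Constructed sample query names, as they could appear in a DNS log.
SAMPLE_QUERIES = [
    "www.example.com",
    "xn--fiq06l2rdsvs.net",   # Chinese IDN already in wire form
    "B\u00fccher.example",     # the Unicode form an analyst might type in
    "xn--pple-43d.com",        # 'apple.com' whose first letter is Cyrillic U+0430
]

if __name__ == "__main__":
    for hit in find_idn_in_log(SAMPLE_QUERIES):
        print(hit)
```

Search the logs for the "ace" value and show the analyst the "unicode" value; a mixed-script hit next to a brand name is the classic homograph phish.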
There are online converters such as <a href=\"https:\/\/www.punycode.io\/\">https:\/\/www.punycode.io\/<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-windows-dns-debug-logging\">Windows DNS debug Logging<\/h2>\n\n\n\n<p>DNS debug logging has been available since Windows 2000 (on the <strong>Logging<\/strong> tab in Windows 2000). The log format of Windows 2000\/2003 differs from that of Windows 2008 and later; this post only covers Windows 2008+. Microsoft suggests enabling the DNS analytical log instead of the debug log because of the performance cost; we discuss that below. However, <strong>ONLY the DNS debug log writes the parsed DNS DATA section<\/strong>, that is, the <strong>DNS reply<\/strong> from the server in already-decoded text. Those answers add real value to an investigation, especially when an attacker uses DNS TXT records as a C2 covert channel.<\/p>\n\n\n\n<p>To enable Windows DNS debug logging, follow these steps.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On your Windows DNS server, open &#8220;dnsmgmt.msc&#8221;.<\/li>\n\n\n\n<li>Right-click the server, select <em><strong>Properties<\/strong><\/em>, then go to the &#8220;Debug Logging&#8221; tab.<\/li>\n\n\n\n<li>Tick <strong>&#8220;Details&#8221;<\/strong> to log the <strong>DNS DATA<\/strong> (the reply).<\/li>\n\n\n\n<li>The two option sets shown below both work (log responses only, or log incoming packets only), and neither logs the same packet twice. 
If you are in an IR investigation, note which of the two option sets was configured so you know what to expect in the log file.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"415\" height=\"483\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_Debug_Logging_No_Request.png\" alt=\"Windows DNS Debug Logging No Request\" class=\"wp-image-509\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_Debug_Logging_No_Request.png 415w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_Debug_Logging_No_Request-258x300.png 258w\" sizes=\"auto, (max-width: 415px) 100vw, 415px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"412\" height=\"480\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_Debug_Logging_No_Outgoing.png\" alt=\"Windows DNS Debug Logging No Outgoing\" class=\"wp-image-510\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_Debug_Logging_No_Outgoing.png 412w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_Debug_Logging_No_Outgoing-258x300.png 258w\" sizes=\"auto, (max-width: 412px) 100vw, 412px\" \/><\/figure>\n\n\n\n<p>Also note that whenever the DNS server service is restarted, the log file is cleared, so copy it off the server before any restart during an investigation.<\/p>\n\n\n\n<p>TrustedSec has an <a href=\"https:\/\/www.trustedsec.com\/blog\/tracing-dns-queries-on-your-windows-dns-server\/\">article<\/a> discussing the structure of the debug log file. In short, the log provides a lot of low-level information, including the most important part, the DNS reply.<\/p>\n\n\n\n<p>TrustedSec also wrote a PowerShell script to parse the log file. However, it did not work in our environment (Windows 2012 R2 and PowerShell 5). 
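Independently of either script, here is an added Python example (written for this post; it is neither TrustedSec's script nor the site's parser) that parses the one-line summary records of a Windows 2008+ debug log into dicts and CSV and runs two cheap tunnelling heuristics over them. The three log lines are constructed to follow the field layout the log's own header documents (date, time, thread ID, PACKET, internal packet ID, UDP/TCP, Snd/Rcv, remote IP, XID, R on responses, opcode, [flags hex, flag letters, rcode], question type, question name in (n)label form); the multi-line packet dumps that "Details" adds under each summary line are skipped, and the length thresholds are the example's own choice.

```python
import csv
import io
import re

# One summary line of a Windows 2008+ DNS debug log. The time field carries an
# AM/PM suffix on some locales and not on others, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<thread>[0-9A-Fa-f]{4})\s+PACKET\s+(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<response>R)?\s*(?P<opcode>[QNU?])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?P<flags>[A-Z]*)\s+(?P<rcode>\w+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_qname(raw):
    """Turn the log's '(3)www(7)example(3)com(0)' form into 'www.example.com'."""
    labels = [lab for _, lab in re.findall(r"\((\d+)\)([^()]*)", raw)]
    return ".".join(lab for lab in labels if lab) or "."


def parse_debug_log(text):
    """Return one dict per summary line. 'Details' dump lines never match and are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["response"] = rec["response"] == "R"   # None (query) -> False
        rec["qname"] = decode_qname(rec["qname"])
        records.append(rec)
    return records


def exfil_indicators(rec, max_label=30, max_name=100):
    """Cheap tunnelling/exfil heuristics for one query record.
    Thresholds are illustrative; tune them against your own baseline."""
    hits = []
    if rec["response"]:
        return hits
    if rec["qtype"] in ("TXT", "NULL"):           # favourite record types of DNS C2 tools
        hits.append("rare-qtype:" + rec["qtype"])
    if any(len(lab) > max_label for lab in rec["qname"].split(".")):
        hits.append("long-label")                  # encoded data chunk in a label
    if len(rec["qname"]) > max_name:
        hits.append("long-name")
    return hits


def to_csv(records):
    """Flatten records to CSV text, the format most SIEMs and spreadsheets take."""
    fields = ["date", "time", "direction", "proto", "remote_ip", "xid",
              "response", "rcode", "qtype", "qname"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


# Constructed sample: a query/response pair and a TXT query with a base64-looking label.
SAMPLE_LOG = """\
7/24/2020 3:07:19 PM 0B4C PACKET  000000B9B6F5B7E0 UDP Rcv 192.168.1.10    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
7/24/2020 3:07:19 PM 0B4C PACKET  000000B9B6F5B7E0 UDP Snd 192.168.1.10    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
7/24/2020 3:07:20 PM 0B4C PACKET  000000B9B6F5C120 UDP Rcv 192.168.1.23    0003   Q [0001   D   NOERROR] TXT    (34)aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA(7)dnscat2(3)c2x(7)example(3)net(0)
"""

if __name__ == "__main__":
    recs = parse_debug_log(SAMPLE_LOG)
    print(to_csv(recs))
    for rec in recs:
        flags = exfil_indicators(rec)
        if flags:
            print(rec["remote_ip"], rec["qname"], flags)
```

Point it at a real file with `parse_debug_log(open(path, encoding="utf-8", errors="replace").read())`; the header block Windows writes at the top of the log does not match the pattern and is ignored.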
We have also written our own PowerShell script (<a href=\"https:\/\/github.com\/cybersecthreat\/DFIR\/blob\/master\/windows_dns_debug_log_parser.ps1\">windows_dns_debug_log_parser.ps1<\/a>) that parses the DNS debug log into CSV.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/windows_dns_debug_log_parser_result.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"151\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/windows_dns_debug_log_parser_result-1024x151.png\" alt=\"Windows DNS Debug Log Parser Result\" class=\"wp-image-517\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/windows_dns_debug_log_parser_result-1024x151.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/windows_dns_debug_log_parser_result-300x44.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/windows_dns_debug_log_parser_result-768x113.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/windows_dns_debug_log_parser_result-600x89.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/windows_dns_debug_log_parser_result.png 1347w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Result of windows_dns_debug_log_parser.ps1<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-dns-analytical-log\">DNS analytical log<\/h2>\n\n\n\n<p>The DNS analytical log has been available since Windows Server 2012 R2; on 2012 R2 you need to install KB2956577 first. The performance hit of enabling it is low, according to Microsoft (<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dn800669(v=ws.11).aspx\">link<\/a>): 
<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>There is no apparent performance impact for query rates of 50,000 QPS and lower.<\/p>\n<cite>Microsoft<\/cite><\/blockquote>\n\n\n\n<p>To enable the DNS analytical log, follow these steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open &#8220;Windows Event Viewer&#8221;, click &#8220;View&#8221; -&gt; &#8220;Show Analytic and Debug Logs&#8221;.<\/li>\n\n\n\n<li>Navigate to &#8220;Applications and Services Logs&#8221; -&gt; Microsoft -&gt; Windows -&gt; DNS-Server -&gt; Analytical.<\/li>\n\n\n\n<li>Right-click the log and select &#8220;Enable Log&#8221;.<\/li>\n<\/ul>\n\n\n\n<p>As a side note, you <strong>CANNOT<\/strong> read the analytical log in Event Viewer while it is enabled; you have to disable it first, so there is no real-time view. Analytical logs are stored in event trace log (*.etl) format. If you are a Splunk user, you cannot monitor it directly as a regular Windows Event Log. For Splunk there is an app on <a href=\"https:\/\/splunkbase.splunk.com\/app\/4300\/\">Splunkbase<\/a>. It is basically a PowerShell script that copies the .etl file to a temporary directory (the one named by the $env:TEMP environment variable), parses the copy and then deletes it. The same idea works by hand: copy the .etl file and read the copy with Get-WinEvent -Path &lt;file&gt; -Oldest.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-dns-analytical-log-format\">DNS analytical log format<\/h3>\n\n\n\n<p>Now we are going to explore the log format. 
Firstly, we perform an nslookup.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"499\" height=\"343\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/nslookup.png\" alt=\"nslookup result\" class=\"wp-image-538\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/nslookup.png 499w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/nslookup-300x206.png 300w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/figure>\n\n\n\n<p>As you can see below, the analytical log event (here Event ID 256, QUERY_RECEIVED) provides some interesting fields such as Source, QNAME and PacketData; the last one is the hex dump of the query or response.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"625\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256.png\" alt=\"Windows DNS analytical log Event Viewer EventID 256\" class=\"wp-image-540\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256.png 1366w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256-300x137.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256-1024x469.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256-768x351.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256-600x275.png 600w\" sizes=\"auto, (max-width: 1366px) 100vw, 1366px\" \/><\/a><\/figure>\n\n\n\n<p>We have included a comparison between Event Viewer and a Wireshark capture. 
It turns out that PacketData is exactly the DNS payload that follows the UDP header. Event ID <strong>260<\/strong> (RECURSE_QUERY_OUT, the query the server sends upstream while resolving recursively) contains exactly the same DNS payload as the Wireshark DNS <strong>request<\/strong>. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_260_first_query.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1112\" height=\"523\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_260_first_query.png\" alt=\"Windows DNS analytical log Event Viewer EventID 260 first query\" class=\"wp-image-545\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_260_first_query.png 1112w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_260_first_query-300x141.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_260_first_query-1024x482.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_260_first_query-768x361.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_260_first_query-600x282.png 600w\" sizes=\"auto, (max-width: 1112px) 100vw, 1112px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_request1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1324\" height=\"358\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_request1.png\" alt=\"WireShark DNS request 1\" class=\"wp-image-546\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_request1.png 1324w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_request1-300x81.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_request1-1024x277.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_request1-768x208.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_request1-600x162.png 600w\" sizes=\"auto, (max-width: 1324px) 100vw, 1324px\" \/><\/a><\/figure>\n\n\n\n<p>We have included another comparison, this time between Event ID 261 and the Wireshark capture. Event ID <strong>261<\/strong> (RECURSE_RESPONSE_IN, the answer the upstream server returns) contains exactly the same DNS payload as the Wireshark DNS <strong>reply<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png\"><img loading=\"lazy\" decoding=\"async\" width=\"788\" height=\"517\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png\" alt=\"Windows DNS analytical log Event Viewer EventID 261 first reply\" class=\"wp-image-553\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png 788w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply-300x197.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply-768x504.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply-600x394.png 600w\" sizes=\"auto, (max-width: 788px) 100vw, 788px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_reply1.png\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1322\" height=\"547\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_reply1.png\" alt=\"WireShark DNS reply 1\" class=\"wp-image-554\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_reply1.png 1322w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_reply1-300x124.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_reply1-1024x424.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_reply1-768x318.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/WireShark_DNS_reply1-600x248.png 600w\" sizes=\"auto, (max-width: 1322px) 100vw, 1322px\" \/><\/a><\/figure>\n\n\n\n<p>Many industry experts, including <a href=\"https:\/\/blog.menasec.net\/2019\/02\/threat-hunting-24-microsoft-windows-dns.html\">MENASEC<\/a>, suggest that Event IDs 256 (QUERY_RECEIVED) and 257 (RESPONSE_SUCCESS) are enough for security analysis. But if we also want to analyse PacketData, do these two event IDs carry enough information? To answer this question we use the Python <a href=\"https:\/\/pypi.org\/project\/dnslib\/\">dnslib<\/a> library to decode the packet data. First, the request packet. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256_2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"795\" height=\"517\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256_2.png\" alt=\"Windows DNS analytical log Event Viewer EventID 256 2\" class=\"wp-image-557\" style=\"width:580px;height:377px\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256_2.png 795w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256_2-300x195.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256_2-768x499.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_256_2-600x390.png 600w\" sizes=\"auto, (max-width: 795px) 100vw, 795px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_request.png\"><img loading=\"lazy\" decoding=\"async\" width=\"978\" height=\"206\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_request.png\" alt=\"python dnslib request\" class=\"wp-image-558\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_request.png 978w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_request-300x63.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_request-768x162.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_request-600x126.png 600w\" sizes=\"auto, (max-width: 978px) 100vw, 978px\" \/><\/a><\/figure>\n\n\n\n<p>As you can see above, the DNS 
request from Event ID 256 was decoded successfully and it contains all the request information needed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_257_2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"794\" height=\"519\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_257_2.png\" alt=\"Windows DNS analytical log Event Viewer EventID 257 2\" class=\"wp-image-559\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_257_2.png 794w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_257_2-300x196.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_257_2-768x502.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_257_2-600x392.png 600w\" sizes=\"auto, (max-width: 794px) 100vw, 794px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_reply.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"224\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_reply-1024x224.png\" alt=\"python dnslib reply\" class=\"wp-image-560\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_reply-1024x224.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_reply-300x66.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_reply-768x168.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_reply-600x131.png 600w, 
https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/python_dnslib_reply.png 1352w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p>As shown above, the DNS reply from Event ID 257 was also decoded successfully and contains all the reply information needed. So yes: 256 and 257 are enough, provided you decode PacketData rather than relying on the pre-parsed fields alone.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-a-word-about-dns-header\">A word about DNS header<\/h3>\n\n\n\n<p>We are not going to discuss the DNS header in detail; a good primer is available <a href=\"https:\/\/www2.cs.duke.edu\/courses\/fall16\/compsci356\/DNS\/DNS-primer.pdf\">here<\/a>. One feature worth knowing is <strong>name compression<\/strong> (pointers\/offsets, RFC 1035 section 4.1.4), which exists to keep DNS packets small. In short, wherever a name or a suffix of it (such as example.com) already appears earlier in the message, the packet can replace it with a two-byte pointer: the top two bits are 11 and the remaining 14 bits are the offset of the earlier occurrence, counted from the start of the DNS header. The <a href=\"https:\/\/studfile.net\/preview\/2083070\/page:40\/\">sidestep<\/a> tool showed long ago that encoding a name with pointers evades signature-based IDS rules that only match the plain label form. Many years later, <a href=\"https:\/\/research.checkpoint.com\/2020\/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers\/\">SIGRed<\/a> abused the same mechanism: a compression pointer inside a SIG record makes the record&#8217;s computed size overflow a 16-bit value in the Windows DNS server, and the resulting heap buffer overflow is what gives the attacker code execution. Any parser you write for PacketData therefore has to bound pointer chasing (pointers must go backwards and must not loop) rather than trust the packet.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-dns-analytical-log-parser\">DNS analytical log parser<\/h3>\n\n\n\n<p>We have developed two versions of a DNS analytical log parser. The <a href=\"https:\/\/github.com\/cybersecthreat\/DFIR\/blob\/master\/windows_dns_analytical_log_parser.py\">Python version<\/a> is fast and can decode most of the PacketData field, but its output is sometimes too verbose. 
The <a href=\"https:\/\/github.com\/cybersecthreat\/DFIR\/blob\/master\/windows_dns_analytical_log_parser.ps1\">PowerShell version<\/a> is slower but decodes and formats TXT, CNAME and A records in a friendlier way. We use both during IR engagements, and the PowerShell output sometimes makes it easier to spot a suspicious TXT record.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-common-issue-of-dns-logging\">Common issue of DNS logging<\/h2>\n\n\n\n<p>We have worked with many organizations to help them establish continuous security monitoring, and DNS is always a key data source. Some organizations prefer to enable DNS logging on their Windows DNS servers because they believe every client can only query those servers. In many cases that is not the whole story. We have seen sysadmins simply configure Google DNS as the resolver for servers inside the DMZ, which takes that traffic out of the Windows DNS log entirely and greatly reduces monitoring visibility. Before relying on server-side logging, check the egress firewall for UDP\/TCP 53 traffic that does not originate from your own resolvers.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<h2 class=\"wp-block-heading\" id=\"h-other-options-of-dns-logging\">Other Options of DNS logging<\/h2>\n\n\n\n<figure class=\"wp-block-table alignwide is-style-stripes\"><table><thead><tr><th>Product<\/th><th>Implementation<\/th><th>Features<\/th><\/tr><\/thead><tbody><tr><td>Splunk<\/td><td>UF installed on the DNS server<\/td><td>Simple &amp; SIEM integration, pre-parsed fields, high license fee, may not capture all traffic<\/td><\/tr><tr><td>Splunk<\/td><td>UF agent listening on a network tap<\/td><td>Simple &amp; SIEM integration, pre-parsed fields, high license fee, captures ALL DNS traffic if tapping the Internet gateway<\/td><\/tr><tr><td>Packetbeat<\/td><td>Installed on the DNS server<\/td><td>Simple 
&amp; SIEM integration, pre-parsed fields, no license fee, may not capture all traffic<\/td><\/tr><tr><td>Packetbeat<\/td><td>Agent listening on a network tap<\/td><td>Simple &amp; SIEM integration, pre-parsed fields, no license fee, captures ALL DNS traffic if tapping the Internet gateway<\/td><\/tr><tr><td>Bro\/Zeek<\/td><td>Agent listening on a network tap<\/td><td>Supported by SIEMs, pre-parsed fields in text files, no license fee, captures ALL DNS traffic if tapping the Internet gateway<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n<p>The table above summarizes some more options for logging the DNS payload for analysis. <a href=\"https:\/\/zeek.org\/\">Zeek<\/a> (formerly Bro) has been the de facto standard for network security analysis for many years and has been adopted by commercial vendors such as FireEye and Corelight. In addition, <a href=\"https:\/\/securityonion.net\/\">Security Onion<\/a> integrates various open source monitoring tools, including Zeek and ELK. As you can see below, Zeek parses each DNS packet into metadata (query, answers, rcode, TTLs and so on) and writes it to the dns.log file. 
We have also adopted a hybrid approach that uses the log from the DNS server as the primary threat hunting source and the Zeek dns.log as the secondary one.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Bro_DNS_screen_capture.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"184\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Bro_DNS_screen_capture-1024x184.png\" alt=\"Bro\/Zeek DNS capture\" class=\"wp-image-593\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Bro_DNS_screen_capture-1024x184.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Bro_DNS_screen_capture-300x54.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Bro_DNS_screen_capture-768x138.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Bro_DNS_screen_capture-600x108.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Bro_DNS_screen_capture.png 1352w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-dns-over-https-doh\">DNS over HTTPS (DoH)<\/h2>\n\n\n\n<p>DoH is now a hot topic for security monitoring. Cloudflare has a good post explaining DoH <a href=\"https:\/\/blog.cloudflare.com\/dns-encryption-explained\/\">here<\/a>. While it protects users&#8217; privacy, it also greatly increases the challenge of security monitoring: the query travels inside an ordinary HTTPS session to the DoH resolver, so neither the Windows DNS server nor a tap on port 53 ever sees it. 
To deal with DoH in security monitoring, there are some options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/live.paloaltonetworks.com\/t5\/blogs\/protecting-organizations-in-a-world-of-doh-and-dot\/ba-p\/313171\">Block dns-over-https using Palo Alto<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Blocking+Firefox+DoH+with+Bind\/25316\/\">Blocking Firefox DoH with Bind<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/dns\/paper\/39560\">Dealing with DoH: Methods to Increase DNS Visibility as DoH Gains Traction<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Preface Windows DNS logging is NOT our recommended method to collect DNS request and reply transaction for continuous security monitoring. However, sometimes we do not have an option, especially when Windows DNS debug\/analytics log is the only available data source during IR investigation. In the first part of this post, we will discuss the 
Windows&#8230;<\/p>","protected":false},"author":2,"featured_media":553,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[42,43,28,23,39,45],"tags":[21,56,19,29,20,22,30,55],"class_list":["post-496","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blue-team","category-incident-response","category-powershell","category-splunk","category-sysmon","category-threat-hunting","tag-blue-team","tag-dns","tag-incident-response","tag-powershell","tag-splunk","tag-sysmon","tag-threat-hunting","tag-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Windows DNS logging - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"Windows DNS logging is NOT our recommended method to collect DNS request and reply transaction using for continuous security monitoring.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/24\/windows-dns-logging\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows DNS logging\" \/>\n<meta property=\"og:description\" content=\"Preface Windows DNS logging 
is NOT our recommended method to collect DNS request and reply transaction for continuous security monitoring. However,\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/24\/windows-dns-logging\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-24T15:07:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-01T05:51:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png\" \/>\n\t<meta property=\"og:image:width\" content=\"788\" \/>\n\t<meta property=\"og:image:height\" content=\"517\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/\"},\"author\":{\"name\":\"Kelvin Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"Windows DNS 
logging\",\"datePublished\":\"2020-07-24T15:07:19+00:00\",\"dateModified\":\"2024-04-01T05:51:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/\"},\"wordCount\":1538,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png\",\"keywords\":[\"Blue Team\",\"DNS\",\"Incident Response\",\"PowerShell\",\"Splunk\",\"Sysmon\",\"Threat Hunting\",\"Windows\"],\"articleSection\":[\"Blue Team\",\"Incident Response\",\"PowerShell\",\"Splunk\",\"Sysmon\",\"Threat Hunting\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/\",\"name\":\"Windows DNS logging - CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png\",\"datePublished\":\"2020-07-24T15:07:19+00:00\",\"dateModified\":\"2024-04-01T05:51:10+00:00\",\"description\":\"Windows DNS logging is NOT our recommended method to collect DNS request and reply 
transaction using for continuous security monitoring.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png\",\"width\":788,\"height\":517,\"caption\":\"Windows DNS analytical log Event Viewer EventID 261 first reply\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blue Team\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/blue-team\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Windows DNS logging\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity 
Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. 
With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\\\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.\",\"legalName\":\"CyberSecThreat Corporation Limited.\",\"foundingDate\":\"2021-01-23\",\"address\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"25.0600452\",\"longitude\":\"121.4594381\"},\"telephone\":[\"(+886) 02 - 77527628\"],\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\",\"Sunday\"],\"opens\":\"09:00\",\"closes\":\"18:00\"}],\"email\":\"info@cybersecthreat.com\",\"areaServed\":\"Taiwan\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\",\"name\":\"Kelvin 
Yip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"caption\":\"Kelvin Yip\"},\"sameAs\":[\"https:\\\/\\\/cybersecthreat.com\"],\"knowsAbout\":[\"CyberSecurity\"],\"knowsLanguage\":[\"English\",\"Chinese\"],\"jobTitle\":\"Founder, CEO\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/zh\\\/author\\\/kelvinyip-m\\\/\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#local-main-place-address\",\"streetAddress\":\"9 F.-A6, No. 601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)\",\"addressLocality\":\"New Taipei City\",\"postalCode\":\"242032\",\"addressRegion\":\"Taiwan\",\"addressCountry\":\"TW\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/24\\\/windows-dns-logging\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"width\":164,\"height\":164,\"caption\":\"CyberSecThreat Corporation Limited.\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"New Taipei City\" \/>\n<meta name=\"geo.position\" content=\"25.0600452;121.4594381\" \/>\n<meta name=\"geo.region\" content=\"Taiwan\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","taxonomy_info":{"category":[{"value":42,"label":"Blue Team"},{"value":43,"label":"Incident Response"},{"value":28,"label":"PowerShell"},{"value":23,"label":"Splunk"},{"value":39,"label":"Sysmon"},{"value":45,"label":"Threat Hunting"}],"post_tag":[{"value":21,"label":"Blue Team"},{"value":56,"label":"DNS"},{"value":19,"label":"Incident Response"},{"value":29,"label":"PowerShell"},{"value":20,"label":"Splunk"},{"value":22,"label":"Sysmon"},{"value":30,"label":"Threat Hunting"},{"value":55,"label":"Windows"}]},"featured_image_src_large":["https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/Windows_DNS_analytical_log_Event_Viewer_EventID_261_first_reply.png",788,517,false],"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":0}