
Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have been unable to extract anything useful from the PacketData field.

treiman
  • Why do you want to track *responses*? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many time google.com has been requested and by whom"). – bjoster Apr 10 '19 at 13:43
  • @bjoster: Basically for passive DNS purposes. – treiman Apr 11 '19 at 11:17

1 Answer


There are two places to find Windows DNS server logs - first, as you mentioned, via the DNS debug log file. There is also data available via Windows ETW Providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, and also the log collector NXLog (note: I am involved in that project) to collect event trace data from the ETW Provider and write it out to JSON.

I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW Provider. See below for an excerpt using NXLog im_etw module with the JSON output.

{
    "EventTime": "2017-03-10 09:51:03",
    "Provider": "Microsoft-Windows-DNSServer",
    "TCP": "0",
    "InterfaceIP": "10.2.0.162",
    "Source": "10.2.0.198",
    "RD": "1",
    "QNAME": "nickelfreesolutions.com.",
    "QTYPE": "1",
    "XID": "11675",
    "Port": "22416",
    "Flags": "256",
    "BufferSize": "41",
    "PacketData": "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
    "EventReceivedTime": "2017-03-10 09:51:04",
    "SourceModuleName": "etw_in",
    "SourceModuleType": "im_etw"
}
evandrix
NASAhorse
  • We are using exactly the same setup in this case (NXLog + JSON), and I know that the PacketData field is there. My question rather is how exactly I should decode the data and whether it should contain the response or not. – treiman Apr 18 '19 at 10:48
  • @treiman I would also suggest adding the topic on the community forum https://nxlog.co/community-forum - good luck! – NASAhorse Apr 19 '19 at 11:04
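The PacketData value is the raw DNS message in wire format (RFC 1035), hex-encoded with a 0x prefix, so it can be decoded with an ordinary DNS parser; the QR bit in the flags field tells you whether a given event carries the query or the response. The following is an added example, not code from the post or from NXLog: QUERY_HEX is the packet from the JSON above (XID 11675, Flags 256, 41 bytes, all matching the other fields of that event), while RESPONSE_HEX is a constructed response to the same query, included only to show answer records and name compression being decoded.

```python
import struct

# PacketData exactly as it appears in the NXLog JSON above (QR bit 0: a query).
QUERY_HEX = ("0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E73"
             "03636F6D0000010001")
# Constructed response to that query (not from the page): QR=1, RA=1, one A record
# 192.0.2.1 with TTL 300; its owner name is a compression pointer (0xC00C) to offset 12.
RESPONSE_HEX = ("0x2D9B81800001000100000000136E69636B656C66726565736F6C7574696F6E73"
                "03636F6D0000010001C00C000100010000012C0004C0000201")

def read_name(buf, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer, RFC 1035 section 4.1.4
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:                    # refuse pointer loops in malformed packets
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def decode_packet(hex_data):
    """Parse header, question(s) and answer RRs from a PacketData hex string."""
    buf = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    xid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack_from("!6H", buf, 0)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):                 # authority/additional sections are skipped
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"xid": xid, "flags": flags, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}
```

For passive DNS collection, keep only events whose is_response flag is set and store the (question, answer, ttl) tuples; records of types other than A are returned as raw hex and need their own RDATA decoding.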