Is it possible to extract the DNS responses from Microsoft DNS Server Analytical logs (Microsoft-Windows-DNS-Server/Analytical)? The logs contain a field called "PacketData" in the EventData section of the event, but so far I have been unable to extract anything useful from the PacketData field.
Viewed 739 times
0
- Why do you want to track *responses*? You could just send a request to see the same answer. As of today, there is no way to extract given responses (aka "how many times google.com has been requested and by whom"). – bjoster Apr 10 '19 at 13:43
- @bjoster: Basically for passive DNS purposes. – treiman Apr 11 '19 at 11:17
1 Answer
1
There are two places to find Windows DNS server logs. First, as you mentioned, is via the DNS debug log file. There is also data available via Windows ETW providers (Microsoft-Windows-DNS-Server-Service, Microsoft-Windows-DNSServer). I've used something like Microsoft Message Analyzer to do an event trace session, and also the log collector NXLog (note: I am involved in that project) to collect event trace data from the ETW provider and write it out to JSON.
I know for sure that the PacketData field is found when you do an ETW trace of the Microsoft-Windows-DNSServer ETW provider. See below for an excerpt using the NXLog im_etw module with the JSON output.
{
  "EventTime": "2017-03-10 09:51:03",
  "Provider": "Microsoft-Windows-DNSServer",
  "TCP": "0",
  "InterfaceIP": "10.2.0.162",
  "Source": "10.2.0.198",
  "RD": "1",
  "QNAME": "nickelfreesolutions.com.",
  "QTYPE": "1",
  "XID": "11675",
  "Port": "22416",
  "Flags": "256",
  "BufferSize": "41",
  "PacketData": "0x2D9B01000001000000000000136E69636B656C66726565736F6C7574696F6E7303636F6D0000010001",
  "EventReceivedTime": "2017-03-10 09:51:04",
  "SourceModuleName": "etw_in",
  "SourceModuleType": "im_etw"
}
- We are using exactly the same setup in this case (NXLog + JSON), and I know that the PacketData field is there. My question rather is how exactly I should decode the data and whether it should contain the response or not. – treiman Apr 18 '19 at 10:48
- @treiman I would also suggest adding the topic on the community forum https://nxlog.co/community-forum - good luck! – NASAhorse Apr 19 '19 at 11:04