
Microsoft Windows DNS

Windows Server – DNS

Windows Domain Name System (DNS) maps computer names to IP addresses, and provides name resolution services to computers and users.

The DNS Client service is included in all client and server versions of the Windows operating system, and is running by default upon operating system installation.

Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response for DNS (Domain Name System). Blumira supports the following Microsoft Windows server operating systems:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012
  • Windows Server 2008R2
  • Windows Server 2008
  • Windows Server 2003R2
  • Windows Server 2003

Blumira provides broad coverage for Windows Servers, including collecting logs using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.

Setting up NXLog for Windows

You will need to first install and configure NXLog on the Windows host using these instructions: https://www.blumira.com/integration/windows-server/

How to Obtain DNS Logs

There are several steps involved in obtaining all DNS logs:

  1. Follow the recommended GPO settings here: Suggested Windows GPO settings
  2. Open ADSI Edit → Connect to Default naming context → Expand DomainDNS object with the name of your domain → System → Right click MicrosoftDNS → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and all descendant objects” → Permissions → Select the additional check boxes: Write all properties, Delete, Delete subtree → Click “OK”.
  3. Open DNS Manager → Expand your servername → Forward Lookup Zone → Right click the zone you want to audit → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and all descendant objects” → Permissions → Select the additional check boxes: Write all properties, Delete, Delete Subtree → Click “OK”.
  4. Use the following four commands to enable debug logging. Blumira recommends logging full packets (bottom table entry).

For the log level, add together the event codes you want logged and specify the result in hex.

> dnscmd <ServerName> /Config /LogLevel <EventFlagSumInHex>
Hexadecimal value   Decimal value   Description
0x0                 0               No logging (this is the default)
0x1                 1               Query transactions
0x10                16              Notification transactions
0x20                32              Update transactions
0xFE                254             Non-query transactions
0x100               256             Question packets
0x200               512             Answer packets
0x1000              4096            Send packets
0x2000              8192            Receive packets
0x4000              16384           UDP packets
0x8000              32768           TCP packets
0xFFFF              65535           All packets
0x10000             65536           AD write transactions
0x20000             131072          AD update transactions
0x1000000           16777216        Full packets
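As an added example (not part of Blumira's documentation or of dnscmd itself), the PowerShell below composes the /LogLevel value from the table entries above and decodes an existing value back into flag names so you can confirm that full-packet logging is actually enabled. The function names and the sample value 0x20201 are constructed for illustration.

```powershell
# Added example: the /LogLevel table entries are bit masks, so they are combined
# with a bitwise OR (same result as addition for non-overlapping entries, but
# overlapping ones such as 0xFE and 0x10 are not double-counted).
$DnsLogLevelFlags = [ordered]@{
    'Query transactions'        = 0x1
    'Notification transactions' = 0x10
    'Update transactions'       = 0x20
    'Non-query transactions'    = 0xFE
    'Question packets'          = 0x100
    'Answer packets'            = 0x200
    'Send packets'              = 0x1000
    'Receive packets'           = 0x2000
    'UDP packets'               = 0x4000
    'TCP packets'               = 0x8000
    'All packets'               = 0xFFFF
    'AD write transactions'     = 0x10000
    'AD update transactions'    = 0x20000
    'Full packets'              = 0x1000000
}

function Get-DnsLogLevelHex {
    # Hypothetical helper: turn a list of table entry names into the hex value dnscmd expects.
    param([Parameter(Mandatory)][string[]]$Flag)
    $level = 0
    foreach ($name in $Flag) {
        if (-not $DnsLogLevelFlags.Contains($name)) { throw "Unknown flag: $name" }
        $level = $level -bor $DnsLogLevelFlags[$name]
    }
    '0x{0:X}' -f $level
}

function Get-DnsLogLevelFlags {
    # Hypothetical helper: list every table entry whose bits are all present in $Level.
    param([Parameter(Mandatory)][int]$Level)
    $DnsLogLevelFlags.GetEnumerator() |
        Where-Object { $_.Value -ne 0 -and ($Level -band $_.Value) -eq $_.Value } |
        ForEach-Object { $_.Key }
}

# Blumira's recommendation: all packets (0xFFFF) plus full packet contents (0x1000000)
$hex = Get-DnsLogLevelHex -Flag 'All packets', 'Full packets'
"dnscmd <ServerName> /Config /LogLevel $hex"

# Audit a setting already on a server (constructed sample value, not read from a host)
$current = 0x20201
$enabled = Get-DnsLogLevelFlags -Level $current
if ($enabled -notcontains 'Full packets') { 'LogLevel 0x{0:X} does not capture full packets' -f $current }
```

For the sample value 0x20201 the decoder reports Query transactions, Answer packets and AD update transactions, so the check flags that full packets are not being logged.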