sysmon-config
DNS Logging from Domain Controller/DNS Server
We're running into issues with deploying the new 10.2 version of Sysmon and the Alpha xml config. Right now, it is generating EventCode 22s for local DNS queries made on the actual Domain Controller. This was tested using ping to make a number of different calls. However, we noticed that we weren't receiving any external DNS queries from domain users. This particular DC is also configured as a DNS server so I was curious if anyone else has figured out how to log the routed DNS queries being made from end-users in their environment.
tl;dr We would like to capture all DNS queries being routed through the DC/DNS server, not just local queries. Has anyone figured out how to do this?
That is not what the new Sysmon DNS logging feature was designed to do. Would be nice, but you're only going to get Windows DNS server query information from either packet sniffing, DNS debug logging, or the DNS ETL log. None of which are very easy to work with.
I'm collecting the DNS queries @ the client level ... where the action is actually happening. This way you can also get the client queries that happen when they have been off the network and if you have a hybrid WAN environment that may have DNS requests going in multiple directions (not ideal, but possible).
I was only responding to OP trying to use Sysmon to collect client DNS traffic from an AD DNS server. But since we're on the topic of other ways to collect DNS logs...
As @robertstrom mentioned, collecting the client-side DNS events is a good alternative to using the DC/DNS server as the log source, especially if you have clients that may point to DNS servers outside of your control. Just keep in mind that with this method you will not be collecting DNS traffic from non-Windows devices on your network. No solution is 100% but this is a pretty good place to start.
To do this, you must enable the DNS Client event log with this command:
WevtUtil.exe set-log Microsoft-Windows-DNS-Client/Operational /e:true /ms:102432768
The below events are logged for each DNS request and response:
Log Name: Microsoft-Windows-DNS-Client/Operational
Source: Microsoft-Windows-DNS-Client
Event ID: 3010
Level: Information
Description: DNS Query sent to DNS Server 192.168.1.1 for name www.xyz.com and type 1

Log Name: Microsoft-Windows-DNS-Client/Operational
Source: Microsoft-Windows-DNS-Client
Event ID: 3020
Level: Information
Description: Query response for name www.xyz.com, type 1, interface index 0 and network index 0 returned 0 with results type: 5 xyz.com;50.63.202.17;type: 2 ns08.domaincontrol.com;type: 2 ns07.domaincontrol.com;216.69.185.4;2607:f208:206::4;208.109.255.4;2607:f208:302::4;
The following query filter can be added to the WEC subscription to collect these events:
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNS-Client/Operational">
    <!-- DNS Client query events -->
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3010 or EventID=3020)]]</Select>
    <!-- suppresses local machine name resolution events -->
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
    <!-- suppresses empty name resolution events -->
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress>
  </Query>
</QueryList>
My only gripe with this is I couldn't figure out a way to suppress events based on a partial domain name. It seems that the XPath implementation used does not support the contains function.
@jokezone - I am just using the Sysmon DNS query logging (and you can suppress whatever you want to suppress with this method). I did not enable the Client DNS log as you described above. While Win7 is on the way out, the Client DNS log on it does not capture the actual queries (Win10 does). Doing it this way you only have to enable the collection of the Sysmon logs for the collection using WEC.
Dns query:
RuleName:
UtcTime: 2019-09-10 23:29:01.550
ProcessGuid: {b82b0088-1097-5d78-0000-0010e0cb4800}
ProcessId: 8992
QueryName: collector.githubapp.com
QueryStatus: 0
QueryResults: type: 5 analytics-collector-28944298.us-east-1.elb.amazonaws.com;3.224.219.57;52.55.167.2;34.194.228.114;
Image: C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe
At this time I am not enabling DNS query logging on the DC's. As mentioned, VERY noisy!
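Two points from the thread above are worth a worked example: the WEC XPath filter in @jokezone's post cannot suppress on a partial domain name (no contains()), and the DNS-Client 3020 event and the Sysmon event 22 sample in @robertstrom's post carry their answers in the same "type: N name;addr;..." format. The following Python is an added example, not code from the sysmon-config project or from anyone in the thread: it parses both event texts after collection, splits QueryResults into typed records, and drops events whose query name falls under an internal suffix list. The regexes assume each event's message text has been flattened to one line (as most forwarders render it); the suffix list and the third sample line are constructed for this example.

```python
"""Post-collection parsing and suffix filtering of Windows DNS client events.

Added example; not code from the sysmon-config project or the thread above.
Handles the rendered text of Microsoft-Windows-DNS-Client/Operational event
3020 and Sysmon event 22, and does the partial-domain suppression the WEC
XPath filter cannot express.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# DNS RR type numbers as they appear in the QueryResults field.
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}


@dataclass
class DnsRecord:
    rtype: str
    value: str


@dataclass
class DnsEvent:
    source: str                 # "dns-client-3020" or "sysmon-22"
    query_name: str
    status: int                 # 0 = NOERROR in both event formats
    records: list[DnsRecord] = field(default_factory=list)
    image: str | None = None    # only Sysmon attributes the query to a process


# Sysmon event 22 message text, flattened to one line.
SYSMON_RE = re.compile(
    r"QueryName:\s*(\S+)\s+QueryStatus:\s*(\d+)\s+QueryResults:\s*(.*?)\s+Image:\s*(.*)"
)
# Microsoft-Windows-DNS-Client/Operational event 3020 description text.
CLIENT_RE = re.compile(
    r"Query response for name (\S+), type (\d+),.*? returned (\d+) with results (.*)"
)


def parse_query_results(results: str) -> list[DnsRecord]:
    """Split 'type: 5 a.example;1.2.3.4;type: 2 ns1;...' into typed records.

    Only names carry an explicit 'type: N' tag; the addresses that follow a
    name are listed bare, so A versus AAAA is inferred from the address shape.
    """
    records: list[DnsRecord] = []
    for tok in results.split(";"):
        tok = tok.strip()
        if not tok:
            continue
        m = re.match(r"type:\s*(\d+)\s+(.*)", tok)
        if m:
            rtype = RECORD_TYPES.get(int(m.group(1)), "TYPE" + m.group(1))
            records.append(DnsRecord(rtype, m.group(2)))
        else:
            records.append(DnsRecord("AAAA" if ":" in tok else "A", tok))
    return records


def parse_event(line: str) -> DnsEvent | None:
    """Recognise either event format; return None for unrelated lines."""
    m = SYSMON_RE.search(line)
    if m:
        return DnsEvent("sysmon-22", m.group(1), int(m.group(2)),
                        parse_query_results(m.group(3)), m.group(4).strip())
    m = CLIENT_RE.search(line)
    if m:
        return DnsEvent("dns-client-3020", m.group(1), int(m.group(3)),
                        parse_query_results(m.group(4)))
    return None


def is_suppressed(query_name: str, suffixes: list[str]) -> bool:
    """Match on whole DNS labels: 'corp.example' drops 'x.corp.example'
    but not 'corp.example.net', which a plain contains() would also drop."""
    name = query_name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def filter_events(lines: list[str], suffixes: list[str]) -> list[DnsEvent]:
    """Parse every line and keep the events not covered by the suffix list."""
    kept = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and not is_suppressed(ev.query_name, suffixes):
            kept.append(ev)
    return kept


# Constructed sample: the first two lines are the event texts quoted in the
# thread, the third is a made-up internal lookup the XPath filter cannot drop.
SAMPLE_LINES = [
    "Query response for name www.xyz.com, type 1, interface index 0 and network "
    "index 0 returned 0 with results type: 5 xyz.com;50.63.202.17;type: 2 "
    "ns08.domaincontrol.com;type: 2 ns07.domaincontrol.com;216.69.185.4;"
    "2607:f208:206::4;208.109.255.4;2607:f208:302::4;",
    r"Dns query: RuleName: UtcTime: 2019-09-10 23:29:01.550 "
    r"ProcessGuid: {b82b0088-1097-5d78-0000-0010e0cb4800} ProcessId: 8992 "
    r"QueryName: collector.githubapp.com QueryStatus: 0 QueryResults: type: 5 "
    r"analytics-collector-28944298.us-east-1.elb.amazonaws.com;3.224.219.57;"
    r"52.55.167.2;34.194.228.114; Image: C:\Program Files (x86)\Zscaler\ZSATunnel\ZSATunnel.exe",
    "Query response for name fileserver01.corp.example, type 1, interface index 0 "
    "and network index 0 returned 0 with results 10.0.0.5;",
]
INTERNAL_SUFFIXES = ["corp.example"]  # constructed suppression list

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_LINES, INTERNAL_SUFFIXES):
        answers = ", ".join(f"{r.rtype} {r.value}" for r in ev.records)
        print(f"[{ev.source}] {ev.query_name} status={ev.status} image={ev.image}")
        print(f"    {answers}")
```

The suffix check deliberately matches on label boundaries rather than substrings, so an allowlist entry for an internal zone cannot accidentally silence lookups of an external name that merely starts with the same text. Feeding it the rendered message text keeps the filter independent of whether the event came from the DNS-Client log or from Sysmon.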