Dns Query Logging Fundamentals and Troubleshooting

Author

Reads 503

Various tangled wires connected to system near black metal cases in server room
Credit: pexels.com, Various tangled wires connected to system near black metal cases in server room

Dns query logging is a powerful tool for monitoring and troubleshooting DNS issues. It helps you understand how your DNS is being used and identify potential problems.

A DNS query log can contain a vast amount of data, including the type of query, the IP address of the client making the query, and the response from the DNS server.

To make sense of this data, you need to understand the fundamentals of DNS query logging. This includes knowing what types of queries are being made, such as recursive or iterative queries, and what the common DNS response codes are, like NXDOMAIN or SERVFAIL.

A well-configured DNS query log can help you troubleshoot issues quickly, such as identifying why a website is not resolving or why a DNS server is not responding.

Enabling and Disabling Logging

Enabling and disabling logging for DNS query logging can be done in various ways.

To enable logging for a private managed zone, run the dns policies create command. This will enable query logging for every DNS query to the zone.

For more insights, see: Azure Dns Zones

Credit: youtube.com, Using the Query Log

For public managed zones, you can enable logging by running the dns managed-zones update command and replacing ZONE_NAME with the name of the zone. To turn off logging, simply run the same command again with the same zone name.

Alternatively, you can use NXLog Platform to implement checksum-based and real-time file integrity monitoring for your DNS configuration files.

Here's a summary of the commands for enabling and disabling logging:

Enable and Disable Logging

To enable logging for a private managed zone, you can use DNS policies. If your network doesn't have a DNS policy, you can create one using the `dns policies create` command.

To enable logging for a managed public zone, you need to run the `dns managed-zones update` command. Replace `ZONE_NAME` with the name of the zone you want to enable logging for.

To disable logging for a managed public zone, you'll also use the `dns managed-zones update` command, replacing `ZONE_NAME` with the name of the zone you want to disable logging for.

For another approach, see: Googler Dns

Computer server in data center room
Credit: pexels.com, Computer server in data center room

There are different types of logging available for Windows DNS Server events. DNS analytical logging uses the Event Tracing for Windows (ETW) system to provide high-performance logging of all DNS transactions.

DNS auditing is also available, and it's enabled by default in Windows Server 2016 or 2012 R2 with hotfix 2956577. Audit logs are written to the Microsoft-Windows-DNS-Server/Audit log in the Windows Event Log.

Here's a summary of the logging types available for Windows DNS Server:

Bind 9 Logging

Bind 9 Logging is a crucial aspect of DNS server management. To enable query logging in Bind, you need to add a specific snippet to the /etc/bind/named.conf.options file.

This snippet defines different logging channels, which can be a log file or a syslog facility. Each channel logs messages to a specified location. You can map different categories of events to one or more channels for fine-grained logging control.

For example, you can send the default and queries events to your default log file. The complete list of categories can be found in the Bind documentation.

Credit: youtube.com, understanding bind9 query log

To implement Bind 9 logging effectively, you should also consider file integrity monitoring. This can be done using tools like NXLog Platform, which offers checksum-based and real-time file integrity monitoring.

Here's a list of some common Bind 9 logging categories and their descriptions:

  • update-security: Security-related events
  • queries: Query-related events
  • analytical: Analytical events

Remember to restart Bind after making any changes to the logging configuration. The log file, /var/log/bind/default.log, will start to fill with lines that provide valuable information about DNS queries and events.

Troubleshooting and Monitoring

You can monitor the rate of DNS queries and responses with Cloud DNS, which exports metrics to Cloud Monitoring. This allows you to track the number of queries and responses that point to private zones, forwarding zones, policy forwarding, internal Google Cloud zones, and the internet.

Private DNS exports a metric called dns.googleapis.com/query/response_count delta that contains the response_code label. The response_code label has possible values of NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, and UNKNOWN.

Cloud Monitoring offers a detailed view of your DNS query logs, including the ability to filter and analyze specific types of queries and responses. With NXLog Platform, you can also collect and process DNS logs from Windows DNS Server debug logging files and Windows Event Logs.

Additional reading: Azure Devops Queries

Troubleshoot Outbound Forwarding

Credit: youtube.com, How to Troubleshoot External Network Issues

If you receive logs containing SERVFAIL, it's essential to check for missing fields such as destinationIP, egressIP, and egressError.

These fields provide crucial information about the outgoing traffic, and their absence can make it difficult to identify the root cause of the issue.

For logs missing these fields, refer to the Troubleshooting documentation for further assistance.

Monitor Metrics

Monitoring your DNS metrics is crucial for troubleshooting and identifying potential issues. Cloud DNS exports monitoring metrics to Cloud Monitoring, allowing you to track the rate of DNS queries and responses.

You can monitor the rate of DNS queries and responses that point to private zones, forwarding zones, policy forwarding, internal Google Cloud zones, and the internet. Monitoring is available on the Google Cloud console Monitoring page and in the Cloud Monitoring API.

Private DNS exports the dns.googleapis.com/query/response_count delta metric that contains the response_code label. This label is of type string with possible values of NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, and UNKNOWN.

Here's a breakdown of the possible response codes:

DNS threat detection metrics are also available when you have a DNS threat detector monitoring your VPC network.

Windows Server Logging

Credit: youtube.com, How To Use The Windows Event Viewer For Cyber Security Audit

Windows Server Logging can be a bit complex, but don't worry, I've got you covered. There are four types of logging available for Windows DNS Server events.

DNS analytical logging uses the Event Tracing for Windows (ETW) system to provide high-performance logging of all DNS transactions. This is the preferred method for collecting DNS Server transaction logs, available beginning with Windows Server 2016 or as a hotfix for Server 2012 R2.

DNS Server performance should not be affected except during very high query rates. For more information, see DNS Logging and Diagnostics on Microsoft Docs.

DNS auditing was also introduced alongside the analytical DNS logging changes—with Windows Server 2016 or 2012 R2 with hotfix 2956577—and is enabled by default. These audit logs are written to the Microsoft-Windows-DNS-Server/Audit log in the Windows Event Log.

On systems without native DNS auditing (prior to 2012 R2, or 2012 R2 without hotfix 2956577), DNS changes can be audited by enabling AD Directory Services auditing. These events are written to the Microsoft-Windows-Security-Auditing log in the Windows Event Log.

The NXLog Platform incorporates many different techniques for parsing event messages, and is designed around the concept of structured logging. This allows for easy filtering, classification, and correlation of events for monitoring.

A different take: Fortigate Dns Server

Propagation and Verification

Credit: youtube.com, DNS: How to configure log query DNS on Bind

You can use the watch and dig commands to verify that your DNS name server has picked up your changes. The watch command runs the dig command every 2 seconds by default.

To look up your zone's name servers, run the dns managed-zones describe command and replace ZONE_NAME with the name of your Cloud DNS zone. This will give you the name servers for your managed zone.

The dig command can be used to check if the records are available yet on your authoritative name server. Run the dig command with the name server's address, replacing ZONE_NAME_SERVER with one of the name servers from the managed zone.

You can use the dig command to determine when your authoritative name server picks up your change, which should happen within 120 seconds. After your authoritative name server has the change, DNS resolvers can start to pick up the new record.

Resolvers that already have the previous record cached wait for the previous TTL value of the record to expire.

For your interest: Nord Vpn Dns Server

Prerequisites and Configuration

Credit: youtube.com, "Understanding DNS Packets: Exploring DNS Query and Response Messages"

To get started with DNS query logging, you'll need a few things in place. First, you should have a bind server installed and configured on your network.

All devices on your network should be using this DNS server, so make sure that's set up correctly.

You'll also need a Ubuntu 20.04 server, as that's what the author used for this blog post.

To enable query logging in bind, you'll need to add a specific snippet to the end of the /etc/bind/named.conf.options file.

This snippet will define different logging channels, which can be log files or syslog facilities.

The author used the following snippet to send default and queries events to the default log file.

Prerequisites

Before we dive into the configuration process, let's make sure we have the necessary setup in place. For this article, we assume that you already have a bind server installed and configured on your network.

All devices on your network should be configured to use this DNS server, so make sure that's taken care of.

You'll also need a Ubuntu 20.04 server, which is the operating system I used for this example.

Bind Configuration

Credit: youtube.com, How to Install DNS (BIND) on CentOS -- Prerequisite

To enable query logging in bind, you'll need to add a specific snippet to the /etc/bind/named.conf.options file. This snippet defines different logging channels, which can be either a log file or a syslog facility.

You can map different categories of events to one or more channels, allowing for fine-grained logging. For example, you can send the default and queries events to your default log file.

The complete list of categories can be found in the BIND 9 documentation, which is linked to in the example. To activate query logging, you'll need to restart the bind service.

The resulting log file, /var/log/bind/default.log, will contain lines with detailed information about each query, including the client's IP address, source port, and the query itself. Here are some examples of additional information that may be included:

  • + : Recursion Desired flag was set
  • S : the query was signed
  • E : EDNS was in use, with EDNS version number
  • T : TCP was used
  • D : DO (DNSSEC Ok) was set
  • C : CD (Checking Disabled) was set
  • V : a valid DNS Server COOKIE was received
  • K : a DNS COOKIE option without a valid Server COOKIE

Columns

The Columns section is a crucial part of understanding the structure of your data. This section breaks down the various columns that make up your data, each with its own unique description.

Explore further: Data Lake Query

Credit: youtube.com, Configure Info Column Fields Demo

You'll notice that the columns are categorized into different types, such as dynamic, real, string, and datetime. This is important to keep in mind when working with your data.

The columns include AdditionalRecords, Answer, Authority, and _BilledSize, which are all dynamic types. These columns contain arrays of additional resource records, answers for DNS queries, authority DNS servers for DNS queries, and the record size in bytes, respectively.

Here's a breakdown of the columns:

Each column provides a unique piece of information that can help you understand your data better.

Analysis and Reporting

With dns query logging in place, you can start analyzing what happens on your network. This allows you to identify trends and patterns in your dns traffic.

You can list the most often queried domain names, which will give you a sense of which domains are being accessed most frequently. For example, you might see a list of top queries, grouped by level-3 domain, which can help you identify patterns and anomalies.

On a similar theme: Dns Domain Namespace

Credit: youtube.com, Using the Query Log

Analyzing the data, you might notice that some domains have a long list of sub-sub-sub domains, like 2.tlu.dl.delivery.mp.microsoft.com. Grouping them by level-3 domain, such as mp.microsoft.com, can help you summarize the data and identify key trends.

You can also group the data by level-2 domains to summarize even more, which can be useful for getting a high-level view of your dns traffic. This can help you identify which domains are being accessed most frequently, and which ones are causing issues.

Finally, you can list the devices that sent the most queries, which can help you identify which devices are causing the most traffic on your network. This can be useful for troubleshooting and optimizing your network performance.

Monitoring metrics is also an important part of dns query logging. Cloud DNS exports monitoring metrics to Cloud Monitoring, where you can track the rate of dns queries and responses that point to private zones, forwarding zones, policy forwarding, internal Google Cloud zones, and the internet.

Logging and Security Practices

Credit: youtube.com, how to CORRECTLY read logs as a Cybersecurity SOC Analyst

Enabling logging for Cloud DNS private managed zones can be done using DNS policies, which allows you to track every DNS query to the zone.

You can enable logging for a network without a DNS policy by running the `dns policies create` command.

Enterprise environments often employ various DNS server technologies, each with unique logging and security capabilities.

The differences in how these platforms handle DNS logging and security are crucial for ensuring comprehensive DNS threat detection and incident response.

BIND 9 DNS logging uses channels and categories, with each channel logging messages to a specified Syslog facility or file.

File integrity monitoring can be implemented for BIND 9 configuration files, such as those in the `/etc/bind/` directory.

Windows DNS Server logging offers four types of logging: DNS analytical logging, DNS auditing, debug logging, and AD Directory Services auditing.

DNS analytical logging uses the Event Tracing for Windows (ETW) system to provide high-performance logging of all DNS transactions.

Expand your knowledge: Azure Security Logs

Credit: youtube.com, Splunk Basics: DNS Log Analysis

The NXLog Platform enhances DNS monitoring and security by providing features such as log collection technology, log parsing, and efficient log storage.

NXLog Platform's log collection technology includes a feature that can collect logs by implementing an ETW consumer, allowing for direct collection of DNS analytical logs from ETW.

With NXLog Platform, you can efficiently store large volumes of DNS logs without sacrificing performance or scalability.

Parsing with PowerShell

Parsing with PowerShell is a crucial step in analyzing DNS query logs.

A basic PowerShell script, which can be found at TraceDetailedDNSLogs.ps1, can aid in parsing these logs by pulling four key values: source IP connection, port, name being resolved, and the IP address included in the response.

The script filters on any record where the address resolved was 127.0.0.2, a unique IP that's essential for distinguishing between legit queries and wildcard-based queries.

This unique IP helps avoid confusion between legitimate DNS queries and those initiated by a wildcard.

The PowerShell script is a helpful tool for parsing DNS query logs, making it easier to analyze and identify potential issues.

Check this out: Azure Dns Server Ip

Margarita Champlin

Writer

Margarita Champlin is a seasoned writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for simplifying complex topics, she has established herself as a go-to expert in the field of technology. Her writing has been featured in various publications, covering a range of topics, including Azure Monitoring.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.