DNS Activity

Harnessing DNS Logs for Threat Detection: A Comprehensive Guide

DNS plays a pivotal role in network communication, and its logs are invaluable for identifying malicious activity. This lesson shows how to enable DNS Client logging on Windows and how to read the key event IDs during threat hunting and forensic investigation.


Enabling DNS Logging

To monitor DNS queries on a Windows endpoint, start by enabling the DNS Client Operational log (Microsoft-Windows-DNS-Client/Operational), which is disabled by default, in Event Viewer:

  1. Open Event Viewer

  2. Navigate to: Applications and Services Logs > Microsoft > Windows > DNS Client Events > Operational

  3. Enable Log:

    • Right-click Operational and select Enable Log. The log is off by default because it is verbose: every name the host resolves produces several events, so plan log size and forwarding before enabling it fleet-wide.
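The same change from an elevated PowerShell prompt, as an added example that is not part of the original lesson: wevtutil is the command-line counterpart of the Enable Log menu item, the second command confirms the state, and the last two generate one lookup and show the events it produced. The 100 MB size cap is an assumption to tune for your hosts.

```powershell
# Added example, not from the original lesson. Run from an elevated PowerShell prompt.
$logName = 'Microsoft-Windows-DNS-Client/Operational'   # shown in Event Viewer as DNS Client Events > Operational

# Same effect as "Enable Log" in Event Viewer. The 100 MB cap is an assumption to tune;
# the default is small and a busy endpoint overwrites it quickly.
wevtutil set-log $logName /enabled:true /maxsize:104857600

# Confirm the state: IsEnabled should be True and RecordCount should climb from here on.
Get-WinEvent -ListLog $logName | Select-Object LogName, IsEnabled, RecordCount, MaximumSizeInBytes

# Generate one lookup through the Windows DNS client and look at the events it produced.
Resolve-DnsName letsdefend.io -ErrorAction SilentlyContinue | Out-Null
Get-WinEvent -LogName $logName -MaxEvents 10 | Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

The final table is worth keeping: the Message column shows the exact wording your Windows build uses for each event ID, which is what you will match against when the log is forwarded to a SIEM.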


Key DNS Event IDs for Analysis

Once DNS Client logging is enabled, the following Event IDs are the ones to focus on. They are recorded on the endpoint by the DNS Client (the stub resolver), not by a DNS server:

Event ID 3006: DNS Query Initiation

This event records each DNS query handed to the DNS Client API, so it is the most complete record of which names the host tried to resolve.

Field Highlights:

  • QueryName: Domain name queried.

  • Process: Application that initiated the query. The raw event carries the caller's process ID in its System section (Execution/ProcessID); the image name must be resolved from process creation logs (Security 4688 or Sysmon 1), or taken from Sysmon Event ID 22, which records DNS queries together with the image path.

Example Analysis:

  • Event ID: 3006

  • QueryName: letsdefend.io

  • Process: chrome.exe

This indicates that chrome.exe initiated a DNS query for letsdefend.io.

Event ID 3010: DNS Query Sent to DNS Server

Logs when the DNS Client service sends a query over the network to one of the host's configured DNS servers. Since this is the client-side log, the event describes the endpoint talking to its resolver, not a DNS server forwarding to an upstream.

Field Highlights:

  • QueryName: Queried domain.

  • ServerAddress: Address of the DNS server the query was sent to.

Example Analysis:

  • Event ID: 3010

  • QueryName: letsdefend.io

  • ServerAddress: 8.8.8.8

This shows that the host sent the query for letsdefend.io to Google's public DNS server (8.8.8.8). On a managed network where endpoints are expected to use internal resolvers, a public server in this field is itself a finding to check against the endpoint's DNS configuration.

Event ID 3011: DNS Query Response Received

Logs when a response is received for a DNS query.

Field Highlights:

  • QueryName: Domain name queried.

  • ResponseCode: Status of query resolution (the DNS RCODE, e.g. NoError, NXDOMAIN, SERVFAIL).

Example Analysis:

  • Event ID: 3011

  • QueryName: letsdefend.io

  • ResponseCode: NoError

This indicates that the query for letsdefend.io was successfully resolved.
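Pulling the three event IDs from the live log and lining them up for one lookup, as an added example (not code from the original lesson). It assumes the queried name sits in an EventData element named QueryName and that the ProcessID in the event's System section is the process the event was logged from (3006 in the calling application, 3010/3011 in the DNS Client service); verify both against the XML view of a real event on your build. Every other EventData field is kept by name rather than hard-coded.

```powershell
# Added example, not from the original lesson. Reads the live log on a Windows host
# where it has been enabled. Assumptions: the queried name is in an EventData element
# called QueryName, and the ProcessID in the event's System section is the process the
# event was logged from (3006 in the caller, 3010/3011 in the DNS Client service).
$logName = 'Microsoft-Windows-DNS-Client/Operational'

function Get-DnsClientEvent {
    param([int[]]$Id = @(3006, 3010, 3011), [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $fields = @{}                                   # <Data Name="X">value</Data> -> $fields['X']
            foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $fields[$d.Name] = $d.'#text' } }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                ProcessId   = [int]$xml.Event.System.Execution.ProcessID
                QueryName   = $fields['QueryName']
                Fields      = $fields
                Message     = $_.Message
            }
        }
}

# The three stages of one lookup, in order. Message shows the exact wording (and
# therefore the field names) your Windows build uses for 3006, 3010 and 3011.
$name = 'letsdefend.io'
Get-DnsClientEvent |
    Where-Object { $_.QueryName -eq $name -or $_.Message -match [regex]::Escape($name) } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, ProcessId, Message -AutoSize -Wrap

# Who asked? Group the 3006 events by calling PID and resolve it to an image while the
# process is still alive; for exited processes, correlate with Security 4688 / Sysmon 1.
Get-DnsClientEvent -Id 3006 |
    Group-Object ProcessId |
    ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId = $_.Name
            Image     = $(if ($proc) { $proc.ProcessName } else { '(exited)' })
            Queries   = $_.Count
            Names     = (@($_.Group.QueryName | Sort-Object -Unique) -join ', ')
        }
    } | Sort-Object Queries -Descending | Format-Table -AutoSize -Wrap
```

The second table is the practical form of the "Process" field highlight above: the PID is in the event, the image is not, so a dead process can only be named by joining against process creation logs from the same host.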


Threat Hunting with DNS Logs

DNS logs are instrumental in detecting malicious activity such as DNS tunneling and C2 (Command and Control) communication. Here is how to use these logs effectively:


1. Identify Suspicious Domains

  • Utilize Event ID 3006 to track all domain queries.

  • Cross-reference queried domains with threat intelligence feeds or known malicious indicators.


2. Validate Query Behavior

  • Use Event ID 3010 to see which DNS server each query was actually sent to and whether it matches the resolvers the endpoint is supposed to use.

  • Investigate domains that an endpoint resolves unusually often, or at suspiciously regular intervals, compared with its normal behaviour.


3. Monitor DNS Responses

  • Analyze Event ID 3011 to review domain resolution outcomes.

  • Pay close attention to unusual ResponseCodes:

    • NXDOMAIN: Non-existent domain.

    • SERVFAIL: Server failure.

These may indicate attempted communication with non-existent or misconfigured domains during an attack; a burst of NXDOMAIN responses attributable to one process is characteristic of malware cycling through algorithmically generated (DGA) domains until one resolves.


4. Correlate with Other Artifacts

  • Examine DNS logs alongside other data sources (e.g., firewall logs, process creation logs).

  • Correlate DNS activity with detected C2 traffic or exploit attempts to uncover malicious behavior.
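The four steps above as detection logic, in an added example that is not part of the original lesson. It runs offline (Windows PowerShell 5.1 or pwsh on any OS) over a constructed record set shaped like the 3006/3010/3011 events; the records are made up, their field labels (QueryName, ServerAddress, ResponseCode) follow the lesson rather than a guaranteed event schema, and the watchlist, approved resolver 10.0.0.53 and thresholds are assumptions to replace with your own.

```powershell
# Added example, not part of the original lesson. Input is a constructed record set;
# on a real host, replace $sample with parsed Get-WinEvent output from the DNS Client log.
$t0 = Get-Date '2024-05-01T09:00:00'
function New-Rec($Offset, $Id, $Caller, $Name, $Server = $null, $Rcode = $null) {
    [pscustomobject]@{ Time = $t0.AddSeconds($Offset); Id = $Id; ProcessId = $Caller
                       QueryName = $Name; ServerAddress = $Server; ResponseCode = $Rcode }
}
# 1780 is the DNS Client service (svchost) in this made-up data: it emits the wire events,
# while 3006 carries the PID of the application that asked for the name.
$sample = @(
    New-Rec 0.00 3006 4120 'letsdefend.io'                     # chrome.exe in the lesson's example
    New-Rec 0.01 3010 1780 'letsdefend.io' '10.0.0.53'
    New-Rec 0.05 3011 1780 'letsdefend.io' '10.0.0.53' 'NoError'
    New-Rec 1.00 3006 6312 'cdn.badc2.example'                 # watchlisted (constructed)
    New-Rec 1.01 3010 1780 'cdn.badc2.example' '8.8.8.8'       # sent to a resolver we do not run
    New-Rec 1.05 3011 1780 'cdn.badc2.example' '8.8.8.8' 'NoError'
)
# Tunnelling-style burst: six long hex-looking labels under one parent, all from PID 7744.
foreach ($i in 1..6) {
    $label = -join (1..40 | ForEach-Object { '0123456789abcdef'[($_ * $i * 7) % 16] })
    $sample += New-Rec (3 + $i) 3006 7744 "${label}.tun.example"
}
# NXDOMAIN burst: PID 9001 asking for six names that do not exist (DGA-like).
foreach ($i in 1..6) {
    $name = 'x{0}q{1}.example' -f $i, ($i * 1234567)
    $sample += New-Rec (10 + $i) 3006 9001 $name
    $sample += New-Rec (10.02 + $i) 3011 1780 $name '10.0.0.53' 'NXDOMAIN'
}

$watchlist         = @('badc2.example')      # assumption: your threat-intel list
$approvedResolvers = @('10.0.0.53')          # assumption: the organisation's resolvers
$queries   = $sample | Where-Object Id -eq 3006
$sent      = $sample | Where-Object Id -eq 3010
$responses = $sample | Where-Object Id -eq 3011

# 1. Identify suspicious domains: exact match or any subdomain of a watchlisted name.
$watchHits = $queries | Where-Object {
    $n = $_.QueryName
    @($watchlist | Where-Object { $n -eq $_ -or $n.EndsWith('.' + $_) }).Count -gt 0
}

# 2. Validate query behaviour: queries that went to a resolver we do not operate.
$rogueResolver = $sent | Where-Object { $_.ServerAddress -notin $approvedResolvers }

# 3a. Tunnelling heuristic: many distinct, long leftmost labels under one parent domain.
$tunnel = $queries |
    Where-Object { $_.QueryName.Split('.').Count -ge 3 } |
    Group-Object { $_.QueryName.Substring($_.QueryName.IndexOf('.') + 1) } |
    ForEach-Object {
        $labels = @($_.Group | ForEach-Object { $_.QueryName.Split('.')[0] } | Sort-Object -Unique)
        [pscustomobject]@{ Parent = $_.Name; Subdomains = $labels.Count
                           AvgLabelLen = ($labels | Measure-Object Length -Average).Average }
    } | Where-Object { $_.Subdomains -ge 5 -and $_.AvgLabelLen -ge 30 }

# 3b + 4. NXDOMAIN burst with correlation: a 3011 carries the service's PID, so the
#         calling process is recovered from the most recent 3006 for the same name.
$nxByCaller = $responses | Where-Object ResponseCode -eq 'NXDOMAIN' | ForEach-Object {
    $r = $_
    $caller = $queries | Where-Object { $_.QueryName -eq $r.QueryName -and $_.Time -le $r.Time } |
              Sort-Object Time -Descending | Select-Object -First 1
    [pscustomobject]@{ Time = $r.Time; QueryName = $r.QueryName; CallerPid = $caller.ProcessId }
} | Group-Object CallerPid | Where-Object Count -ge 5 | ForEach-Object {
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{ CallerPid = $_.Name; NxCount = $_.Count
                       WindowSeconds = ($times[-1] - $times[0]).TotalSeconds }
}

'--- watchlist hits ---';            $watchHits     | Format-Table Time, ProcessId, QueryName -AutoSize
'--- non-approved resolvers ---';    $rogueResolver | Format-Table Time, QueryName, ServerAddress -AutoSize
'--- tunnelling candidates ---';     $tunnel        | Format-Table -AutoSize
'--- NXDOMAIN bursts by caller ---'; $nxByCaller    | Format-Table -AutoSize
```

With the constructed data, the watchlist rule flags cdn.badc2.example from PID 6312, the resolver rule flags the query sent to 8.8.8.8, the tunnelling rule flags tun.example (six 40-character labels), and the NXDOMAIN rule attributes six failures within five seconds to PID 9001. The last rule is the one that needs step 4: without joining the 3011 back to its 3006, every failure would appear to come from the DNS Client service.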


Key Points

By enabling and analyzing DNS logs, particularly Event IDs 3006, 3010, and 3011, defenders can gain critical visibility into domain queries and responses. These logs provide actionable insights to:

  • Detect adversarial behavior.

  • Investigate DNS-based threats.

  • Secure the network against a variety of attacks, including DNS tunneling and unauthorized domain resolutions.

Make DNS logs a cornerstone of your threat detection and response strategy.
