Monitor Windows DNS Server using DNS Analytics (Preview) in Log Analytics
This article helps you use the DNS Analytics solution in Log Analytics to gather security,
performance, and operations-related insights into your DNS infrastructure. To do this, the
solution collects, analyzes, and correlates Windows DNS analytic and audit logs and
other related data from the DNS servers.
Available insights include:
Identification of clients which are trying to resolve malicious domain names
Identification of stale resource records
Identification of frequently queried domain names and talkative DNS clients
View into requests load on DNS servers
Insights into dynamic DNS registration failures
Data collection details
The following table shows data collection methods and other details about how data is
collected for DNS Analytics.
Platform | Direct Agent | SCOM agent | Azure Storage | SCOM required? | SCOM agent data sent via management group | Collection frequency
Windows Server (2012 R2 and above) | | | | | | DNS Analytic and Event logs collected near real-time; DNS Inventory data collected every 48 hours
The solution pulls DNS inventory and DNS event-related data from the DNS servers on
which the OMS agent is installed. This data is then uploaded to OMS and presented to
you on the solution dashboard. The inventory-related data (number of DNS servers, zones,
resource records, etc.) is collected by running the DNS PowerShell cmdlets and is
updated once every 2 days. The event-related data is collected near real-time from the
Analytic and Audit logs provided by enhanced DNS logging and diagnostics in Windows
Server 2012 R2.
Installing the solution
Use the following information to install and configure the solution.
You must have a Windows or Operations Manager agent on each DNS server which you want
to monitor.
Add the DNS Analytics solution to your OMS workspace from the Azure marketplace or by
using the process described in Add Log Analytics solutions from the Solutions Gallery. The
solution starts collecting data with no further configuration. However, you can use the
configuration described below to customize the data being collected.
Configuring the solution
The configuration button on the solution dashboard opens the solution configuration
page. There are 2 types of configuration changes that you can make:
1. Whitelisted Domain Names: The solution does not process all the lookup
queries. It maintains a whitelist of domain name suffixes. Lookup queries
that resolve to domain names matching a domain name suffix in
this whitelist are not processed by the solution. This helps to reduce the data
uploaded to OMS. The default whitelist includes popular public domain names
(such as www.google.com, www.facebook.com, etc.). You can view the complete
default list by using the scroll bar.
You can modify the list to add (or remove from the existing list) any
domain name suffix for which you are not interested in viewing lookup insights.
2. Talkative Client Threshold: DNS clients that exceed the threshold for the
number of lookup requests are highlighted in the DNS CLIENTS blade (3rd blade
on the solution dashboard). The default threshold is 1000. You can choose to edit
this threshold.
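The two configuration options above can be modelled in a few lines. The following is an added example (not code from the solution or from Microsoft): it applies a suffix whitelist to lookup queries and then flags clients that exceed the talkative-client threshold. The record field names (ClientIP, QueryName), the sample events, and the two-entry stand-in for the default whitelist are all constructed assumptions. The suffix match is label-based, so a whitelist entry of google.com does not accidentally suppress queries for notgoogle.com.

```python
"""Whitelisted domain suffixes and the talkative-client threshold.

Added example, not the solution's own code. Field names and sample events are
constructed; the real DnsEvents schema is not shown on this page.
"""
from collections import Counter

# Constructed stand-in for the solution's default whitelist (assumed entries).
DEFAULT_WHITELIST = ["www.google.com", "www.facebook.com"]
# The page states the default talkative-client threshold is 1000 requests.
DEFAULT_TALKATIVE_THRESHOLD = 1000


def normalize(name):
    """Lower-case and strip the trailing dot so 'WWW.Google.COM.' compares equal."""
    return name.strip().lower().rstrip(".")


def is_whitelisted(query_name, suffixes):
    """True when the queried name equals, or is a subdomain of, a whitelisted suffix.

    Matching is on whole labels: 'notgoogle.com' does NOT match the suffix
    'google.com', because the comparison requires a '.' before the suffix.
    """
    q = normalize(query_name)
    for suffix in suffixes:
        s = normalize(suffix)
        if q == s or q.endswith("." + s):
            return True
    return False


def filter_lookups(events, suffixes=DEFAULT_WHITELIST):
    """Keep only the lookup events the solution would process (non-whitelisted)."""
    return [e for e in events if not is_whitelisted(e["QueryName"], suffixes)]


def talkative_clients(events, threshold=DEFAULT_TALKATIVE_THRESHOLD):
    """Map ClientIP -> lookup count for every client that exceeds the threshold."""
    counts = Counter(e["ClientIP"] for e in events)
    return {ip: n for ip, n in counts.items() if n > threshold}


# Constructed sample lookup events (SubType LookUpQuery); field names are assumed.
SAMPLE_EVENTS = (
    [{"ClientIP": "10.0.0.5", "QueryName": "www.google.com."} for _ in range(3)]
    + [{"ClientIP": "10.0.0.5", "QueryName": "updates.example.internal"} for _ in range(4)]
    + [{"ClientIP": "10.0.0.7", "QueryName": "mail.example.internal"}]
    + [{"ClientIP": "10.0.0.9", "QueryName": "notgoogle.com"}]
)

if __name__ == "__main__":
    processed = filter_lookups(SAMPLE_EVENTS)
    print(len(processed), "of", len(SAMPLE_EVENTS), "lookups kept after whitelist")
    # Threshold lowered to 3 so the tiny sample produces a highlighted client.
    print("talkative clients:", talkative_clients(processed, threshold=3))
```

With the default threshold of 1000 the sample produces no talkative clients; the `__main__` block lowers it to 3 only so the small constructed sample yields a result.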
Using the solution
This section explains all the dashboard functions and how to use them.
Solution Overview tile
After you've enabled the DNS Analytics solution, the solution tile on the OMS Overview
page provides a quick summary of your DNS infrastructure: the number of DNS servers
from which data is being collected and the number of requests made by clients to
resolve malicious domains in the past 24 hours. When you click the tile, it opens the
solution dashboard.
Solution Dashboard
The solution dashboard shows summary information for the various features of the
solution along with links to the detailed view for forensic analysis and diagnosis. By
default, the data is shown for the last 7 days. The date and time range can be changed
from the date-time selection control shown in the image below.
The solution dashboard shows the following 6 blades:
DNS Security blade reports the DNS clients which are trying to communicate with
malicious domains.
Domains Queried blade provides a view into the domains being frequently queried by
the DNS clients.
DNS Clients blade highlights the clients making the largest number of queries. The upper
tile displays the total number of clients that have exceeded the threshold for the
number of requests.
Dynamic DNS Registrations blade reports the name registration failures. All the
registration failures for address resource records (Type A and AAAA) are highlighted
along with the Client IPs that made the registration requests.
Name registration requests blade: The upper tile shows a trend of successful and failed
DNS dynamic update request counts. The lower tile lists the top 10 clients sending failed
DNS update requests to the DNS servers (sorted by number of failures).
The Sample DNS Analytics Queries blade contains a list of most common search queries
that fetch raw analytics data directly.
You can use these queries as a starting point for creating your own queries for
customized reporting.
a. List of servers: This link navigates to the DNS Log search page where a list of all
DNS servers with their associated FQDN, Domain name, Forest name and Server
IPs is shown.
b. List of DNS zones: This link navigates to the DNS Log search page where a list of
all DNS zones with the associated zone name, dynamic update status, name
servers and DNSSEC signing status is shown.
c. Unused resource records: This link navigates to the DNS Log search page where a
list of all the unused/stale resource records is shown. This list contains the
resource record name, resource record type, the associated DNS server, record
generation time and the zone name. You can use this list to identify the DNS
resource records that are no longer in use. Based on this information, you can
then take an action to remove those entries from the DNS servers.
d. DNS servers query load: This link navigates to the DNS Log search page where
you can see the DNS queries-per-second statistics of all the DNS servers being
managed by the solution. Clicking the Metrics tab changes the view from
detailed records to a graphical visualization of the results.
e. DNS zones query load: This link navigates to the DNS Log search page where you
can see the DNS zone queries-per-second statistics of all the zones on the DNS
servers being managed by the solution. Clicking the Metrics tab changes
the view from detailed records to a graphical visualization of the results.
f. Configuration events: This link navigates to the DNS Log search page where you
can see all the DNS configuration change events and associated messages. You
can then filter these events based on time of the event, event ID, DNS server or
task category. It will help you audit what changes were made on which DNS
servers at what time.
g. DNS analytical log: This link navigates to the DNS Log search page where you can
see all the analytic events on all the DNS servers managed by the solution. You
can then filter these events based on time of the event, event ID, DNS server,
client IP that made the lookup query, query type, and task category. DNS server
analytic events enable activity tracking on the DNS server. An analytic event is
logged each time the server sends or receives DNS information.
DNS Log Search
On the Search page, you can create a query, and then when you search, you can filter
the results by using facet controls. You can also create advanced queries to transform,
filter, and report on your results. You can start with the 2 queries below:
1. In the search query field, type Type=DnsEvents to view all the DNS events
generated by the DNS servers managed by the solution. This lists the
log data for all events related to lookup queries, dynamic registration and
configuration changes.
To view the log data for lookup queries, filter for SubType as 'LookUpQuery'
from the left-hand facet control. A list/table containing the lookup query events
for the selected time period is displayed.
To view the log data for Dynamic Registrations, filter for SubType as
'DynamicRegistration' from the left-hand facet control. A list/table containing all
the Dynamic Registration events for the selected time period is displayed.
To view the log data for Configuration changes, filter for SubType as
'ConfigurationChange' from the left-hand facet control. A list/table containing
all the Configuration change events for the selected time period is displayed.
2. In the search query field, type Type=DnsInventory to view all the DNS inventory
related data for the DNS servers managed by the solution. This lists the
log data for DNS servers, DNS zones and resource records.
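The Type=DnsEvents / Type=DnsInventory searches and SubType facet filters above, and two of the dashboard summaries built on them (the failed dynamic update counts and top failing clients of the Name registration requests blade, and the unused resource record list), can be reproduced offline against exported records. The following is an added example and not code from the solution: the records are constructed, the field names (Result, RecordType, ClientIP, RecordGenerationTime, RecordName) are assumptions rather than the real schema, and the "stale" cutoff is a simple age heuristic chosen here, not the solution's own definition of an unused record.

```python
"""Type/SubType filtering plus two summaries over exported DNS Analytics records.

Added example, not the solution's own code. Records and field names are
constructed assumptions; only the Type and SubType values appear on the page.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def search(records, type_, subtype=None):
    """Equivalent of 'Type=<type_>', optionally narrowed by the SubType facet."""
    return [
        r for r in records
        if r.get("Type") == type_ and (subtype is None or r.get("SubType") == subtype)
    ]


def registration_summary(records, top_n=10):
    """Successful/failed dynamic update counts, and the top clients by failed
    address-record (A and AAAA) registrations, as the dashboard blade reports."""
    succeeded = failed = 0
    failures = Counter()
    for e in search(records, "DnsEvents", "DynamicRegistration"):
        if e["Result"] == "Success":
            succeeded += 1
        else:
            failed += 1
            if e["RecordType"] in ("A", "AAAA"):
                failures[e["ClientIP"]] += 1
    return {
        "succeeded": succeeded,
        "failed": failed,
        "top_failed_clients": failures.most_common(top_n),
    }


def stale_records(records, now, max_age_days):
    """Inventory resource records whose generation time is older than the cutoff.
    Assumed heuristic for 'unused'; inventory rows without a generation time
    (for example server or zone rows) are skipped."""
    cutoff = now - timedelta(days=max_age_days)
    return [
        r for r in search(records, "DnsInventory")
        if r.get("RecordGenerationTime") is not None and r["RecordGenerationTime"] < cutoff
    ]


# Constructed sample records; a fixed 'now' keeps the age check deterministic.
NOW = datetime(2017, 1, 10, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"Type": "DnsEvents", "SubType": "LookUpQuery", "ClientIP": "10.0.0.5",
     "QueryName": "mail.example.internal"},
    {"Type": "DnsEvents", "SubType": "DynamicRegistration", "ClientIP": "10.0.0.5",
     "RecordType": "A", "Result": "Success"},
    {"Type": "DnsEvents", "SubType": "DynamicRegistration", "ClientIP": "10.0.0.7",
     "RecordType": "A", "Result": "Failure"},
    {"Type": "DnsEvents", "SubType": "DynamicRegistration", "ClientIP": "10.0.0.7",
     "RecordType": "AAAA", "Result": "Failure"},
    {"Type": "DnsEvents", "SubType": "DynamicRegistration", "ClientIP": "10.0.0.9",
     "RecordType": "PTR", "Result": "Failure"},
    {"Type": "DnsEvents", "SubType": "ConfigurationChange", "DnsServer": "dns01",
     "Message": "zone example.internal: dynamic update setting changed"},
    {"Type": "DnsInventory", "SubType": "ResourceRecord", "RecordName": "oldhost",
     "RecordType": "A", "Zone": "example.internal",
     "RecordGenerationTime": NOW - timedelta(days=90)},
    {"Type": "DnsInventory", "SubType": "ResourceRecord", "RecordName": "newhost",
     "RecordType": "A", "Zone": "example.internal",
     "RecordGenerationTime": NOW - timedelta(days=2)},
    {"Type": "DnsInventory", "SubType": "Server", "DnsServer": "dns01"},
]

if __name__ == "__main__":
    print("DnsEvents:", len(search(SAMPLE_RECORDS, "DnsEvents")))
    print("ConfigurationChange:", len(search(SAMPLE_RECORDS, "DnsEvents", "ConfigurationChange")))
    print("registrations:", registration_summary(SAMPLE_RECORDS))
    print("stale:", [r["RecordName"] for r in stale_records(SAMPLE_RECORDS, NOW, 30)])
```

Note that the PTR failure is counted in the failed total but not attributed to a client, matching the blade's focus on address (A and AAAA) records.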
Next Steps
Search logs to view detailed DNS log records.