Question
Thursday, March 9, 2017 8:43 AM
Hi,
I am running the DNS Server Service on Windows 2008 R2. I would like to fetch DNS query logs using ETW. The available providers can be found by issuing the command
logman.exe query providers
So far I tried with:
- Microsoft-Windows-DNS-Client
- Microsoft-Windows-DNS-Server-Service
- DNS Server Trace Provider
But neither of these providers gives me the query logs. I know that one way would be to enable debug on DNS Server Service properties, but I prefer ETW because it will allow me to parse and ship the jobs directly to the log server.
I could use Microsoft-Windows-TCPIP but it is too noisy and the selection of DNS traffic might be problematic or prone to error.
Any ideas or thoughts over how could I go about this?
Thanks!
All replies (4)
Monday, March 13, 2017 1:11 AM ✅Answered
Hi,
You could use network monitor to catch DNS traffic.
Please click link below to download it:
https://www.microsoft.com/en-us/download/details.aspx?id=4865
Best Regards
John
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, March 10, 2017 4:44 AM
Hi Panagiotis,
You could use the tracelog command to achieve the goal, and please check the link below to understand the tracelog command:
Tracelog Command Syntax
https://msdn.microsoft.com/windows/hardware/drivers/devtest/tracelog-command-syntax
And here is additional information about DNS events on windows server 2012 for your reference:
https://technet.microsoft.com/en-us/library/dn800669(v=ws.11).aspx
Best Regards
John
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
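The session the question describes (start an ETW trace against the DNS Server providers it lists, then decode the result) carried through with logman, which is the session-control tool the question already uses and which plays the same role as the tracelog command this reply points to. This is an added example, not code from the original thread or from Microsoft. It assumes an elevated PowerShell prompt on the DNS server; the session name, output paths and the use of nslookup to generate a test query are choices made here. Whether a given provider actually emits per-query events is exactly what the thread is trying to establish, so step 4 groups the captured events by provider and event ID to show what each provider produced rather than presuming an answer.

```powershell
# Added example (not from the thread): capture the DNS Server ETW providers
# named in the question into an .etl file, then decode and export the trace.
# Assumptions: elevated PowerShell on the DNS server; paths/names chosen here.
$Session = 'DnsQueryTrace'               # session name (chosen here)
$EtlPath = 'C:\Temp\DnsQueryTrace.etl'   # trace output file (chosen here)
$XmlPath = 'C:\Temp\DnsQueryTrace.xml'   # decoded export for shipping (chosen here)
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null

# 1. Confirm which DNS-related providers are registered on this host
#    (same command as in the question, filtered to the DNS entries).
logman.exe query providers | Select-String -Pattern 'DNS'

# 2. Create and start the session directly (-ets = control the live session,
#    no data-collector-set definition is saved). Keyword mask
#    0xffffffffffffffff and level 0xff request everything the provider emits.
logman.exe create trace $Session -ets `
    -p 'Microsoft-Windows-DNS-Server-Service' 0xffffffffffffffff 0xff `
    -o $EtlPath

# Add the second provider from the question to the running session.
logman.exe update trace $Session -ets `
    -p 'DNS Server Trace Provider' 0xffffffffffffffff 0xff

# 3. Generate a test query against the local server so the trace contains
#    at least one lookup, then stop the session (this flushes the .etl file).
#    nslookup is used because Resolve-DnsName is not available on 2008 R2.
nslookup example.com 127.0.0.1 | Out-Null
Start-Sleep -Seconds 5
logman.exe stop $Session -ets

# 4. Read the .etl file directly. -Oldest is required for .etl input.
#    Grouping by provider and event ID shows what each provider actually
#    emitted, so you can tell whether query events are present at all.
Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. Export the trace to XML with the in-box tracerpt tool; the XML is what
#    a log shipper or parser would consume instead of the raw .etl.
tracerpt.exe $EtlPath -o $XmlPath -of XML
```

If step 4 prints no events from a provider, that provider is either not emitting at the requested keywords/level or is not the one carrying query data; inspecting the per-event XML from step 5 for the event IDs that did fire is the quickest way to see whether query names and client addresses are present in the payload.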
Friday, March 10, 2017 8:00 AM
Hi John,
Thanks for the reply.
Do you have any hints on which provider to use in order to capture DNS queries and responses? I don't see support for filtering based on port number, and identifying DNS packets at the TCP level is tricky.
Monday, March 13, 2017 3:14 PM
Thanks!