
SANS ISC: Security Features Nobody Implements SANS ISC InfoSec Forums

Security Features Nobody Implements
Windows is an ugly mess for DNS, particularly if you chain them. You need some way to aggregate the logs from every DNS server so you can track the traffic from source to destination. We do it with a Splunk agent on each DNS server. But then you have to write a rule to look for no traffic from each server, because they seem to have a tendency to stop logging.

And if you're not doing HTTPS decryption yet, be afraid, very afraid: https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/

Yep, the most hacked web platform in the world is now going full HTTPS
Anonymous
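The "no traffic from each server" rule described in the post above, as an added example that is not the poster's code and not Splunk's: a stand-alone Python version that runs over constructed, already-aggregated DNS log lines. The line format, the server inventory, the 15-minute window and the reference time are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of aggregated DNS log events, one per line, in a
# hypothetical "<ISO timestamp> <dns_server> <client_ip> <query>" format.
# dns02 goes quiet after 10:00 and dns04 never logs at all.
SAMPLE_EVENTS = """\
2016-04-11T10:00:05Z dns01 10.1.1.20 intranet.example.internal
2016-04-11T10:00:07Z dns02 10.1.2.31 mail.example.internal
2016-04-11T10:14:50Z dns01 10.1.1.22 www.example.com
2016-04-11T10:15:02Z dns03 10.1.3.10 updates.example.com
2016-04-11T10:29:40Z dns01 10.1.1.25 crl.example.com
"""

# Assumed inventory: the rule must be keyed on the servers you expect,
# not on the servers that happen to appear in the logs, or a server that
# never forwards anything is invisible to the check.
EXPECTED_SERVERS = {"dns01", "dns02", "dns03", "dns04"}
MAX_SILENCE = timedelta(minutes=15)                       # assumed window
NOW = datetime(2016, 4, 11, 10, 30, tzinfo=timezone.utc)  # assumed "now"


def parse_events(text):
    """Return {server: latest event time (UTC)} over the log lines."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, server, _client, _query = line.split(maxsplit=3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        if server not in last_seen or when > last_seen[server]:
            last_seen[server] = when
    return last_seen


def silent_servers(last_seen, expected, now, max_silence):
    """Map each silent server to its silence so far (None = never seen)."""
    cutoff = now - max_silence
    silent = {}
    for server in sorted(expected):
        seen = last_seen.get(server)
        if seen is None:
            silent[server] = None          # no event at all: alert
        elif seen < cutoff:
            silent[server] = now - seen    # stale: alert with the gap
    return silent


def check_logging(text=SAMPLE_EVENTS, now=NOW):
    """One run of the rule; silence means the pipeline broke, not that DNS is quiet."""
    return silent_servers(parse_events(text), EXPECTED_SERVERS, now, MAX_SILENCE)
```

In Splunk the same check is a "latest event time per host, compared with now" search scheduled on the same window; the point is that an empty result for a server is itself the alert.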
I'll add a +1 to this question. I have discussed it with our internal AD experts, one of whom I definitely am not. As they explained the problem to me, MS DNS does not provide a means for generating normal, everyday, operational logs. The only logs available are considered debug logs, and MS recommends against turning those on except for short, dedicated debugging sessions, because the logging causes performance problems. If anyone is aware of a good way to capture DNS logs in an MS DNS environment, I would be grateful if you would share your knowledge.
John

13 Posts
Here was what I found that was close to what one would like. Besides, MS DNS logs to a flat file, not exactly great for forwarding out of the box.
http://www.zedlan.com/documentation-windnsloganalyser.php
Anonymous