DNS Logging Configuration on a Windows Server

Configuration Guide

Updated May 25, 2023

DNS Logging Configuration on a Windows Server

Overview Direct link to this section

This document describes how to configure a Windows server to log DNS packets.

Before you begin Direct link to this section

This process uses dnscmd.exe to configure the Windows DNS server component to use write-through transactions when logging. The suggested /loglevel flag lets DNS packets log immediately to disk. If you change the DNS server logging settings through the Microsoft Management Console (MMC) user interface, this setting is reverted and log lines are not immediately written, potentially causing delays in incident detection.

To further adjust Windows DNS server logging after completing this procedure, use dnscmd.exe /config in conjunction with the Microsoft TechNet article to preserve the write-through transaction value (0x80000000) or contact your CST for additional assistance.

Configure DNS logging for a Windows Server Direct link to this section

  1. From the Start menu, open PowerShell with administrative privileges.

  2. Run the following command in PowerShell to enable DNS packet logging with write-through transactions:

    dnscmd /config /loglevel 0x8000F301

  3. Run the following command in PowerShell to set the maximum size of the DNS log file to 200 megabytes (MB):

    dnscmd /config /logfilemaxsize 0xC800000

  4. Close the PowerShell window. DNS logs are now written to %SYSTEMROOT%\System32\dns\dns.log. The %SYSTEMROOT% variable is your Windows directory, such as C:\WINDOWS.

Validate the configuration through the MMC Direct link to this section

Note: We do not recommend changing the log settings in MMC.

  1. From the Start menu, open Administrative Tools, and then click DNS to open the DNS management console.

    Tip: On previous Windows Server versions, click Start > All Programs > Administrative Tools > DNS.

  2. From the tree view, expand your DNS server, and then right-click the server to select Properties.

  3. Click the Debug Logging tab and confirm that these settings are selected:

    • Log packets for debugging
    • Packet direction — Outgoing and Incoming
    • Transport protocol — UDP and TCP
    • Packet contents — Queries/Transfers
    • Packet type — Request and Response

  4. Click Cancel to avoid saving any changes.

  5. Close the DNS Manager window.

You have now successfully configured your Windows server to log DNS packets.

Proceed with AD Sensor installation Direct link to this section

To continue with Active Directory (AD) Sensor installation, go to Active Directory Sensor Installation.