Microsoft DNS

The Microsoft DNS Server role translates domain names to IP addresses for the hosts in your company, whether they are reaching the internet or your private network. Its logs record those lookups, so they identify which resources your hosts are connecting to.

DNS, along with firewall, web proxy, and other outbound traffic-based event sources, helps InsightIDR identify cloud services that your organization uses and provides additional context around outbound traffic and network activity.

You can configure this event source using two methods:

  • Configure with a Domain Account: Use this method if you want the Collector to read the logs from a network share on the DNS server, using a domain account that has read-only access to that share.
  • Configure with NXLog: Use this method if you do not want to expose a file share or use a domain account for collection. NXLog runs on the DNS server and forwards the logs to the Collector over syslog.

Configure with a Domain Account

Microsoft DNS writes its logs to a folder that you specify on the DNS server. Make that folder available as a network share, and give the account that the Collector will use read-only access to it. The Collector only needs to read the files, so the account needs no write access and should not be a Domain Admin. DNS packet logs record every hostname your users look up, so restrict who can read the share.

In order to collect the audit logs from Microsoft DNS, you must:

  1. Collect DNS Server Logs
  2. Choose a Collection Method

Step 1: Collect DNS Server Logs

To collect server logs, you must create the destination folder and point the DNS Server's debug logging at a file inside it. Rapid7 recommends that the folder for DNS logging resides on the root (C) drive of the server that hosts the DNS role, for example C:\dnslogs.

To allow the InsightIDR collector to incorporate logs from DNS:

  1. On the DNS server, create a folder for the DNS logs. C:\dnslogs is the recommended directory.
  2. Right-click the folder and select Properties from the drop-down menu.
  3. In the “Properties” window, select the Sharing tab and then click the Advanced Sharing button.
  4. In the “Advanced Sharing” window, check the Share this folder box and then click the Permissions button.
  5. In the “Share Permissions” window, click the Add button, add the account that the Collector will use to read the logs, and grant it Read permission only. Remove the default Everyone entry unless you need it.

Make a note of this username and password for later use when you configure the DNS event source in InsightIDR.

  6. To enable logging on the DNS server, right-click your DNS server in the DNS Manager and select Properties from the drop-down menu.
  7. Select the Debug Logging tab and check the Log packets for debugging box. The remaining checkboxes can keep their default values.
  8. In the “Log file” section, enter the path of the log file inside the shared directory that you created in the previous steps, for example \\dns1.mycompany.com\dnslogs\dns.log
  9. Click the Apply button to save the configuration, and then click the OK button to finish.
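The same Step 1 configuration can be scripted from an elevated PowerShell prompt on the DNS server. The script below is an added example, not Rapid7's own tooling; the folder C:\dnslogs, the share name dnslogs and the read-only account MYCOMPANY\svc-insightidr-dns are placeholders to substitute. It also does the two things the GUI steps leave implicit: it grants the NTFS read permission that the share permission alone does not give, and it verifies the result.

```powershell
# Added example (not from the Rapid7 page): Step 1 done from PowerShell on the
# DNS server. The folder, share name and account below are assumed placeholders.

$LogDir     = 'C:\dnslogs'
$ShareName  = 'dnslogs'
$ReaderAcct = 'MYCOMPANY\svc-insightidr-dns'   # assumed dedicated, non-admin account
$LogFile    = Join-Path $LogDir 'dns.log'

# 1. Create the log directory if it does not exist.
if (-not (Test-Path $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

# 2. Share it with Read access for the collector account only. New-SmbShare
#    with -ReadAccess does not add the Everyone entry that the GUI adds.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogDir -ReadAccess $ReaderAcct | Out-Null
}

# 3. Share permissions are only half of it: NTFS must also allow the account to
#    read. (OI)(CI) makes the grant inherit to log files created later.
icacls $LogDir /grant "$($ReaderAcct):(OI)(CI)R" | Out-Null

# 4. Turn on packet logging for queries and answers, written to the local
#    path. The GUI steps enter the share's UNC path, which points at this same
#    folder. MaxMBFileSize is given in bytes; 500000000 is the server default.
Set-DnsServerDiagnostics -Queries $true -Answers $true -QuestionTransactions $true `
    -SendPackets $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
    -EnableLoggingToFile $true -LogFilePath $LogFile -MaxMBFileSize 500000000

# 5. Verify: the share should list a single Read entry for the collector
#    account, and diagnostics should show file logging enabled at $LogFile.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight
Get-DnsServerDiagnostics | Select-Object EnableLoggingToFile, LogFilePath, MaxMBFileSize
```

From the Collector host, confirm the account can actually read the share before adding the event source, for example by opening \\dns1.mycompany.com\dnslogs as that account; if Get-SmbShareAccess shows an Everyone entry, remove it with Revoke-SmbShareAccess.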

Step 2: Choose a Collection Method

After configuring your DNS logs on the network share, you can collect the audit logs in one of two ways with InsightIDR:

Rapid7 recommends Watch Directory or NXLog

We recommend that you collect logs using the Watch Directory method or the NXLog method with log file rotation instead of Tail File. The Watch Directory and NXLog methods are more reliable in most environments. Without rotation, the Microsoft DNS Server writes to a single file; when that file reaches the maximum configured size, the DNS Server clears it and starts writing from the beginning. A Collector that is tailing the file can then lose its place, which causes issues when InsightIDR reads the file.

Watch Directory

After you have completed the instructions to Collect DNS Server Logs, you can enable log file rotation and log retention as well as collect the logs with Watch Directory. To do this, you must complete the following tasks:

  1. Enable Log File Rotation
  2. Configure DNS in InsightIDR

Enable log file rotation

To enable log file rotation on your DNS server:

  1. Open a PowerShell command prompt as Administrator on the DNS server.
  2. Run the command: Set-DnsServerDiagnostics -EnableLogFileRollover $true
  3. Verify that the DNS logging settings are correct by using the command: Get-DnsServerDiagnostics. In the output, EnableLogFileRollover should be True and LogFilePath should point at the file inside the shared directory.

Instead of a single dns.log file in the original location, you will see a new DNS log file with a timestamp inserted into the name.

If the logs have retention set up and are set to roll over properly, you should expect to see DNS Logs generated within the shared directory created in previous steps.

Enable Log File Deletion (Optional)

You may also want to delete old DNS logs so that they do not fill up the hard drive of the DNS server. The command below runs once and exits, so set it up as a Scheduled Task that runs periodically. It deletes every DNS log file in the directory that is two days old or older (substitute your own log directory if it is not C:\dnslogs): Get-ChildItem C:\dnslogs -Filter dns*.log | where LastWriteTime -lt ((Get-Date).AddDays(-2)) | Remove-Item
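The following script registers that cleanup as a daily Scheduled Task. It is an added example, not part of the Rapid7 page; the directory C:\dnslogs, the file pattern dns*.log, the task name and the 03:00 schedule are assumptions to adjust. It restricts deletion to DNS log files so that nothing else placed in the share is removed, runs as LocalSystem so no credential has to be stored, and ends with a dry run that shows what the task would delete.

```powershell
# Added example (not from the Rapid7 page): daily Scheduled Task that removes
# rotated DNS log files older than two days. Directory, pattern, task name and
# schedule below are assumed placeholders.

$LogDir   = 'C:\dnslogs'
$TaskName = 'Purge-DnsDebugLogs'
$KeepDays = 2

# The cleanup itself. -Filter limits deletion to DNS log files; the active log
# is never two days stale because the DNS Server writes to it continuously.
$Cleanup = "Get-ChildItem -Path '$LogDir' -Filter 'dns*.log' -File | " +
           "Where-Object LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) | " +
           "Remove-Item -Force"

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$Cleanup`""
$Trigger = New-ScheduledTaskTrigger -Daily -At 03:00

# Run as LocalSystem: it already owns the files and needs no stored password.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Description "Delete DNS debug logs older than $KeepDays days" `
    -Force | Out-Null

# Dry run of the same filter, so you can see what the task would delete tonight.
Get-ChildItem -Path $LogDir -Filter 'dns*.log' -File |
    Where-Object LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) |
    Select-Object Name, LastWriteTime, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }
```

Pick a retention longer than the Collector's longest expected outage: once a rotated file is deleted, its queries cannot be collected later.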

Configure DNS in InsightIDR

To collect DNS audit logs using the Watch Directory collection method in InsightIDR:

  1. From your dashboard, select Data Collection from the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the DNS icon. The “Add Event Source” panel appears.
  4. Choose your collector and select Microsoft DNS from the dropdown. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select Watch Directory as your collection method.
  8. Provide the folder path to the network share you configured.
  9. Enter a scan interval in seconds.
  10. Optionally specify the file pattern for InsightIDR to watch for. The file pattern dns*.log should suffice, or you can leave the file pattern box empty for full visibility.
  11. Click the Save button.

Tail File

You can configure InsightIDR to collect DNS audit logs using the Tail File method after completing the setup on your DNS server.

To do so:

  1. From your dashboard, select Data Collection from the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the DNS icon. The “Add Event Source” panel appears.
  4. Choose your collector and select Microsoft DNS from the dropdown. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Select Tail File as your collection method.
  8. Provide the path to the network share you configured in UNC notation, including the file name of the log to tail, such as \\dns1.mycompany.com\dnslogs\dns.log
  9. Click the Save button.

Configure With NXLog

If you do not wish to create a file share on your DNS server, you can collect and send the logs with NXLog instead. To use NXLog, install it on the DNS server. NXLog reads the DNS log files and sends them to your InsightIDR Collector using syslog. To configure with NXLog:

  1. Download and install NXLog. For instructions on how to do this, see the NXLog page.
  2. Enable Log File Rotation on your DNS server. For instructions on how to do this, see the Enable Log File Rotation section of the Microsoft DNS page.
  3. From your InsightIDR dashboard, select Data Collection on the left menu.
  4. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  5. From the Security Data section, click the DNS icon. The Add Event Source panel appears.
  6. Choose your collector.
  7. Select Microsoft DNS as your event source and give it a descriptive name.
  8. Choose the time zone that matches the location of your event source logs.
  9. Click the Listen for Syslog button.
  10. In the Port field, enter in a port you wish to use for this event source. You cannot use a port that you already use for another event source.
  11. For Protocol, use either UDP or TCP. Although this event source supports both protocols, be aware that NXLog must be configured to send logs using the protocol you select.
  12. Click Save.
  13. Follow the instructions in the Microsoft DNS section of the NXLog page to edit the nxlog.conf file so that it reads the DNS log files and forwards them to InsightIDR on the port and protocol you chose.
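As an illustration of what step 13 produces, the script below writes an NXLog Community Edition configuration that tails the rotated DNS logs and forwards them as syslog, then restarts the NXLog service. This is an added example and is not the configuration from Rapid7's NXLog page; it assumes NXLog CE in its default 64-bit install path, the log directory C:\dnslogs, a Collector at 10.0.0.5 listening on UDP port 5140, and that UDP is what you selected in the event source. Replace those values with your own.

```powershell
# Added example (not from the Rapid7 page or the NXLog page it refers to):
# deploy an nxlog.conf that forwards rotated DNS logs to the Collector.
# Install path, log directory, Collector address, port and protocol are
# assumed placeholders.

$NxlogRoot = 'C:\Program Files\nxlog'
$ConfPath  = Join-Path $NxlogRoot 'conf\nxlog.conf'
$Collector = '10.0.0.5'
$Port      = 5140
$Protocol  = 'udp'   # must match the protocol selected in InsightIDR: 'udp' or 'tcp'

$Config = @"
define ROOT $NxlogRoot
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module  xm_syslog
</Extension>

# Watch every rotated DNS log (dns*.log) rather than a single file, so that the
# rollover enabled with Set-DnsServerDiagnostics does not lose events.
<Input dns_debug_log>
    Module        im_file
    File          'C:\dnslogs\dns*.log'
    SavePos       TRUE
    ReadFromLast  TRUE
    # Drop the blank lines the DNS Server writes between records.
    Exec          if `$raw_event =~ /^\s*`$/ drop();
</Input>

<Output insightidr>
    Module  om_$Protocol
    Host    $Collector
    Port    $Port
    Exec    to_syslog_bsd();
</Output>

<Route dns_to_insightidr>
    Path    dns_debug_log => insightidr
</Route>
"@

# Keep the previous configuration, write the new one without a BOM, restart.
Copy-Item -Path $ConfPath -Destination "$ConfPath.bak" -ErrorAction SilentlyContinue
Set-Content -Path $ConfPath -Value $Config -Encoding ASCII
Restart-Service -Name nxlog
Get-Service -Name nxlog | Select-Object Status, Name
```

If the service fails to start, the reason is in %ROOT%\data\nxlog.log on the DNS server. Because the logs leave the host over syslog, prefer TCP when the Collector is more than one hop away: UDP silently drops events under load, and nothing on the DNS side will tell you.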