TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Windows DNS Channel Logs | ✅ | ✅ | ✅ | ✅ | windows_dns_channel_logs | NDJSON | S3 |
| Windows DNS Debug Logs JSON | ✅ | ✅ | ✅ |  | windows_dns_debug_logs_json | NDJSON | S3 |
Overview
Windows DNS logs provide a comprehensive record of Domain Name System activity on a server, which is crucial for both security monitoring and network troubleshooting.
These logs capture the essential details of DNS queries and responses: the timestamp, the client's source IP address, the domain name queried, the query type (A, AAAA, MX, TXT and so on), the server's response code and the resolved IP address.
Analysing this data helps administrators detect potential security threats such as malware command-and-control (C2) communication, data exfiltration via DNS tunnelling (often indicated by unusual query types such as TXT records, unusually long query names, or a burst of distinct subdomains under a single domain), and network attacks such as cache poisoning or Denial of Service (DoS) attempts.

Windows Server offers two primary logging methods. The modern Analytical event log (found under Applications and Services Logs\Microsoft\Windows\DNS-Server\Analytical) is recommended for ongoing monitoring because of its low performance impact.
Legacy Debug logging is file-based and provides very detailed packet-level information that is useful for specific incident response, but it can affect server performance. Audit logs track configuration changes to the DNS server, while Analytical and Debug logs record the actual DNS transactions, giving visibility into network behaviour that other logs miss. Integrating these logs with Hunters further enhances analysis, enabling advanced filtering, alerting and visualisation of potential issues.
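The tunnelling indicators listed above, as an added triage example (not code from the original page or from Hunters): it reads records in the windows_dns_debug_logs_json shape documented under Expected format below, scores each query on record type, name length, label length and the entropy of the subdomain part, and separately counts how many distinct subdomains each client asks for under one parent domain, which catches tunnels whose individual queries look short. The thresholds, the naive two-label "registered domain" rule and the sample records are all assumptions constructed for this example.

```python
import json
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for illustration; tune them against your own baseline.
LONG_NAME = 60            # total query name length, characters
LONG_LABEL = 40           # single label length (DNS caps labels at 63)
HIGH_ENTROPY = 3.8        # bits/char over the subdomain part; encoded data scores high
RARE_TYPES = {"TXT", "NULL"}   # record types favoured by tunnelling tools
SUBDOMAIN_FANOUT = 20     # distinct subdomains one client asks for under one domain


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive parent domain (last two labels); real code would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def query_indicators(rec: dict) -> list:
    """Per-record indicators computed from QuestionType and QuestionName."""
    name = rec.get("QuestionName", "").rstrip(".")
    labels = name.split(".")
    ind = []
    if rec.get("QuestionType") in RARE_TYPES:
        ind.append("qtype=" + rec["QuestionType"])
    if len(name) > LONG_NAME:
        ind.append("long-name")
    if any(len(label) > LONG_LABEL for label in labels):
        ind.append("long-label")
    sub = "".join(labels[:-2])          # everything below the registered domain
    if len(sub) >= 16 and shannon_entropy(sub) > HIGH_ENTROPY:
        ind.append("high-entropy")
    return ind


def triage(records):
    """Return (hits, fanout_hits): records with >= 2 indicators, and (client, domain)
    pairs whose distinct-subdomain count reaches SUBDOMAIN_FANOUT."""
    hits, seen = [], set()
    fanout = defaultdict(set)
    for rec in records:
        name = rec.get("QuestionName", "").rstrip(".")
        ip = rec.get("RemoteIP")
        fanout[(ip, registered_domain(name))].add(name)
        ind = query_indicators(rec)
        if len(ind) >= 2 and (ip, name) not in seen:   # query and response share a name
            seen.add((ip, name))
            hits.append({"RemoteIP": ip, "QuestionName": name, "indicators": ind})
    fanout_hits = [
        {"RemoteIP": ip, "domain": dom, "distinct_subdomains": len(names)}
        for (ip, dom), names in fanout.items() if len(names) >= SUBDOMAIN_FANOUT
    ]
    return hits, fanout_hits


def make_record(ip, qtype, qname, direction="Rcv"):
    """Constructed record using the windows_dns_debug_logs_json field names."""
    return {"SendReceiveIndicator": direction, "RemoteIP": ip, "QuestionType": qtype,
            "QuestionName": qname, "Protocol": "UDP", "Opcode": "Q"}


# Constructed sample set: benign traffic, one encoded TXT query, and a fan-out burst.
SAMPLE = [make_record("10.0.0.5", "A", "www.example.com"),
          make_record("10.0.0.5", "A", "www.example.com", "Snd"),
          make_record("10.0.0.9", "AAAA", "mail.example.com"),
          make_record("10.0.0.7", "TXT",
                      "6qz3j8kp2vxw9hn4rt7ym5bs0cfl1dgu.abcdefghijklmnopqrstuvwxyz012345.tun.example.org")]
SAMPLE += [make_record("10.0.0.5", "A", f"chunk{i:03d}.c2.example.net") for i in range(25)]
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in SAMPLE)


def triage_ndjson(text: str):
    """Entry point for an NDJSON export: one JSON object per line."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    hits, fanout_hits = triage_ndjson(SAMPLE_NDJSON)
    for h in hits + fanout_hits:
        print(json.dumps(h))
```

Run as a script it prints the flagged TXT query and the fan-out pair. In practice the same logic runs over the NDJSON export before upload or as a saved search over the table; expect to tune the thresholds, since large CDN, anti-spam and DNSSEC lookups also produce long, high-entropy names.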
Supported data types
Windows DNS Channel Logs
Table name: windows_dns_channel_logs
Windows DNS Channel logs are specialized event logs generated by the DNS Server service and categorized into different channels within Event Viewer. The main channels include Audit and Analytical. The Audit channel records security-related events such as DNS zone and record changes, and is typically enabled by default. The Analytical channel provides detailed, high-volume diagnostic data about DNS query processing and internal server operations. This channel is disabled by default and must be enabled manually for deep troubleshooting. These channels leverage the ETW infrastructure, allowing administrators to monitor, diagnose, and audit DNS server activity efficiently.
Windows DNS Debug Logs JSON
Table name: windows_dns_debug_logs_json
Before the introduction of DNS Analytical logs, DNS debug logging was used to monitor DNS transactions. Unlike Analytical logs, debug logging captures extremely detailed information about all DNS data sent and received by the server, similar to packet capture tools. Because debug logging can affect server performance and consume significant disk space, it is recommended to enable it only temporarily when detailed DNS transaction information is needed.
Send data to Hunters
Hunters supports the ingestion of Windows DNS logs via an intermediary AWS S3 bucket.
To connect Microsoft Windows DNS logs:
Export your logs from Microsoft-Windows-DNS to an AWS S3 bucket following this guide:
Know what you're exporting (Windows DNS has two common log types)
DNS Debug log
File is typically: %windir%\system32\dns\dns.log
Enabled/configured in DNS Manager → Server Properties → Debug Logging (resource intensive; usually temporary).
DNS Server Event channels (Windows Event Log)
Audit channel: Microsoft-Windows-DNS-Server/Audit (enabled by default per Microsoft).
Analytical channel: Microsoft-Windows-DNS-Server/Analytical (disabled by default; stored as an .etl under %SystemRoot%\System32\Winevt\Logs\...Analytical.etl).
Microsoft's step-by-step instructions for enabling the Analytical channel are in its DNS logging and diagnostics article (Event Viewer → View → Show Analytic and Debug Logs → right-click the Analytical log → Enable Log).
Export the DNS "channel logs" (Audit/Analytical) to files
On Windows, the standard CLI tool for exporting event logs is wevtutil, e.g. wevtutil epl <LogName> <path.evtx>.

```powershell
$OutDir = "C:\dns-log-export"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
# Audit (usually enabled)
wevtutil epl "Microsoft-Windows-DNS-Server/Audit" "$OutDir\DNS-Audit.evtx"
# Analytical (only if you enabled it in Event Viewer per the Microsoft doc)
wevtutil epl "Microsoft-Windows-DNS-Server/Analytical" "$OutDir\DNS-Analytical.evtx"
```

Caveat: analytic and debug channels are direct channels and cannot be queried or exported while enabled (wevtutil reports that the channel must first be disabled). Disable the Analytical channel with `wevtutil sl "Microsoft-Windows-DNS-Server/Analytical" /e:false`, export it, then re-enable it with `/e:true`. Also note that the exported .evtx files and the raw dns.log are not in the NDJSON format the Hunters tables expect (see Expected format below); the conversion has to happen in your forwarder or export pipeline before upload.

Export the DNS Debug log file (dns.log)
If you enabled Debug Logging, just copy the file (and consider compressing it):

```powershell
Copy-Item "$env:windir\System32\dns\dns.log" "C:\dns-log-export\dns.log" -ErrorAction SilentlyContinue
```
Upload to your S3 bucket (SSE-S3 or SSE-KMS)
S3 encrypts new uploads by default with SSE-S3 (AES-256) since January 5, 2023, unless your organisation enforces something else, such as SSE-KMS through a bucket policy.
If your bucket policy requires the encryption header to be sent explicitly, `aws s3 cp` supports `--sse AES256` or `--sse aws:kms`.
Upload example (AWS CLI)

```powershell
$Bucket = "s3://YOUR-BUCKET/prefix/windows-dns/$env:COMPUTERNAME/"
aws s3 cp "C:\dns-log-export\" $Bucket --recursive --sse AES256
```

AWS publishes official CLI examples for S3 transfers in the AWS CLI reference.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format.
Windows DNS Channel logs
```json
{
"date": 1765868107.510836,
"ProviderName": "Microsoft-Windows-DNS-Server-Service",
"Level": 4,
"ProviderGuid": "{11A111F5-AAAA-AAAA-886B-B5EAAA026AAE}",
"Qualifiers": "",
"EventID": 5504,
"Version": 0,
"UserID": "UserID\\SYSTEM",
"Task": 0,
"TimeCreated": "2025-12-15 22:55:05 -0800",
"EventRecordID": 776344831233284,
"ActivityID": "",
"RelatedActivityID": "",
"ThreadID": 6488,
"Channel": "DNS Server",
"Computer": "HOSTNAME.example.com",
"StringInserts": [
"X.X.X.X",
"FYAAAAAAN0022JNAAAAAJ889"
],
"Message": "The DNS server encountered an invalid domain name in a packet from X.X.X.X. The packet will be rejected. The event data contains the DNS packet.",
"ProcessID": 4092,
"Keywords": "0x8000000000000001",
"Opcode": 0,
"client_hostname": "HOSTNAME",
"client_forwarder_agent": "example-agent"
}
```

Windows DNS debug logs JSON
```json
{
"date": 1764720594.235422,
"SendReceiveIndicator": "Snd",
"RemoteIP": "1.1.1.1",
"QuestionType": "A",
"QFlagsRaw": "[0000 AA DOMAIN]",
"EventTime": "2025-11-19 18:58:13",
"ThreadId": "123345qwert",
"Opcode": "Q",
"Raw": "",
"QuestionName": "example.com",
"Regular": true,
"InternalPacketIdentifier": "123abc",
"QueryType": "response",
"Xid": "12we",
"Context": "PACKET",
"Protocol": "UDP",
"client_hostname": "xxxx",
"client_forwarder_agent": "xxxx"
}
```
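The export steps above leave dns.log as plain text, while the debug table expects NDJSON records like the sample just shown. The following converter is an added example, not Hunters' own forwarder code: it parses the packet lines of a debug log into records using the field names from that sample. The column layout follows Microsoft's documented dns.log format (date, time, thread ID, context, internal packet identifier, UDP/TCP, Snd/Rcv, remote IP, Xid, an "R" for responses, opcode, bracketed flags, question type, question name). The `client_hostname` and `client_forwarder_agent` values are supplied as parameters, the `date` field is left to the forwarder, `Regular: true` and `Raw: ""` are emitted as constants because the page does not define them, and the log excerpt is constructed.

```python
import json
import re
from datetime import datetime

# One dns.log packet line. Columns follow Microsoft's documented debug-log layout:
# date, time, thread ID, context, internal packet identifier, UDP/TCP, Snd/Rcv,
# remote IP, Xid, 'R' for responses (blank for queries), opcode, [flags],
# question type, question name in length-prefixed form.
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+(?P<context>\S+)\s+(?P<pktid>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<resp>R)?\s*(?P<opcode>[QNU?])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S*)\s*$"
)
# US-locale timestamps as written by the DNS service (assumption); extend for others.
TIME_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y %H:%M:%S")


def decode_qname(raw: str) -> str:
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'; '(0)' alone is the root."""
    name = re.sub(r"\(\d+\)", ".", raw).strip(".")
    return name or "."


def parse_event_time(date: str, time: str) -> str:
    """Normalise to the 'YYYY-MM-DD HH:MM:SS' form used by the EventTime field."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(f"{date} {time}", fmt).strftime("%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
    return f"{date} {time}"  # unrecognised locale: pass the original text through


def parse_line(line: str, client_hostname: str = "", agent: str = ""):
    """Return one record for a packet line, or None for headers, blanks and hex dumps."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    return {
        "EventTime": parse_event_time(m["date"], m["time"]),
        "ThreadId": m["thread"],
        "Context": m["context"],
        "InternalPacketIdentifier": m["pktid"],
        "Protocol": m["proto"],
        "SendReceiveIndicator": m["dir"],
        "RemoteIP": m["ip"],
        "Xid": m["xid"],
        "QueryType": "response" if m["resp"] else "query",  # 'R' column present?
        "Opcode": m["opcode"],
        "QFlagsRaw": "[" + m["flags"] + "]",
        "QuestionType": m["qtype"],
        "QuestionName": decode_qname(m["qname"]),
        "Regular": True,   # constants: the page's sample shows these values but
        "Raw": "",         # does not define them (assumption)
        "client_hostname": client_hostname,
        "client_forwarder_agent": agent,
    }


def convert(text: str, client_hostname: str = "", agent: str = "") -> list:
    """Parse a whole dns.log body; non-packet lines are dropped."""
    recs = (parse_line(line, client_hostname, agent) for line in text.splitlines())
    return [r for r in recs if r is not None]


def to_ndjson(records) -> str:
    """One JSON object per line, the shape the S3 collector expects."""
    return "\n".join(json.dumps(r) for r in records)


# Constructed excerpt in the dns.log layout: two header lines, a query/response pair
# over UDP, and a TXT query over TCP. Not real telemetry.
SAMPLE_DNS_LOG = """\
DNS Server log file creation at 11/19/2025 6:58:00 PM
Log file wrap at 11/19/2025 6:58:00 PM

11/19/2025 6:58:13 PM 0A2C PACKET  000000C4A4D5E5F0 UDP Rcv 10.0.0.7        12ab   Q [0001   D   NOERROR] A      (7)example(3)com(0)
11/19/2025 6:58:13 PM 0A2C PACKET  000000C4A4D5E5F0 UDP Snd 10.0.0.7        12ab R Q [8081   DR  NOERROR] A      (7)example(3)com(0)
11/19/2025 6:58:14 PM 0A2C PACKET  000000C4A4D5E6A0 TCP Rcv 10.0.0.9        00f3   Q [0001   D   NOERROR] TXT    (4)data(3)tun(7)example(3)org(0)
"""

if __name__ == "__main__":
    print(to_ndjson(convert(SAMPLE_DNS_LOG, "dns01", "example-agent")))
```

Run against a real dns.log, the output can be written to a .json file in the export directory before the `aws s3 cp` step. If "Details" logging is enabled the file also contains multi-line packet hex dumps; those lines do not match the packet pattern and are dropped, so only the summary line per packet is emitted.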