This article explains how to ingest your on-premise Windows DNS Debug Logs to Hunters. These logs hold information on DNS queries (including the queried domain), from Windows Servers in which this role is enabled. Such information is important for Enterprise security coverage and can help in revealing malicious communication.
For Hunters to integrate with your on-prem Windows DNS Debug Logs, the logs should be collected to a Storage Service (e.g. to an S3 bucket or Azure Blob Storage) shared with Hunters.
In each log file, the events should be separated by a new-line, where each event has a standard format as in the following example:
4/20/2021 20:04:21 PM 09B0 PACKET 00000000014E0010 UDP Snd 192.168.1.200 3122 R Q [8081 DR NOERROR] A (7)hunters(2)ai(0)