Microsoft DNS Server
Version: Windows Server 2008 R2 and later.
A DNS server hosts the information that enables client computers to resolve memorable, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.
Netsurion’s Open XDR platform supports Windows DNS Server. It monitors configuration changes, policy changes, and the creation, deletion and modification of resource records and zones. It also generates alerts for configuration changes, deletion of zones and resource records, and when the DNS Server service is down.
Netsurion Open XDR’s in-depth monitoring of DNS logs helps you detect access to malicious sites from client machines. Netsurion Open XDR compares the DNS queries generated by DNS clients with a periodically updated malicious site database and generates an alert identifying the client that accessed such a site. It also gives geolocation information about the malicious site (IP, country).
Netsurion Open XDR can detect access to DGA (domain generation algorithm) domains, which are used as command and control for malware. Netsurion Open XDR’s statistical monitoring of queries, clients, record types and errors helps you detect many DNS DDoS attacks, such as NXDOMAIN attacks, phantom domain attacks and random sub-domain attacks. Netsurion’s Open XDR platform also monitors client DNS settings, which helps detect DNS hijacking: it generates an alert for suspicious client DNS settings that identifies the client as well as its DNS settings. The Netsurion Open XDR flex dashboard helps you correlate attack detection data with client details, which eases the detection of attacks.
Netsurion Data Source Integrations for Microsoft DNS Server allow you to monitor the following:
- Security – DNS record resolution activities, suspicious DNS settings, DGA detection and malicious site detection.
- Compliance – DNS server configuration.
- Operations – changes in zones and resource records, and DNS service down.
Once logs are received in Netsurion Open XDR, alerts and reports can be configured in Netsurion Open XDR.
The following are the key Data Source Integrations available in Netsurion Open XDR.
Alerts
Type | Name | Description |
---|---|---|
Security | Microsoft DNS – Object deletion in zone | This alert is generated when zones or resource records are deleted. |
Security | Microsoft DNS – Name resolution failed | This alert is generated when the DNS server fails to resolve an FQDN. |
Security | Microsoft DNS – Malformed domain detected | This alert is generated when EventTracker detects malformed (typosquatted) domains in queries from the DNS logs. |
Security | Microsoft DNS – Snort high priority alert generated | This alert is generated when Snort detects high priority alerts for DNS. |
Security | Microsoft DNS – DGA domain detected | This alert is generated when EventTracker detects DGA (domain generation algorithm) domains in the DNS logs. |
Security | Microsoft DNS – Suspicious DNS settings detected | This alert is generated when a client’s DNS settings differ from the recommended settings. |
Security | Microsoft DNS – Malicious domain detected | This alert is generated when malicious domains are detected in the DNS logs. |
Operations | Microsoft DNS – Service down | This alert is generated when the DNS server is down. |
Operations | Microsoft DNS – High DNS server latency detected | This alert is generated when the latency of the DNS server is greater than the threshold value. |
Operations | Microsoft DNS – High error query count detected for domain | This alert is generated when the error query count is greater than the threshold for a particular domain. |
Operations | Microsoft DNS – High error query count detected for type | This alert is generated when the error query count is greater than the threshold for a particular record type. |
Operations | Microsoft DNS – High error query count detected from client | This alert is generated when the error query count is greater than the threshold for a particular client. |
Operations | Microsoft DNS – High query count detected for record type | This alert is generated when the successful query count is greater than the threshold for a particular record type. |
Operations | Microsoft DNS – High query count detected from client | This alert is generated when the successful query count is greater than the threshold for a particular client. |
Operations | Microsoft DNS – High query count detected from domain | This alert is generated when the successful query count is greater than the threshold for a particular domain. |
Compliance | Microsoft DNS – Configuration changes | This alert is generated when configuration changes happen in Microsoft DNS Server. |
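The error-count alerts above (and the NXDOMAIN/random sub-domain detection described earlier) reduce to counting error responses per client and per domain and comparing against a threshold. The following is an added illustration, not Netsurion’s code: it parses constructed response lines laid out like a Windows DNS Server debug log (the field layout and the threshold of 3 are assumptions for this example) and flags clients and parent domains at or above the threshold.

```python
import re
from collections import Counter

# Constructed sample responses in the layout of a Windows DNS Server debug log
# ("Snd" = server answer, "R Q" = response to a query); names and IPs are made up.
SAMPLE_LOG = """\
3/5/2020 10:10:05 AM 0E28 PACKET  000000A1D7D8B0E0 UDP Snd 192.168.1.10   0005 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/5/2020 10:10:06 AM 0E28 PACKET  000000A1D7D8B0E0 UDP Snd 192.168.1.55   0006 R Q [8385 A DR NXDOMAIN] A      (6)a1b2c3(7)example(3)com(0)
3/5/2020 10:10:06 AM 0E28 PACKET  000000A1D7D8B0E0 UDP Snd 192.168.1.55   0007 R Q [8385 A DR NXDOMAIN] A      (6)z9y8x7(7)example(3)com(0)
3/5/2020 10:10:07 AM 0E28 PACKET  000000A1D7D8B0E0 UDP Snd 192.168.1.55   0008 R Q [8385 A DR NXDOMAIN] A      (6)q2w3e4(7)example(3)com(0)
3/5/2020 10:10:07 AM 0E28 PACKET  000000A1D7D8B0E0 UDP Snd 192.168.1.20   0009 R Q [8081   DR  NOERROR] AAAA   (4)mail(7)example(3)com(0)
3/5/2020 10:10:08 AM 0E28 PACKET  000000A1D7D8B0E0 UDP Snd 192.168.1.20   000A R Q [8385 A DR NXDOMAIN] A      (5)typo1(7)exmaple(3)com(0)
"""

# Matches the transport, client IP, XID, "R Q", the bracketed flags/rcode, qtype and wire-format qname.
RESPONSE_RE = re.compile(
    r"(?:UDP|TCP) Snd (?P<client>\S+)\s+[0-9A-F]+ R Q "
    r"\[[0-9A-F]{4}\s+[A-Z ]*?(?P<rcode>[A-Z]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

def decode_name(wire):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", wire) if lbl]
    return ".".join(labels)

def parse_responses(text):
    """Yield (client_ip, rcode, qtype, fqdn) for each response line that matches."""
    for line in text.splitlines():
        m = RESPONSE_RE.search(line)
        if m:
            yield m["client"], m["rcode"], m["qtype"], decode_name(m["qname"])

def error_counts(text, error_rcodes=("NXDOMAIN", "SERVFAIL", "REFUSED")):
    """Count error responses per client and per parent domain (last two labels)."""
    per_client, per_domain = Counter(), Counter()
    for client, rcode, _qtype, fqdn in parse_responses(text):
        if rcode in error_rcodes:
            per_client[client] += 1
            per_domain[".".join(fqdn.split(".")[-2:])] += 1
    return per_client, per_domain

def flag_over_threshold(counter, threshold):
    """Return the keys whose error count meets the threshold, sorted for stable output."""
    return sorted(k for k, n in counter.items() if n >= threshold)

if __name__ == "__main__":
    clients, domains = error_counts(SAMPLE_LOG)
    print(flag_over_threshold(clients, 3), flag_over_threshold(domains, 3))
```

Counting per record type (the "for type" alert) is the same loop keyed on the `qtype` field; in production the counters would be reset per time window rather than kept for the whole file.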
Reports
Type | Name | Description |
---|---|---|
Security | Microsoft DNS – Name resolution successfully | This report provides information related to the FQDN or IP address, query type (forward or reverse lookup) and status of the query when the query is successfully resolved by the DNS server. |
Security | Microsoft DNS – Name resolution failed | This report provides information related to the FQDN or IP address, query type (forward or reverse lookup) and status of the query when the query fails to resolve on the DNS server. |
Security | Microsoft DNS(2012) – Name resolution successfully | This report provides information related to the FQDN or IP address, query type (forward or reverse lookup) and status of the query when the query is successfully resolved by the DNS server. |
Security | Microsoft DNS(2012) – Name resolution failed | This report provides information related to the FQDN or IP address, query type (forward or reverse lookup) and status of the query when the query fails to resolve on the DNS server. |
Security | Microsoft DNS – Malicious domain detection details | This report provides information related to the detection of malicious domains from DNS logs. It gives the malicious domain, the client trying to access it, its record type and when the client tried to access it. |
Security | Microsoft DNS – Malformed domain detection details | This report provides information related to the detection of malformed domains from DNS logs. It gives the malformed domain, its method of creation (typosquatting method), the client trying to access such a domain and its geolocation details. |
Security | Microsoft DNS – Suspicious dns settings detection details | This report provides information related to suspicious client DNS settings. It gives the client having suspicious DNS settings and its DNS settings. |
Security | Microsoft DNS – DGA domain detection details | This report provides information related to the detection of DGA domains from DNS logs. It gives the DGA domain details (FQDN and its IP) and client details. |
Security | Microsoft DNS – Least resolved domain details | This report provides information about the least resolved domains in a network. It gives the least resolved domains from the DNS server and client details. |
Security | Microsoft DNS – Server latency details | This report provides information about the latency of the configured DNS servers (private and public DNS). It gives each DNS server and its latency. |
Operations | Microsoft DNS – Zone creation, deletion and updating | This report provides information related to the zone name and its setting details (such as lookup type, replication scope, etc.) when zones are created, deleted or modified. |
Operations | Microsoft DNS – Error type count details | This report provides information about the error query count for a particular error type. It gives details of the error type and the count of queries for it. |
Operations | Microsoft DNS – Error client count details | This report provides information about the error query count for a particular client. It gives details of the client IP address and the count of queries for it. |
Operations | Microsoft DNS – Summary client count details | This report provides information about the successful query count for a particular client. It gives details of the client IP address and the count of queries for it. |
Operations | Microsoft DNS – Summary query count details | This report provides information about successful queries for a particular FQDN resolution request. It gives details of the FQDN requested and its count. |
Operations | Microsoft DNS – Error query count details | This report provides information about error queries for a particular FQDN resolution request. It gives details of the FQDN requested and its count. |
Operations | Microsoft DNS – Traffic details | This report provides information about all query requests to the DNS server. It gives details of the query request (FQDN, record type) and client details (IP address). |
Operations | Microsoft DNS – Summary record type details | This report provides information about successful queries for a particular record type. It gives details of the record type requested and the count of queries. |
Compliance | Microsoft DNS – Configuration changes | This report provides information related to configuration changes that happen in Microsoft DNS Server and who made them. |
Compliance | Microsoft DNS – Resource record creation and deletion | This report provides information related to the query name, zone and scope details, and TTL values when resource records are created or deleted. |
Documentation
The configurations detailed are consistent with Netsurion Open XDR 8.x and later, Windows Server 2008 and later.
Download the Integration Guide and How-to Guide for configuration instructions and more information.