Microsoft DNS Server

Version: Windows server 2008 R2 and later.

A DNS server hosts the information that enables client computers to resolve memorable, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

Netsurion's Open XDR platform supports Windows DNS Server. It monitors configuration changes, policy changes, creation, deletion and modification in resource records and zones. It also generates alert for changes in configuration, deletion of zones and resource records and also when DNS server services is down.

Netsurion's Open XDR platform intelligent in-depth monitoring of DNS logs helps you to detect the access of malicious site from client machine. Netsurion's Open XDR platform compares the DNS queries generated by DNS client with malicious site database (periodically updated) and generates alert about the client which accessed it. it also gives geological information about that malicious site (IP,Country).

Netsurion's Open XDR platform is capable to detect the access of DGA (Domain generated algorithm) domains which are used as command controls for malware. Netsurion's Open XDR platform statistics monitoring of query, client,record type and error will help you to detect many DDOS attacks like (NXDOMAIN attack, Phantom domain attack, Random sub-domain attack,etc). Netsurion's Open XDR platform monitoring of client DNS setting will help to detect DNS hijacking and generate alert for suspicious DNS setting of client which gives information about client as well as it's DNS setting. Netsurion's Open XDR platform flex dashboard helps you correlate attack detection data and client details which eases the detection of attack.

Netsurion Data Source Integrations for Microsoft DNS Server allows you to monitor the following:-

  • Security - DNS record resolution activities,Suspicious DNS setting, DGA Detection and malicious site detection.
  • Compliance - DNS server configuration.
  • Operations - changes in zones and resource records and DNS service down.

Once logs are received in to Netsurion, Alerts and reports can be configured into Netsurion.

Some of the Data Source Integrations available in Netsurion are listed below.

Alerts

Type Name Description
Security Microsoft DNS - Object deletion in zone This alert is generated when zones or resource records are deleted.
Security Microsoft DNS - Name resolution failed This alert is generated when DNS server fails to resolve the FQDN.
Security Microsoft DNS - Malformed domain detected This alert is generated when EventTracker detect malformed (typosquatted) domains from queries in the DNS logs.
Security Microsoft DNS - Snort high priority alert generated This alert is generated when Snort detected high priority alerts for DNS.
Security Microsoft DNS - DGA domain detected This alert is generated when EventTracker detect DGA(Domain generated algorithm) domains from DNS logs.
Security Microsoft DNS - Suspicious DNS settings detected This alert is generated when DNS setting of client is other than recommended settings.
Security Microsoft DNS - Malicious domain detected This alert is generated when malicious domain are detected from DNS logs.
Operations Microsoft DNS - Service down This alert is generated when DNS server is down.
Operations Microsoft DNS - High DNS server latency detected This alert is generated when latency of DNS server is greater than threshold value.
Operations Microsoft DNS - High error query count detected for domain This alert is generated when error query count is greater than threshold for a particular domain.
Operations Microsoft DNS - High error query count detected for type This alert is generated when error query count is greater than threshold for a particular record type.
Operations Microsoft DNS - High error query count detected from client This alert is generated when error query count is greater than threshold for a particular client.
Operations Microsoft DNS - High query count detected for record type This alert is generated when successfully query count is greater than threshold for a particular record type.
Operations Microsoft DNS - High query count detected from client This alert is generated when successfully query count is greater than threshold for a particular client.
Operations MicrosoftDNS - High query count detected from domain This alert is generated when successfully query count is greater than threshold for a particular domain.
Compliance Microsoft DNS - Configuration changes This alert is generated when configuration changes happens in Microsoft DNS Server.

Reports

Type Name Description
Security Microsoft DNS - Name resolution successfully This report provides information related to FQDN or IP address, query type (forward lookup or reverse), status of query when the query is successfully resolved from DNS Server.
Security Microsoft DNS - Name resolution failed This report provides information related to FQDN or IP address, query type (forward lookup or reverse), status of query when the query fails to resolve from DNS Server.
Security Microsoft DNS(2012) - Name resolution successfully This report provides information related to FQDN or ip address, query type(forward lookup or reverse), status of query when query successfully resolved from DNS Server.
Security Microsoft DNS(2012) - Name resolution failed This report provides information related to FQDN or ip address, query type(forward lookup or reverse), status of query when query fail to resolve from DNS Server.
Security Microsoft DNS - Malicious domain detection details This report provides information related to detection of malicious domain from DNS logs. it gives information about malicious domain, client trying to access, it's record type and when client trying to access it.
Security Microsoft DNS - Malformed domain detection details This report provides information related to detection of malformed domain from DNS logs. It gives information about malformed domain, method of creation typosquatted methods), client trying to access such domain and it's geological details.
Security Microsoft DNS - Suspicious dns settings detection details This report provides information related to suspicious client DNS setting. it gives information for client having suspicious DNS setting and it's DNS settings.
Security Microsoft DNS - DGA domain detection details This report provides information related to detection of DGA domains form DNS logs. it gives information for DGA domain details(FQDN and it's IP) and client details.
Security Microsoft DNS - Least resolved domain details This report provides information about least resolved domain in a network. it gives information for least domains resolved from DNS server and client details.
Security Microsoft DNS - Server latency details This report provides information about latency of provided DNS (private and public DNS). It gives information for DNS server and it's latency.
Operations Microsoft DNS - Zone creation, deletion and updating This report provides information related to zone name and its setting details (like lookup type, replication scope, etc) when zones are created, deleted or modified.
Operations Microsoft DNS - Error type count details This report provides information about error queries count for a particular error type. it gives details of error type and count of query for it.
Operations Microsoft DNS - Error client count details This report provides information about error queries count for a particular client. It gives details of client IP address and count of query for it.
Operations Microsoft DNS - Summary client count details This report provides information about successfully query count for a particular client. it gives details of client IP address and count of query for it.
Operations Microsoft DNS - Summary query count details This report provides information about successfully query for a particular FQDN resolution request. it gives details of FQDN query requested and it's count.
Operations Microsoft DNS - Error query count details This report provides information about error query for a particular FQDN resolution request. it gives details of FQDN query requested and it's count.
Operations Microsoft DNS - Traffic details This report provides information about all query request to DNS server. it gives details of query request (FQDN, record type) and client details (IP address).
Operations Microsoft DNS - Summary record type details This report provides information about successfully query for a particualr record type. it gives details of record type requested and count of queries.
Compliance Microsoft DNS - Configuration changes This report provides information related to configuration changes that happen in Microsoft DNS Server and also by whom.
Compliance Microsoft DNS - Resource record creation and deletion This report provides information related to query name, zone and scope details and TTL values of creation or deletion of resource records.

Documentation:

The configurations detailed are consistent with Netsurion version 8.x and later, windows server 2008 and later.

Download Integration Guide and How-to Guide for more information and to configuration instructions.

This site uses cookies to store information on your computer. Some are essential to make our site work; others help us improve the user experience. By using the site, you consent to the placement of these cookies. Read our Privacy Statement to learn more.

I Accept