Windows 10: Sysmon update introduces DNS Query Logging

Discussion in 'Windows 10 News' started by GHacks, Jun 10, 2019.

  1. GHacks (New Member)

    Sysmon update introduces DNS Query Logging


    A new version of the Sysmon tool will be released on Tuesday 11, 2019 that introduces DNS query logging to the Windows system monitor.

    Mike Russinovich, the creator of the tool and Microsoft Azure CTO, teased the new feature in a message on Twitter on June 8, 2019.

    The system monitor Sysmon extends the functionality of the Windows Event log by monitoring the system for certain events and writing them to the event log.

    Tip: check out our review of Sysmon 5 to get a better understanding of the free application.

    Sysmon: DNS query logging

    [Image: sysmon-dns-query-logging.png]

    The next Sysmon release introduces support for DNS query logging. Russinovich published a screenshot on Twitter that showcases the new feature. The screenshot shows logged DNS queries and information about one of the logged queries.

    Particularly interesting is the linking of the query to a specific executable on the system and that DNS query responses are logged as well. The value of "Image" reveals the program that initiated the query.

    The Windows Event Log supports the logging of DNS queries but it needs to be enabled first before Windows starts logging these events, and does not highlight the executable file that initiated the query.

    Here is how you enable DNS logging on Windows:

    1. Use Windows-R to open the run box on the system.
    2. Type eventvwr.msc and tap on the Enter-key to load the Event Viewer.
    3. Navigate the following path: Applications and Service Logs > Microsoft > Windows > DNS Client Events > Operational
    4. Right-click on Operational, and select Enable Log.

    Closing words


    The new Sysmon feature improves DNS query logging on Windows. Especially the logging of executable filenames and paths should be welcome as it makes it easier to identify the programs a DNS query originated from.

    Regularly going through the DNS query log could highlight programs that potentially leak information or are dangerous. The feature may also be useful when it comes to the logging of software installations or updates to verify what is happening in the background.

    The new version of Sysmon will be published on Microsoft's Sysinternals website.

    Now You: do you analyze DNS queries? (via Bleeping Computer)

    GHacks, Jun 10, 2019
    #1
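Added example, not part of the GHacks article or of Sysmon's own documentation: the DNS Client log enablement described above done from the command line, followed by a query that pulls Sysmon's DNS events (Event ID 22, the event type shown in the screenshot) and groups them by the originating Image. It assumes Sysmon 10 or later is installed and configured with the DnsQuery filter shown in the comment; the file name sysmon-dns.xml, the 24-hour window and the "usual paths" regex are arbitrary choices for illustration.

```powershell
# Added example (not from the GHacks article): enable the built-in DNS Client
# Operational log, then pull Sysmon Event ID 22 (DnsQuery) records and group
# them by the originating executable. Run from an elevated PowerShell prompt
# on a host where Sysmon 10 or later is installed with DNS logging enabled.
#
# Assumed Sysmon config fragment (schema 4.22 or later), saved as sysmon-dns.xml
# and applied with:  sysmon64.exe -c sysmon-dns.xml
#   <Sysmon schemaversion="4.22">
#     <EventFiltering>
#       <DnsQuery onmatch="exclude" />
#     </EventFiltering>
#   </Sysmon>
# An empty "exclude" rule set means every DNS query is logged.

# --- 1. The built-in log the article enables via Event Viewer, from the CLI ---
wevtutil set-log "Microsoft-Windows-DNS-Client/Operational" /enabled:true

# --- 2. Sysmon Event ID 22: DNS query plus the Image that issued it ---
$since  = (Get-Date).AddHours(-24)          # arbitrary lookback window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22
    StartTime = $since
}

# Flatten the EventData <Data Name="..."> elements into one object per query.
$dns = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        UtcTime      = $d['UtcTime']
        Image        = $d['Image']
        ProcessId    = $d['ProcessId']
        QueryName    = $d['QueryName']
        QueryStatus  = $d['QueryStatus']
        QueryResults = $d['QueryResults']
    }
}

# Which executables resolve names, and how many distinct names each asked for.
$dns | Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'DistinctNames'; e = { ($_.Group.QueryName | Sort-Object -Unique).Count } },
        Name |
    Format-Table -AutoSize

# Executables outside the Windows and Program Files trees that still resolve
# names: a cheap first filter for "what is this program talking to?"
$dns | Where-Object { $_.Image -notmatch '^C:\\(Windows|Program Files( \(x86\))?)\\' } |
    Select-Object UtcTime, Image, QueryName, QueryResults |
    Format-Table -Wrap
```

QueryResults holds the answer records (with a numeric type prefix, e.g. `type: 5` for a CNAME), so the same object list can be filtered on the resolved address as well as on the queried name.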

  2. DNS problems with router

    A couple suggestions I have for you:

    Update the firmware on the router. Maybe it's getting into a bad state, and a firmware update might fix it. Or if you're comfortable with it, install a custom firmware like dd-wrt. Just make sure it's supported on your router first.

    Change your DNS to: 8.8.8.8, 4.2.2.1. Might help.

    If none of these work, maybe statically set your DNS on your PS3/PC to the IPs you listed, taking the router out of the lookup procedure.

    Last option, is look for a new router.
     
    Hybrid_theory, Jun 10, 2019
    #2
  3. Solaris17 Win User
    Safe DNS Project

    Fighting my first DDoS DNS amplification attack.

    In the wee hours of the morning last night I was logging into my sister server that I also run the same project on. This server specifically is more than just a few numbers. This one has an actual domain name attached to it.

    Upon logging in I discovered this.

    [Image]


    Excited it was getting some use I glanced over at the users. Several domains and IPs were showing up. However something caught me off guard. The queries blocked had not changed much, which is odd for DNS queries of this magnitude. The graph also took a different turn, skyrocketing in what appeared to be minutes.

    I decided to dig in to the query logs and found that these "users" were making thousands of queries a minute to a domain called leth.cc. After a quick visit it appeared to be innocent enough, however it also didn't seem popular enough to warrant the connections.

    I decided to take a further look and ran a search on the domain. Someone else had also noted that they were getting thousands of DNS queries to the same domain. My first thought was that this might be some kind of gaming network. Possibly some kind of multiplayer card game or something. This still struck me as odd since they would certainly have their own infrastructure and would not rely on a third-party DNS server like my own to support them. Looking into them further revealed they were nothing of the sort.

    At this point I was looking at numbers around 1 million. Then something occurred to me. This wasn't an oddity or a lucky send-off for what could be a successful DNS service built from my desk. This was a reflection attack and I was sending thousands of unsolicited DNS queries to some random website.

    Having already been in the middle of my company's maintenance window and working on company infrastructure on top of being exhausted I decided to do the only thing I had the energy left to do. I blocked the URL, preventing the requests from reaching the host. While I was probably one of hundreds or thousands of open DNS servers targeting this poor company's website I certainly wasn't going to let that statistic continue. My server wasn't breathing too heavy even with these numbers and legit queries weren't slowed, I blacklisted the site and started off to bed. My ending numbers looked like this.


    [Image]


    In the morning the company is open for a few hours so I have a small window in which I don't need to worry about my infrastructure. I decided to take a look at DNS server to see what the damage was.

    I don't have pictures but the attack had continued overnight. From around 1:30 AM EST to 8:30 AM EST I had generated more than 5.3 million blocked queries, 99% of them being this one domain.

    By this time things had started to get bad. The system was still very much responsive but disk I/O was high, causing all lookups to take an abnormally long time. Almost a full second. This meant the browsing experience was slow since the cached lookups were having a hard time responding. The amount of queries coming in per second was causing expiration times to not matter. They were being added faster than they were being purged.

    At this point in time I had a choice. My upstream provider had not caught this and as such it was not being filtered. I had blocked forwards to that specific domain so I was no longer contributing to whatever attack they may be under. However my own services were starting to suffer because of the attack.

    A few things sprung to mind. This isn't MY particular area of security and as such I'm pretty inexperienced in the more advanced protections for DNS. Specifically provider level. The things that came to mind were:

    • Disable IPV6 traversing on this server since thousands of requests were coming from IPV6 clients.
    • Limit my EDNS packets to 512 bytes (They normally carry LARGE data sets)
    • Limit my query times per requestor
    • Block ANY requests via DNS
    • IDS/IPS blacklist hosts
    All of this would help mitigate the issue however some of it was too deep for me to jump into right away given this service is currently providing for a few key test clients.

    To temporarily fix this I had to change its nature from a free/open DNS service to a private service.

    To do this I had to deny all port 53 (DNS) access on my firewall and instead get the specific IPs (thankfully static) of my clients and whitelist those as being able to access port 53.

    This worked immediately and queries dropped. However I now need to go into how to properly secure the server from being abused since I already make sure the clients are safe.

    The internet is a scary place when you look at the logs. Maybe it was providing a domain name to the server itself that made it so easily found by bots?

    THIS DID NOT AFFECT THE SERVER DISPLAYED ABOVE
     
    Solaris17, Jun 10, 2019
    #3
  4. Solaris17 Win User

    Safe DNS Project

    Hey everyone! I am running a usability experiment to see how naive it might be to provide everyday users the ability to browse the internet in a safer manner.

    To accomplish this I am running a public DNS server that is running Pi-Hole with extended definitions.

    This experiment ties in directly with the guide I'm currently writing here:

    Guide: Global Network DNS blacklisting (Pi-Hole)

    To do this, I am hosting a small virtual server on Digital Ocean. I am using my own funds to give it a shot.

    The Pi-Hole software is free and currently we are here with functionality.


    [Image]


    I run some extra definition lists on the Pi, which caches and remembers its DNS requests. Whenever the Pi doesn't know something I take this a step further and the forward addresses point to OpenDNS family safe servers. Which according to OpenDNS block the following:

    The goal of this is simple.

    • Can I or another organization or entity use free products to provide a safer internet to users without charging them a ludicrous amount of money?
    • How effective is it?
    • Can it be done at a low or no cost?
    To answer these questions I would like to invite feedback on the project if you decide to join. I am looking for the following.

    • Response time ok
    • false positives
    • does this inhibit your browsing habits within reason?
    Here are some examples of what this blocks.

    • Telemetry
    • malware domains
    • ad domains
    • pornographic and other non-PG domains
    DNS in itself isn't a perfect system, but I would REALLY like to understand how feasible a project like this could be. If you would like to join, the DNS server IP in question is this.

    45.55.35.57

    (I currently only route IPV4)
    ​I DO NOT keep any private or identifying information.
     
    Solaris17, Jun 10, 2019
    #4