To enable DNS diagnostic logging
By default, where are the DNS debug logs written to? The %SYSTEMROOT%\System32\Dns folder. After a DNS zone has been secured with DNSSEC, what additional data will be returned to a client as a result of a query?
DNS debug logging. Why would you use DNS debug logging? The answer is to track down problems with DNS queries, updates or notification errors. In my case we were in the process of transitioning Windows 2003 domain controllers to Windows 2008 R2 domain controllers.
Select and enable debug logging options on the DNS server. To view and read a DNS server debug log file: remove the first 30 lines or so (up to the first DNS query) and save the file; then remove blank lines and save again.
When the rollover occurs, dns.exe creates a backup of the debug log file under C:\Windows\System32\dns\backup\dns.log and then recreates the debug log file by deleting it and opening it again for read/write.
Prior to the introduction of DNS analytic logs, DNS debug logging was the available method to monitor DNS transactions. DNS debug logging is not the same as the enhanced DNS logging and diagnostics feature discussed in this topic. Debug logging is discussed here because it is also a tool that is available for DNS logging and diagnostics. See Using server debugging logging options for more information about DNS debug logging. The DNS debug log provides extremely detailed data about all DNS information that is sent and received by the DNS server, similar to the data that can be gathered using packet capture tools such as Network Monitor. Debug logging can affect overall server performance and also consumes disk space; therefore it is recommended to enable debug logging only temporarily, when detailed DNS transaction information is needed.
Right-click DNS-Server, point to View, and then click Show Analytic and Debug Logs. The Analytical log will be displayed.
You can use ETW consumers such as tracelog.exe with DNS server audit and analytic events by specifying a GUID of {EB79061A-A566-4698-9119-3ED2807060E7}.
DNS server audit events enable change tracking on the DNS server. An audit event is logged each time server, zone, or resource record settings are changed. This includes operational events such as dynamic updates, zone transfers, and DNSSEC zone signing and unsigning. The following table summarizes DNS server audit events.
If the DNS server is running Windows Server 2012 R2, download the hotfix from https://support.microsoft.com/kb/2956577.
Very high-level events are recorded in the event log. These might include one message for each major task performed by the service. Use this setting to begin an investigation when the location of the problem is in doubt, for example a scavenger thread was started.
Enhanced DNS logging and diagnostics is available by default in Windows Server® 2016 Technical Preview. This feature is also available in Windows Server® 2012 R2 when you install the query logging and change auditing hotfix, available from https://support.microsoft.com/kb/2956577.
After you've used DNS debug logging on removable media, removed the media and then restarted the Windows Server installation acting as DNS server, the DNS Service no longer starts.
When you suspect problems with the Domain Name System (DNS) Service, the records it keeps and scavenges, or the errors it encounters but doesn't report in the event logs, you can enable DNS debug logging.
When you’ve used removable media to store the logged information, you can safely remove it.
In the Log file path and name box, specify the name of the text file you want to log all events to. By default, the size of the DNS log is limited to 500 MB. After this limit is reached, old DNS lookup events are overwritten by new ones.
A DNS lookup query returned the client IP address of the requested host.
Note that on highly loaded Windows DNS hosts, DNS query logging can add extra load on the CPU, RAM, and storage (disk performance must be sufficient).
You can export the file to Excel and use it to analyze DNS queries (the file contains host IP addresses and DNS names they requested from your DNS server).
In this example, we used text files to collect DNS logs. In Windows Server 2012 and newer you can log DNS queries directly to the Event Viewer (Microsoft-Windows-DNS-Server/Audit). But in my opinion, text DNS logs are much easier to analyze.
The Windows DNS debug log contains information on DNS queries and activity that can be important to monitor and analyze to detect malicious traffic. This requires some configuration changes for the DNS service in order to enable debug logging. Here is a short description of how to enable debug logging for the DNS service on Windows; this also applies to Windows 2008 and later. It is possible to specify the file and path name of the DNS debug log file as well as the maximum size of the file.
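As an added example (not code from the original page or from any of the sources it quotes), the following Python parses packet lines in the Windows DNS debug log so the host IP addresses and requested names mentioned above can be analyzed without the manual "remove the first 30 lines" step; it decodes the label-length names and summarizes queries per client and NXDOMAIN answers. The log lines are constructed samples, and the column layout is assumed from the Windows Server 2008 R2 and later debug log packet format.

```python
import re
from collections import Counter

# Constructed sample in the Windows DNS debug log packet format (not from the
# original page): date, time, thread id, context, packet id, protocol,
# direction, remote IP, XID, Q/R flag, opcode, [flags rcode], qtype, qname.
SAMPLE_LOG = """\
DNS Server log file creation at 3/18/2024 9:00:01 AM
Message logging key (for packets - other items use a subset of these fields):
3/18/2024 9:00:05 AM 0B4C PACKET  000000D3A2B4C160 UDP Rcv 10.1.1.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/18/2024 9:00:05 AM 0B4C PACKET  000000D3A2B4C160 UDP Snd 10.1.1.5        0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/18/2024 9:00:06 AM 0B4C PACKET  000000D3A2B4C2F0 UDP Rcv 10.1.1.7        0003   Q [0001   D   NOERROR] TXT    (8)zzq9x7a1(9)lookup-me(4)test(0)
3/18/2024 9:00:06 AM 0B4C PACKET  000000D3A2B4C2F0 UDP Snd 10.1.1.7        0003 R Q [8385 A DR NXDOMAIN] TXT    (8)zzq9x7a1(9)lookup-me(4)test(0)
3/18/2024 9:00:07 AM 0B4C PACKET  000000D3A2B4C3A0 UDP Rcv 10.1.1.5        0004   Q [0001   D   NOERROR] AAAA   (4)mail(7)example(3)com(0)
"""

# One packet line; the file header and blank lines simply do not match.
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<thread>[0-9A-Fa-f]+) PACKET\s+\S+ "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+) "
    r"(?P<qr>[R ]) (?P<opcode>\S) \[(?P<flags>[^\]]*?)\s*(?P<rcode>\S+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\(.*\(0\))\s*$"
)

def decode_name(label_form: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", label_form)
    return ".".join(text for length, text in labels if int(length) > 0)

def parse_debug_log(text: str) -> list:
    """Return one dict per packet line; header lines are skipped automatically."""
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # header, blank, or non-packet diagnostic line
        rec = m.groupdict()
        rec["name"] = decode_name(rec["name"])
        rec["response"] = rec.pop("qr") == "R"  # 'R' marks a response packet
        records.append(rec)
    return records

def queries_per_client(records: list) -> Counter:
    """Count inbound queries (received, not responses) per client IP."""
    return Counter(r["ip"] for r in records if r["dir"] == "Rcv" and not r["response"])

def nxdomain_names(records: list) -> set:
    """Names the server answered NXDOMAIN for, as a review list for analysts."""
    return {r["name"] for r in records if r["response"] and r["rcode"] == "NXDOMAIN"}
```

The same parser works on a real debug log file read from the path configured in the DNS server's debug logging settings; the header lines and any blank lines are ignored rather than needing to be deleted by hand.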
When the debug log file path is configured to use a different drive than C: (systemroot), the file needs to be copied byte-by-byte to the backup folder.
When the rollover occurs, dns.exe creates a backup of the debug log file under C:\Windows\System32\dns\backup\dns.log and then recreates the debug log file by deleting it and opening it again for read/write. Unfortunately NXLog is still reading data from the file and holds an open handle, so the delete operation does not complete until NXLog is done reading the file and closes it. The DNS service tries to create the new file but receives a DELETE PENDING error, and this causes the debug log file to disappear.
Here you can see that dns.exe invokes the SetRenameInformationFile operation. The reason for this is that the backup folder resides on the same drive, thus the file is simply renamed (moved) and while nxlog.exe can finish reading from the renamed file, dns.exe will be able to recreate the debug log file.
The default behavior of NXLog's im_file module is to keep the monitored file open. The CloseWhenIdle configuration option can be used to instruct it to close the log file after it's done reading the file. Unfortunately this does not solve the disappearing DNS log file issue.
The DNS debug log only disappears if it is monitored, so the conclusion would be to blame the log monitoring tool. The im_file module in NXLog does not delete files and it does not lock log files. Files are opened with READ access only. NXLog and most other log collectors work fine collecting log files being written by most other software.
Unfortunately, the only solution at this point looked to be fixing the DNS service. The DNS service should tolerate the DELETE PENDING error and wait until the delete completes. Better yet, it should create a different file, as some other services are capable of doing.
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Open an elevated Windows PowerShell prompt on the DNS server where you wish to enable event logging.