Sysmon update introduces DNS Query Logging - gHacks Tech News

A new version of the Sysmon tool will be released on Tuesday, June 11, 2019 that introduces DNS query logging to the Windows system monitor.

Mark Russinovich, the creator of the tool and Microsoft Azure CTO, teased the new feature in a message on Twitter on June 8, 2019.

Sysmon (System Monitor) is a free Sysinternals tool that installs a Windows service and a device driver. It extends the Windows Event Log by watching the system for events such as process creation, network connections and file changes, and writing them to its own channel, Microsoft-Windows-Sysmon/Operational, where they can be collected and analyzed like any other Windows event.

Tip: check out our review of Sysmon 5 to get a better understanding of the free application.

Sysmon: dns query logging

The next Sysmon release introduces support for DNS query logging. Russinovich published a screenshot on Twitter that showcases the new feature: it shows a list of logged DNS queries and the details of one of them.

Particularly interesting is that each query is linked to the executable that issued it, and that the DNS responses are logged alongside the query. The "Image" value holds the full path of the program the query originated from.
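What this makes possible is shown below in a small triage script. It is an added example, not code from the article or from Sysinternals. It assumes the field names of Sysmon 10's DnsQuery event (Event ID 22: RuleName, UtcTime, ProcessGuid, ProcessId, QueryName, QueryStatus, QueryResults, Image) and expects the events as XML in the shape produced by `wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*[System[EventID=22]]" /f:xml`, wrapped in a single root element. The sample events, the executable paths and the list of "expected" program directories are all constructed for the demonstration; the script groups queries by the querying executable and flags queries from unexpected locations or lookups that failed.

```python
"""Triage Sysmon DNS query events (Event ID 22) exported as XML.

Added example, not code from the article or from Sysinternals. It assumes
Sysmon 10's DnsQuery field names and XML as exported by
`wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`, wrapped in one
<Events> root. All sample data below is constructed (RuleName and
ProcessGuid are omitted for brevity).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DNS_QUERY_EVENT_ID = "22"

# Directories from which DNS traffic is expected on a typical workstation.
# An assumption for this demo, not a Sysmon or Windows constant.
EXPECTED_IMAGE_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                           "c:\\program files (x86)\\")

# Constructed sample: three DNS events plus one process-creation event (ID 1)
# that the parser must skip. IPv4 answers use Sysmon's "::ffff:" notation and
# QueryStatus 9003 is the Windows code for "DNS name does not exist".
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID></System><EventData>
<Data Name="UtcTime">2019-06-11 10:15:32.123</Data><Data Name="ProcessId">4712</Data>
<Data Name="QueryName">www.example.com</Data><Data Name="QueryStatus">0</Data>
<Data Name="QueryResults">type:  5 cdn.example.net;::ffff:93.184.216.34;</Data>
<Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2019-06-11 10:15:40.001</Data><Data Name="ProcessId">5120</Data>
<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID></System><EventData>
<Data Name="UtcTime">2019-06-11 10:16:05.777</Data><Data Name="ProcessId">6044</Data>
<Data Name="QueryName">lookup.example.net</Data><Data Name="QueryStatus">9003</Data>
<Data Name="QueryResults"></Data>
<Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID></System><EventData>
<Data Name="UtcTime">2019-06-11 10:16:09.002</Data><Data Name="ProcessId">4712</Data>
<Data Name="QueryName">www.examp1e.com</Data><Data Name="QueryStatus">9003</Data>
<Data Name="QueryResults"></Data>
<Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data></EventData></Event>
</Events>
"""


def parse_dns_events(xml_text):
    """Return one dict per Event ID 22 record, ordered by UtcTime."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != DNS_QUERY_EVENT_ID:
            continue  # process-creation, network and other Sysmon events
        rec = {d.get("Name"): (d.text or "")
               for d in ev.findall("e:EventData/e:Data", NS)}
        rec["QueryStatus"] = int(rec.get("QueryStatus", "0"))
        # Sysmon packs all answers into one ';'-separated string.
        rec["Results"] = [r for r in rec.get("QueryResults", "").split(";") if r]
        events.append(rec)
    return sorted(events, key=lambda r: r["UtcTime"])


def summarize_by_image(events):
    """Map each querying executable (Image) to the set of names it looked up."""
    by_image = defaultdict(set)
    for rec in events:
        by_image[rec["Image"]].add(rec["QueryName"])
    return dict(by_image)


def flag_unusual(events, expected_prefixes=EXPECTED_IMAGE_PREFIXES):
    """Return records worth a closer look: queries issued by an executable
    outside the expected directories, or lookups that failed (QueryStatus
    other than 0), which is where typos, stale domains and probing show up."""
    flagged = []
    for rec in events:
        from_expected = rec["Image"].lower().startswith(tuple(expected_prefixes))
        if not from_expected or rec["QueryStatus"] != 0:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    recs = parse_dns_events(SAMPLE_XML)
    for image, names in sorted(summarize_by_image(recs).items()):
        print(f"{image}\n    {', '.join(sorted(names))}")
    for rec in flag_unusual(recs):
        print(f"FLAG {rec['UtcTime']} pid={rec['ProcessId']} {rec['Image']} "
              f"-> {rec['QueryName']} status={rec['QueryStatus']}")
```

Note that in the version as released (Sysmon 10), DNS events are only recorded once a DnsQuery rule exists in the Sysmon configuration; an empty `<DnsQuery onmatch="exclude"/>` group logs every query, and exclude rules for known-good names keep the volume manageable.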

Windows can already log DNS client queries to its own event log (the Microsoft-Windows-DNS-Client/Operational channel), but that log is disabled by default and needs to be enabled before Windows starts recording these events, and its entries do not show the executable file that initiated the query.

Here is how you enable the built-in DNS client logging on Windows:

  1. Use Windows-R to open the run box on the system.
  2. Type eventvwr.msc and tap on the Enter-key to load the Event Viewer.
  3. Navigate to the following path: Applications and Services Logs > Microsoft > Windows > DNS Client Events > Operational
  4. Right-click on Operational, and select Enable Log.

Closing words

The new Sysmon feature improves DNS query logging on Windows considerably. The logging of the full filename and path of the querying executable in particular should be welcome, as it makes it straightforward to attribute each DNS query to the program that issued it.

Regularly reviewing the DNS query log can reveal programs that quietly contact servers they have no business contacting, leak information, or are outright malicious. The feature is also useful for auditing software installations and updates, to verify which hosts are contacted in the background.

The new version of Sysmon will be published on Microsoft's Sysinternals website.

Now You: do you analyze DNS queries? (via Bleeping Computer)


Comments

  1. Bill said on June 10, 2019 at 11:38 am
    Reply

    Martin, please change Mike to Mark.

  2. chesscanoe said on June 11, 2019 at 1:01 am
    Reply

    I hope the newest version continues to use “Event timestamps are in UTC standard time.”
