How to Get a Log of DNS Queries with Sysmon

soji256 · 4 min read · Jun 16, 2019
Sysmon — Windows Sysinternals | Microsoft Docs

Sysmon now supports logging DNS queries, so I tried to get the logs. I checked this procedure with Windows 10 on VMware.

Sysmon Installation Instructions

  • Download Sysmon from the official site.
  • Extract the files to a folder of your choice.
  • Launch a command prompt with administrator privileges.
  • Change to the directory where you extracted Sysmon and type Sysmon -i.
    (When you start it for the first time, you will be asked to check the terms of use.)
Sysmon install — cmd.exe

Installation is complete.

Event Log Location

Sysmon logs are all located in the Applications and Services Log > Microsoft > Windows > Sysmon Operational.

Sysmon Event Log

Enable DNS query logging

By default, DNS queries are not logged. I will change the setting to enable logging of DNS queries.

Using Notepad, create a file with the following contents and save it with the filename config-dnsquery.xml.

    <Sysmon schemaversion="4.21">
      <EventFiltering>
        <DnsQuery onmatch="exclude" />
      </EventFiltering>
    </Sysmon>

Copy this file into the same folder where you extracted Sysmon and type Sysmon.exe -c config-dnsquery.xml to apply the settings.

Update configuration

This starts logging DNS queries.

DNS Query Log Location

Sysmon logs are all located in the Applications and Services Log > Microsoft > Windows > Sysmon Operational. DNS query records are written with Event ID 22.

Sysmon EventLog DNS Query

DNS query log is noisy

You can find the Sysmon configuration files at the following site:

There is a test version that contains settings for the DNS query log.

This test version has been configured to exclude some common domains from the DNS log. In general, the DNS query log is expected to be large. If you want to stand on the shoulders of giants, you might want to apply this configuration file.
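As an added example (not from the original post), the following PowerShell reads Event ID 22 records from the Sysmon/Operational log, drops a constructed list of noisy domains, and counts which process resolved which name, which is a quick way to spot a process resolving names it has no business resolving. It assumes an elevated prompt, since the Sysmon log is readable only by administrators, and uses the field names Sysmon writes for Event 22 (UtcTime, Image, ProcessId, QueryName, QueryStatus, QueryResults).

```powershell
# Added example, not from the original post: summarise Sysmon Event ID 22
# (DnsQuery) records, dropping a small set of noisy domains.
# The noise list below is a constructed placeholder; tune it to your environment.
$NoisyDomains = @(
    '*.microsoft.com',
    '*.windowsupdate.com',
    '*.in-addr.arpa'
)

function Get-SysmonDnsQuery {
    param(
        [int]$MaxEvents = 5000,
        [string[]]$Exclude = $NoisyDomains
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # The event data is easiest to read from the record's XML form
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                UtcTime      = $data.UtcTime
                Image        = $data.Image
                ProcessId    = $data.ProcessId
                QueryName    = $data.QueryName
                QueryStatus  = $data.QueryStatus
                QueryResults = $data.QueryResults
            }
        } |
        Where-Object {
            # Keep only names that match none of the noise patterns
            $name = $_.QueryName
            -not ($Exclude | Where-Object { $name -like $_ })
        }
}

# Most frequently queried names and the process image that asked for them
Get-SysmonDnsQuery |
    Group-Object QueryName, Image |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count,
        @{ n = 'QueryName'; e = { $_.Group[0].QueryName } },
        @{ n = 'Image';     e = { $_.Group[0].Image } }
```

Raise -MaxEvents or pipe the output to Export-Csv when you want to review a longer window than the most recent few thousand queries.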

Can I get a log for DNS over HTTPS (DoH)?

I haven’t tried it yet, but there was a blog saying that Sysmon can’t get it.

Sysmon 10.0 — New features and changes — Olaf Hartong — Medium

Depending on your configuration you might be able to see the activity in EventID 3 (NetworkConnection), but you will not see the request itself. The only thing you might be able to see is unexpected processes calling out to one of the DoH providers.

Thanks.

Appendix

Uninstall Sysmon

You can uninstall by entering Sysmon.exe -u at a command prompt executed with administrator privileges.

If you have trouble installing the software after uninstalling it, follow the steps below to delete the related files.

  1. Run regedit.exe and delete the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sysmondrv registry key.
  2. Delete the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sysmon registry key.
  3. Restart the machine, then delete the c:\windows\sysmondrv.sys and c:\windows\sysmon.exe files.

Sysmon Might Not Work in a Virtual Environment

When we tried Sysmon on VMware, it sometimes didn’t work in a Windows 7 environment.

  • Windows 7: Sysmon won't start and reports an unsupported processor
  • Windows 7: Sysmon starts but cannot log DNS queries, and a BSoD occurs when attempting to uninstall it
  • Windows 10: As if by magic, Sysmon logged DNS queries without any trouble
Error: Unsupported Processor — Windows 7

The first and second Windows 7 bullet points come from different environments. I haven't been able to identify the reason for this yet.

Update History

  • 2019/06/17 New.
  • 2019/06/17 Fixed some mistakes.
  • 2020/03/03 Revised.
