Enabling DNS Monitoring in Datadog

Welcome to my first Blog post on Practical Security! In this series we discuss tools, topics and tactics for improving the operational security of your business' technical environments. In this blog post, we walk through how to enable Windows DNS monitoring in the popular monitoring tool datadog!

Step 1 - Windows DNS Log Tuning

To kick things off, let's clean up the type of logs that will be sent to datadog. The script below modifies several properties of your DNS server's diagnostic config so that datadog only receives meaningful logs that you can do something with. Make sure the C:\Temp folder exists before you run it, since that is where the log file will be written.

Open a PowerShell window as Admin, and paste and execute the following script.

# Same settings as a single Set-DnsServerDiagnostics call, written as a
# splatted hashtable so each option can carry a comment.
$dnsDiag = @{
    SendPackets                          = $false   # don't log packets the server sends
    ReceivePackets                       = $true    # log packets the server receives
    EnableLoggingForLocalLookupEvent     = $false
    EnableLoggingForRecursiveLookupEvent = $false
    EnableLoggingForRemoteServerEvent    = $false
    EnableLoggingToFile                  = $true    # write the debug log to a file
    LogFilePath                          = "C:\Temp\DNS.log"
    Queries                              = $true    # include query packets
    Answers                              = $true    # include answer packets
    UnmatchedResponse                    = $false
    FullPackets                          = $false   # summary lines only, no full packet dumps
    TcpPackets                           = $false
    UdpPackets                           = $true    # UDP only (the bulk of DNS traffic)
}
Set-DnsServerDiagnostics @dnsDiag

Restart DNS Service

Restart the DNS service to apply changes:

Restart-Service DNS -Force

Final Verification Before Moving to datadog Setup

You can run the following command to check that the log is being written to.

Patience is a Virtue.
This could take a few minutes to populate after you run it.

Get-Content "C:\Temp\DNS.log" -Tail 20

Step 2 - Configure datadog

Enable Logging in datadog Agent

Now that we’ve modified our DNS log config, we’re ready to have datadog collect the information into the UI!

Go to your C:\ProgramData\datadog directory, and open datadog.yaml in a text editor with administrator rights.

Make sure you have the following line configured somewhere in your datadog.yaml file (it is a YAML boolean, so leave it unquoted):

logs_enabled: true

Save your changes and move onto the next step.

Bonus Step - Enable Network Telemetry

If you haven't done so already, it's a good idea to enable network telemetry in the datadog Agent. You can do so by opening the system_probe.yaml file in the C:\ProgramData\datadog directory and adding the following lines:

network_config:
  enabled: true

Save your changes and move onto the next step.

Configure DNS yaml File

Go to your C:\ProgramData\datadog\conf.d\win32_event_log.d directory, and create a new file called dns_cfg.yaml.

Review Twice, Save once...
If you do not have file name extensions shown in File Explorer, make very sure your file's extension is actually YAML like in the screenshot below, or your config file might not show up in the agent collector!

In the dns_cfg.yaml file, paste the following config and then save:

logs:
  - type: file
    path: "C:\\Temp\\DNS.log"
    source: dns
    service: dns_server
    tags: "hostname:YOUR_SERVER_NAME_HERE"
    log_processing_rules:
      - type: exclude_at_match
        name: exclude_common_noise
        pattern: "(ARCOUNT|Offset|Flags|DATA|QTYPE|NSCOUNT|Buf length|empty|CLASS|SECTION)"
Don't make the mistake I made 🙁
Make sure you change the tags line to the name of your server so you can filter your results later.

In your PowerShell window, paste the following command and hit return:

Restart-Service datadogagent

If everything was saved and the restart was successful, your logs should now be ingested into your datadog UI. Congratulations! You can confirm this by opening your local datadog Agent Manager and checking the counters under the w32 log entry:

Step 3 - Modify datadog Log entries

Great, you have logs being shipped into datadog's UI, but there's a problem: the log lines record the DNS names as length-prefixed labels and the client IP addresses, and not much else. Not overly helpful for most sysadmins, who don't want to spend their time decoding DNS entries in their heads. Thankfully, there are a few steps we can do in the datadog UI to make the logs both useful and easy to search.

Enable datadog Pipelines

Go to your datadog Pipelines section in the UI by hovering your mouse over Logs -> Pipelines.

Click "Create new Pipeline", which should be at the end of your existing pipelines:

Under “Create Pipeline”, use the following entries:

  • Filter: source:dns
  • Name: Windows DNS Logs

Now click Create. You should now have a new pipeline entry.

Only a few more steps to go!

Add Grok Parser

Expand your pipeline with the > next to it, and select “Add Processor”

Select “Grok Parser” and use the following information:

Grok Parser: NAMEHERE

Under Log Samples, either Add a copy of your DNS logs, or you can try to have datadog find them automatically by selecting “Parse my logs”

Under Define parsing rules, paste the following line:

rule %{date("M/D/YYYY H:mm:ss a"):date}\s+%{data}(NOERROR]|NXDOMAIN])\s+%{data}\(%{number}\)%{data:url.url_1}(\(%{number}\)%{data:url.url_2})?(\(%{number}\)%{data:url.url_3})?(\(%{number}\)%{data:url.url_4})?(\(%{number}\)%{data:url.url_5})?(\(%{number}\)%{data:url.url_6})?(\(%{number}\)%{data:url.url_7})?(\(%{number}\)%{data:url.url_8})?

Click Create to complete the Grok parser.

Create String Builder

Click "Add Processor" again, below your Grok parser, and select "String Builder Processor".

  • Name: Build Full Domain Name
  • Attribute Path: full_url
  • Set Target attribute: use following line:
%{url.url_1}.%{url.url_2}.%{url.url_3}.%{url.url_4}.%{url.url_5}.%{url.url_6}.%{url.url_7}.%{url.url_8}.

2nd Grok Parser - Trim URL

Create another Grok parser after your String builder with the following settings:

Log Samples

cdn.jsdelivr.net.cdn.cloudflare.net

Grok Parser: Trim URL

trim_full_url %{data:full_url}(\.)?(\.)?(\.)?(\.)?(\.)?(\.)?(\.)?

With everything done, your pipeline should now look like this:

Validate DNS Changes

Go back to your Log Explorer and filter by source:dns

Your log files should now look like this:

Ok, I made you go through all that, and for what?!? Well, now we can set up monitors using wildcards in the search URL string, so there's that… 🙂
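To check the pipeline logic before you rely on it, here is the whole of Step 2 and Step 3 modelled offline in Python: the exclude_at_match rule from dns_cfg.yaml, the Grok parser that splits the length-prefixed labels, the String Builder plus "Trim URL" step that rebuilds the domain, and the same "ends with .ru" test the monitor in the next section performs. This is an added example, not code from the post or from Datadog; the log lines are constructed in the layout of the Windows DNS debug log (the Snd lines only appear if you enable SendPackets, which the Step 1 script does not), and the regex, function names and the 8-label limit are assumptions that mirror the page's Grok rule rather than Datadog's own implementation.

```python
"""Offline model of the DNS log pipeline: exclude rule -> grok -> domain -> suffix monitor.

SAMPLE_LOG is constructed in the layout of the Windows DNS debug log; it is not real traffic.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List

# Same regex as the exclude_at_match rule in dns_cfg.yaml (case-sensitive, unanchored).
NOISE_RE = re.compile(
    r"(ARCOUNT|Offset|Flags|DATA|QTYPE|NSCOUNT|Buf length|empty|CLASS|SECTION)"
)

# One summary line per packet, e.g.
# 3/14/2024 10:23:45 AM 0A2C PACKET  000001D2A3B4C5D0 UDP Rcv 192.168.1.50   0001   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
PACKET_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<ctx>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<direction>Rcv|Snd)\s+(?P<client>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<response>R)?\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags>[^\]]*?)\s+(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<labels>(?:\(\d+\)[^()\s]*)+)\s*$"
)

SAMPLE_LOG = """\
3/14/2024 10:23:45 AM 0A2C PACKET  000001D2A3B4C5D0 UDP Rcv 192.168.1.50   0001   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/14/2024 10:23:45 AM 0A2C PACKET  000001D2A3B4C5D0 UDP Snd 192.168.1.50   0001 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
  Buf length = 0x0fa0 (4000)
    QUESTION SECTION:
      QTYPE   A (1)
    ANSWER SECTION:
      empty
3/14/2024 10:24:02 AM 0A2C PACKET  000001D2A3B4C6E0 UDP Rcv 192.168.1.77   0002   Q [0001   D   NOERROR] A      (4)test(2)ru(0)
3/14/2024 10:24:02 AM 0A2C PACKET  000001D2A3B4C6E0 UDP Snd 192.168.1.77   0002 R Q [8383   A DR  NXDOMAIN] A      (4)test(2)ru(0)
3/14/2024 10:24:10 AM 0A2C PACKET  000001D2A3B4C7F0 UDP Rcv 192.168.1.50   0003   Q [0001   D   NOERROR] A      (8)emptybox(7)example(3)com(0)
"""


def parse_labels(labels: str) -> List[str]:
    """Turn '(3)www(7)example(3)com(0)' into ['www', 'example', 'com'].

    The length prefix is checked against each label so a malformed line fails loudly
    instead of yielding a wrong domain."""
    out = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", labels):
        if int(length) != len(label):
            raise ValueError(f"label length mismatch in {labels!r}")
        if label:
            out.append(label)
    return out


def build_domain(labels: List[str]) -> str:
    """Mirror the String Builder template and the Trim URL grok.

    The page's grok captures url_1..url_8 only, so names deeper than 8 labels are truncated."""
    parts = (labels + [""] * 8)[:8]      # url.url_1 .. url.url_8, missing ones are empty
    padded = ".".join(parts) + "."       # what the String Builder template produces
    return padded.rstrip(".")            # what the Trim URL grok strips off


def parse_log(lines: Iterable[str]) -> Dict[str, list]:
    """Apply the exclude rule, then the packet grok, to each line of the debug log."""
    records, dropped, unparsed = [], [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if NOISE_RE.search(line):        # the agent drops these before they are shipped
            dropped.append(line)
            continue
        m = PACKET_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["date"] = datetime.strptime(rec["date"], "%m/%d/%Y %I:%M:%S %p")
        rec["domain"] = build_domain(parse_labels(rec["labels"]))
        records.append(rec)
    return {"records": records, "dropped": dropped, "unparsed": unparsed}


def suspicious_queries(records: List[dict], suffix: str = ".ru") -> List[dict]:
    """The 'Suspicious DNS Query - .RU Domains' monitor as a function.

    Only inbound queries (Rcv) count, so a logged answer does not alert a second time,
    and the comparison is case-insensitive because DNS names are."""
    suffix = suffix.lower().lstrip(".")
    hits = []
    for rec in records:
        if rec["direction"] != "Rcv":
            continue
        domain = rec["domain"].lower()
        if domain == suffix or domain.endswith("." + suffix):
            hits.append(rec)
    return hits


def main() -> None:
    result = parse_log(SAMPLE_LOG.splitlines())
    for rec in result["records"]:
        print(rec["date"], rec["direction"], rec["client"], rec["rcode"], rec["domain"])
    for rec in suspicious_queries(result["records"], ".ru"):
        print("ALERT .ru query:", rec["client"], "->", rec["domain"])
    print("lines dropped by the exclude rule:", len(result["dropped"]))


if __name__ == "__main__":
    main()
```

Running it shows one thing the UI will not tell you: the exclude pattern is an unanchored substring match, so the constructed query for emptybox.example.com is dropped together with the "empty" detail line and never reaches datadog. If that matters for your environment, test your own exclude pattern against a few real query lines before shipping it.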

Set Up Notification & Remediation Steps

Create a New Logs Monitor, and give it the following settings:


  • Name the Monitor: Suspicious DNS Query - .RU Domains
  • Set Notification Recipients:
    • Email: security@example.com (replace with your SOC/Security team email).
    • Slack: Send alerts to a security channel (#security-alerts).
  • Add an Auto-Remediation Message:
    • In the Alert Message field, add:
Suspicious DNS Query Detected!
A request for a `.ru` domain has been logged.

Host: {{host.name}}
Query: {{log.message}}

Please investigate potential malware or unauthorized access.

Next Step: Test the Alert

To ensure it works:

Manually test a .ru domain lookup:

nslookup test.ru <your_dns_server_ip>

Confirm that datadog logs the query:

source:dns AND "QUERY:" AND ".ru"

Wait for the alert to trigger in datadog.

That's it! You can now create monitors for any sort of Domain Suffix you wish to monitor from your Windows DNS Servers!