FortiSIEM Discussions
Taher11
New Contributor III

DNS records tracking

Hello,

I monitor my Windows Active Directory server, which is also my DNS server, through the FortiSIEM Windows agent. How can I detect changes made on the DNS side (record deletion or modification)?

Which Windows event IDs should I look for when searching for those kinds of modifications made on the DNS server side?

EL MOUSTAPHA MOHAMED LEMINE TAHER
cdurkin_FTNT
Staff

Did you follow the recommendations from your original post?

https://community.fortinet.com/t5/FortiSIEM-Discussions/DNS-server-event-monitoring/td-p/266150

If you choose to monitor the DNS Audit event log: Microsoft-Windows-DNSServer/Audit

Admin -> Setup -> Windows Agent
Under Windows Agent Monitor Templates, choose your Template click Edit
Under Event -> Event Log -> New
Under Type -> Choose Other
Event Name: Log Name: Microsoft-Windows-DNSServer/Audit
Save / Apply

You will then see:

Event Type: Win-DNS-515-Record-Create

Raw Message Sample:
2023-09-05T13:17:33Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="515" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:17:32" [deviceTime]="Sep 05 2023 13:17:32" [msg]="A resource record of type 1, name test.homelab.local, TTL 3600 and RDATA 0x01010101 was created in scope Default of zone homelab.local. [virtualization instance: .]."


Event Type: Win-DNS-516-Record-Delete

Raw Message Sample:
2023-09-05T13:20:40Z Win2022DC.homelab.local 192.168.4.130 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit [phCustId]="1" [customer]="Super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="aac6d305-7f80-48a2-bc78-b63de85e896b" [timeZone]="-0500" [eventName]="Microsoft-Windows-DNSServer/Audit" [eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [eventType]="Information" [domain]="HOMELAB" [computer]="Win2022DC.homelab.local" [user]="Administrator" [userSID]="S-1-5-21-3781725565-1359118258-3033190851-500" [userSIDAcctType]="User" [eventTime]="Sep 05 2023 13:20:40" [deviceTime]="Sep 05 2023 13:20:40" [msg]="A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local."

You can see the full list of DNS Audit events here

Taher11
New Contributor III

Hello, I followed the first suggestion and it works perfectly. I just have a question about the type of records in the msg we found: "A resource record of type 1, name test.homelab.local and RDATA 0x01010101 was deleted from scope Default of zone homelab.local." What is the significance of those types 1, 2 or 5?

EL MOUSTAPHA MOHAMED LEMINE TAHER
cdurkin_FTNT

I believe these are simply DNS record types; you can see a list here:

https://en.wikipedia.org/wiki/List_of_DNS_record_types

i.e., type 1 is an A record, etc.
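Tying the two answers together: the following is an added example (not code from the thread or from FortiSIEM) that parses the FortiSIEM-wrapped Microsoft-Windows-DNSServer/Audit lines shown in the accepted answer, keeps only the 515/516 record create/delete events, and translates the numeric record type and RDATA from the msg field into the names the last reply points at. The sample lines, host, IP and zone are constructed placeholders shaped like the raw messages quoted above.

```python
import ipaddress
import re

# RR type numbers from the IANA registry (the same numbers as the list linked in the thread).
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
# The two Microsoft-Windows-DNSServer/Audit event IDs quoted in the accepted answer.
DNS_AUDIT_EVENTS = {"515": "Record-Create", "516": "Record-Delete"}

KV_RE = re.compile(r'\[(\w+)\]="([^"]*)"')          # FortiSIEM's [key]="value" attributes
MSG_RE = re.compile(                                   # shape of the msg field in 515/516 events
    r"resource record of type (?P<rtype>\d+), name (?P<name>[^\s,]+).*?RDATA 0x(?P<rdata>[0-9A-Fa-f]+) "
    r"was (?P<action>created|deleted) .*?of zone (?P<zone>\S+?)\.(?:\s|$)"
)

# Constructed sample lines shaped like the raw messages quoted above (host, IP and zone are placeholders).
SAMPLE_LOGS = [
    '2023-09-05T13:17:33Z dc01.example.test 10.0.0.5 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit '
    '[eventSource]="Microsoft-Windows-DNSServer" [eventId]="515" [user]="Administrator" '
    '[msg]="A resource record of type 1, name test.example.test, TTL 3600 and RDATA 0x01010101 '
    'was created in scope Default of zone example.test. [virtualization instance: .]."',
    '2023-09-05T13:20:40Z dc01.example.test 10.0.0.5 AccelOps-WUA-WinLog-Microsoft-Windows-DNSServer/Audit '
    '[eventSource]="Microsoft-Windows-DNSServer" [eventId]="516" [user]="Administrator" '
    '[msg]="A resource record of type 1, name test.example.test and RDATA 0x01010101 '
    'was deleted from scope Default of zone example.test."',
]

def parse_fortisiem_attrs(line):
    """Extract the [key]="value" pairs that the FortiSIEM Windows agent appends to the raw event."""
    return dict(KV_RE.findall(line))

def decode_rdata(rtype, rdata_hex):
    """Render A/AAAA RDATA as an address; any other type keeps the hex exactly as logged."""
    raw = bytes.fromhex(rdata_hex)
    if (rtype, len(raw)) in ((1, 4), (28, 16)):
        return str(ipaddress.ip_address(raw))
    return "0x" + rdata_hex

def parse_dns_audit(line):
    """Return a dict describing a 515/516 record change, or None for any other event."""
    attrs = parse_fortisiem_attrs(line)
    if attrs.get("eventSource") != "Microsoft-Windows-DNSServer" or attrs.get("eventId") not in DNS_AUDIT_EVENTS:
        return None
    m = MSG_RE.search(attrs.get("msg", ""))
    if not m:
        return None  # a DNS audit event whose msg is not a record create/delete
    rtype = int(m["rtype"])
    return {"action": DNS_AUDIT_EVENTS[attrs["eventId"]], "type": RR_TYPES.get(rtype, f"TYPE{rtype}"),
            "name": m["name"], "zone": m["zone"], "rdata": decode_rdata(rtype, m["rdata"]),
            "user": attrs.get("user", "?")}
```

Running `parse_dns_audit` over a batch of agent lines and keeping the non-None results gives a per-user list of record creations and deletions per zone, which is the change history the original question asks for.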