Windows DNS/Directory Services
Malicious or misused software will often attempt to resolve blacklisted or suspicious domain names. Collecting DNS queries and responses is recommended so that compromise or intrusion can be discovered through security analytics. A number of the event IDs below are only recorded when enhanced auditing is enabled. See [Network Forensics with Windows DNS Analytical Logging](http://blogs.technet.com/b/teamdhcp/archive/2015/11/24/network-forensics-with-windows-dns-analytical-logging.aspx) for more information.
| Event | Event Source | Event Log |
|---|---|---|
| Requires enhanced auditing enabled. | Microsoft-Windows-DNSServer | Microsoft-Windows-DNSServer/Analytical |
| DNS query completed (Application DNS Lookup) | Microsoft-Windows-DNS-Client | Microsoft-Windows-DNS-Client/Operational |
| DNS Query Response (DNS Cache service) | Microsoft-Windows-DNS-Client | Microsoft-Windows-DNS-Client/Operational |
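The following PowerShell is an added example, not part of the original guidance: it enables the two logs listed above on a host, then checks the collected DNS-Client "query completed" events against a suspicious-domain watchlist (matching the domain itself and any of its subdomains). The watchlist entries and the sample names are constructed values. Event ID 3008 as the "DNS query completed" event, and the queried name being the event's first property, are assumptions to confirm against Event Viewer on your own build.

```powershell
# Added example: enable DNS logging and screen DNS-Client query events against a watchlist.
# Run from an elevated PowerShell prompt on the host being audited.

# 1. Enable the logs named in the table above; both are disabled by default.
function Enable-DnsAuditLogs {
    wevtutil set-log 'Microsoft-Windows-DNS-Client/Operational' /e:true
    # The DNS Server analytical log only exists where the DNS Server role is installed;
    # /q:true suppresses wevtutil's confirmation prompt for analytical logs.
    if (Get-Service -Name DNS -ErrorAction SilentlyContinue) {
        wevtutil set-log 'Microsoft-Windows-DNSServer/Analytical' /e:true /q:true
    }
}

# 2. Suspicious-domain watchlist. Constructed sample values; feed these from your own intel source.
$Watchlist = @('bad.example', 'c2.test')

# Returns $true when $Name equals a watchlist entry or is a subdomain of one.
# Trailing dots and letter case are ignored so 'WWW.BAD.EXAMPLE.' still matches 'bad.example'.
function Test-SuspiciousName {
    param([Parameter(Mandatory)][string]$Name, [string[]]$List = $Watchlist)
    $n = $Name.TrimEnd('.').ToLowerInvariant()
    foreach ($entry in $List) {
        $d = $entry.TrimEnd('.').ToLowerInvariant()
        if ($n -eq $d -or $n.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

# 3. Read completed queries from the DNS-Client operational log and report watchlist hits.
#    Assumption: event ID 3008 is the "DNS query completed" event and Properties[0] holds the
#    queried name. Verify both against an event's details pane before relying on this filter.
function Get-SuspiciousDnsQueries {
    param([string[]]$List = $Watchlist, [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $qname = [string]$e.Properties[0].Value
        if (Test-SuspiciousName -Name $qname -List $List) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $e.MachineName
                Query    = $qname
                RecordId = $e.RecordId
            }
        }
    }
}

# Offline check of the matching logic with constructed names (no event log needed).
$sampleNames = @('update.microsoft.com.', 'beacon.bad.example', 'BAD.EXAMPLE', 'notbad.example', 'c2.test.')
foreach ($s in $sampleNames) {
    '{0,-28} suspicious={1}' -f $s, (Test-SuspiciousName -Name $s)
}
# Expected: only 'beacon.bad.example', 'BAD.EXAMPLE' and 'c2.test.' report suspicious=True;
# 'notbad.example' does not, because the match requires a label boundary ('.' + entry).

# Live use, once the logs have been enabled and have accumulated events:
# Enable-DnsAuditLogs
# Get-SuspiciousDnsQueries | Format-Table -AutoSize
```

The suffix check deliberately requires a label boundary so that a watchlisted `bad.example` does not flag the unrelated `notbad.example`. The DNS Server analytical log is ETW-based and is read differently from the operational log (with `Get-WinEvent -Oldest` or from its `.etl` file), which is why this example only parses the DNS-Client log; forward both logs to your collector and apply the same watchlist logic there.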
September 14, 2021