Tip of the Day: Using DNS Analytical Logging

Today’s Tip…

Just when you thought DNS could not get any better, there are several new features and improvements included in Windows Server 2016 TP4 to get excited about. One notable improvement that will be very useful to troubleshooters and support engineers is the addition of new diagnostic and logging capabilities, consisting of both Analytical Events and ETW trace providers.

The good news is that these features have also been backported to Windows Server 2012 R2 DNS! If you have a 2012 R2 DNS server, you can download and install the following package to enable this capability.

Update adds query logging and change auditing to Windows DNS servers

Note Concerning DNS Debug Logging

Prior to the introduction of DNS analytic logs, DNS debug logging was the available method to monitor DNS transactions. DNS debug logging is not the same as the enhanced DNS logging and diagnostics feature discussed here.

Analytical Event Logging

Enhanced DNS logging and diagnostics in Windows Server 2012 R2 and later includes DNS Audit events and DNS Analytic events. DNS audit logs are enabled by default, and do not significantly affect DNS server performance. DNS analytical logs are not enabled by default, and typically will only affect DNS server performance at very high DNS query rates. For example, a DNS server running on modern hardware that is receiving 100,000 queries per second (QPS) can experience a performance degradation of 5% when analytic logs are enabled. There is no apparent performance impact for query rates of 50,000 QPS and lower. However, it is always advisable to monitor DNS server performance whenever additional logging is enabled.

Click on the link for a detailed list of DNS Analytic events as well as the steps necessary to enable DNS diagnostic logging once the package is installed.

ETW Logging

DNS logs are compatible with Event Tracing for Windows (ETW) consumer applications such as logman, tracelog, and Message Analyzer. You can use ETW consumers such as tracelog.exe with DNS server audit and analytic events by specifying the provider GUID {EB79061A-A566-4698-9119-3ED2807060E7}.

Note - You can get tracelog.exe by downloading and installing the Windows Driver Kit (WDK). Tracelog.exe is included when you install the WDK, Visual Studio, and the Windows SDK for desktop apps. For information about downloading the kits, see Windows Hardware Downloads. For example, when you download and install Windows Driver Kit (WDK) 8 and accept the default installation path, tracelog.exe is available at C:\Program Files (x86)\Windows Kits\8.0\Tools\x64\tracelog.exe. For more information about using tracelog.exe, see Tracelog Command Syntax.

The following command will enable both analytical and audit logging:

tracelog.exe -start Dns -guid #{EB79061A-A566-4698-9119-3ED2807060E7} -level 5 -matchanykw 0xFFFFFFFF -f C:\analytic_audit.etl

While the trace is active, all analytical and audit events will be recorded in the C:\analytic_audit.etl file that was specified on the command line. You can stop tracing by issuing a stop command:

tracelog -stop Dns

After stopping the trace, you can view the .etl file in Event Viewer by clicking Action and then clicking Open Saved Log, as shown in the following example.

[Screenshot: Event Viewer, Action > Open Saved Log]

The following example enables just the analytical channel by restricting the keyword mask to 0x7FFFF:

tracelog.exe -start Dns -guid #{EB79061A-A566-4698-9119-3ED2807060E7} -level 5 -matchanykw 0x7FFFF -f C:\analytic.etl

Both commands above use a logging level of 5. The following logging levels are available:

[Image: table of available tracelog logging levels]
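The start, stop, and review steps above, wrapped in a small PowerShell helper as an added example (this is not code from the original post). It assumes an elevated prompt, that tracelog.exe is on the PATH (adjust $TraceLog otherwise), and uses the session name, provider GUID, level, and keyword masks given in the post; the trace is read back with Get-WinEvent, which can open .etl files directly.

```powershell
# Added example, not from the original post. Assumes tracelog.exe is on PATH
# and that the script runs in an elevated PowerShell session.
$TraceLog    = 'tracelog.exe'                               # assumption: on PATH
$DnsGuid     = '#{EB79061A-A566-4698-9119-3ED2807060E7}'    # DNS server provider GUID from the post
$SessionName = 'Dns'                                        # session name used in the post

function Start-DnsEtwTrace {
    param(
        [Parameter(Mandatory)] [string] $OutputFile,
        # Keyword masks from the post: 0xFFFFFFFF = analytic + audit, 0x7FFFF = analytic only
        [ValidateSet('All', 'AnalyticOnly')] [string] $Channels = 'All'
    )
    $mask = if ($Channels -eq 'All') { '0xFFFFFFFF' } else { '0x7FFFF' }
    # Level 5 is the verbose level used by both commands in the post
    & $TraceLog -start $SessionName -guid $DnsGuid -level 5 -matchanykw $mask -f $OutputFile
    if ($LASTEXITCODE -ne 0) { throw "tracelog -start failed with exit code $LASTEXITCODE" }
}

function Stop-DnsEtwTrace {
    & $TraceLog -stop $SessionName
    if ($LASTEXITCODE -ne 0) { throw "tracelog -stop failed with exit code $LASTEXITCODE" }
}

function Get-DnsEtwSummary {
    param([Parameter(Mandatory)] [string] $EtlFile)
    # Get-WinEvent reads .etl files; -Oldest is required for .etl input.
    # Grouping by event ID gives a quick picture of which audit/analytic
    # events fired during the capture before drilling into individual records.
    Get-WinEvent -Path $EtlFile -Oldest -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count
}

# Capture 60 seconds of analytic + audit events, then summarize the trace by event ID.
$etl = 'C:\analytic_audit.etl'
Start-DnsEtwTrace -OutputFile $etl -Channels All
try {
    Start-Sleep -Seconds 60
}
finally {
    # Always stop the session so an abandoned trace does not keep writing to disk
    Stop-DnsEtwTrace
}
Get-DnsEtwSummary -EtlFile $etl | Format-Table -AutoSize
```

Pass -Channels AnalyticOnly to Start-DnsEtwTrace to reproduce the second command from the post (keyword mask 0x7FFFF).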

Call to Action

At your first opportunity, familiarize yourself with the process of gathering and analyzing DNS ETW logging. It is very economical in terms of resource consumption compared to traditional DNS debug logging and can be very useful in troubleshooting and forensic efforts.

Your feedback is very important as well. If you encounter a scenario where information not currently captured by the trace would be helpful, let me know! The DNS PG is very active in the area of diagnostics, and if your idea would help reduce the time it takes to resolve an issue, they would be very interested in hearing it!

Review the following article for more information on DNS Analytical Logging and other diagnostics.

https://technet.microsoft.com/en-us/library/dn800669.aspx