Sometimes, for forensic investigation, you may need to enable extended logging on the DNS server and, to trace back the client that originated a DNS request, enable debug logging on the DHCP server as well. DNS log analysis aims to detect suspicious or malicious domain name requests from internal machines by applying behavioral, syntactic, heuristic, and statistical analysis to the logs, in addition to matching against known public and private blacklists.
The diagrams below show how to enable DNS logging and DHCP logging.
In your DNS server's properties, ensure that the DNS logging options are set as in the screenshot below.
Logging must be enabled on all internal DNS servers in the organization.
The maximum file size should be set as large as possible so that the log holds at least 3 days of DNS queries; the more data collected, the better the results.
The default location for DNS logs is %SystemRoot%\System32\DNS\Dns.log.
In order to trace the IP addresses from the DNS logs to a machine name, DHCP server logging must be enabled. If you have other means of identifying your machines by IP address and historical timestamp, DHCP logging is not required.
Below is how to enable DHCP logging.
DHCP audit logs are located by default at %windir%\System32\Dhcp.
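To show why the historical timestamp matters when tracing an IP address back to a machine, here is an added example (not part of the original article) that attributes each received DNS query to the host holding the DHCP lease at that moment. It assumes the usual DNS debug log line layout with US-style dates and the DHCP audit log column order (ID, Date, Time, Description, IP Address, Host Name, MAC Address) with event IDs 10, 11 and 12 for assign, renew and release; all sample lines, addresses and host names are constructed.

```python
import bisect
import csv
import re
from datetime import datetime

# Constructed sample lines; real files sit in the default locations named above.
DNS_LOG = """\
6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Rcv 10.0.5.71    5b47   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Snd 10.0.5.71    5b47 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
6/5/2013 3:15:02 PM 0E70 PACKET  0000000003339AB0 UDP Rcv 10.0.5.71    9c11   Q [0001   D   NOERROR] A      (4)test(7)example(3)net(0)
"""
DHCP_LOG = """\
10,06/05/13,09:12:44,Assign,10.0.5.71,WKS-0142.corp.example,00155D010203,
12,06/05/13,12:30:00,Release,10.0.5.71,WKS-0142.corp.example,00155D010203,
10,06/05/13,14:01:10,Assign,10.0.5.71,LAP-0077.corp.example,00155D0A0B0C,
"""
DNS_RE = re.compile(
    r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \S+ PACKET\s+\S+ (?:UDP|TCP) Rcv "
    r"(\S+)\s+\S+\s+Q \[.*?\]\s+(\S+)\s+(\S+)")

def decode_name(raw):
    """Turn the log's (3)www(7)example(3)com(0) form into www.example.com."""
    return ".".join(p for p in re.split(r"\(\d+\)", raw) if p)

def parse_dns(text):
    """Yield (time, client_ip, qtype, name) for received queries only."""
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            yield ts, m.group(2), m.group(3), decode_name(m.group(4))

def parse_dhcp(text):
    """Return {ip: time-sorted [(time, host)]}; a release stores host None."""
    leases = {}
    for row in csv.reader(text.splitlines()):
        if len(row) >= 6 and row[0] in ("10", "11", "12"):
            ts = datetime.strptime(row[1] + " " + row[2], "%m/%d/%y %H:%M:%S")
            leases.setdefault(row[4], []).append((ts, None if row[0] == "12" else row[5]))
    return {ip: sorted(v, key=lambda e: e[0]) for ip, v in leases.items()}

def attribute(dns_text, dhcp_text):
    """Name the lease holder of each client IP at the moment of the query."""
    leases, out = parse_dhcp(dhcp_text), []
    for ts, ip, qtype, name in parse_dns(dns_text):
        events = leases.get(ip, [])
        i = bisect.bisect_right([e[0] for e in events], ts) - 1
        out.append((ts, ip, events[i][1] if i >= 0 else None, qtype, name))
    return out
```

In the sample, the same IP address resolves to two different machines on the same day, and a query made with no active lease on record comes back with no host name, which is the case to follow up through other inventory sources.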
The article below explains DHCP log monitoring.