DHCP, DNS, Logging, Windows, Windows Servers

Sometimes, for a forensic investigation, you may need to enable extended logging on the DNS server and, to trace back the client that originated a DNS request, enable debug logging on the DHCP server as well. DNS log analysis aims to detect suspicious or malicious domain name requests from internal machines through behavioural, syntactic, heuristic and statistical analysis of the collected logs, in addition to matching them against known public and private blacklists.

The diagrams below show how to enable DNS logging and DHCP logging.

DNS Logging:

From your DNS server's properties, ensure that the DNS logging options match the screenshot below.

Logging must be enabled on all internal DNS servers in the organization.

The maximum file size should be set as large as possible so that the log holds at least 3 days of DNS queries; the more data collected, the better the results.

The default location for the DNS log is %SystemRoot%\System32\DNS\Dns.log.

Image: DNS server debug logging options

DHCP Logging:


To map the IP addresses in the DNS logs to machine names, DHCP server logging must be enabled. If you have other means of identifying your machines by IP address and historical timestamp, DHCP logging is not required.


Below is how to enable DHCP logging.

Image: DHCP server audit logging options

DHCP audit logs are located by default at %windir%\System32\Dhcp.

The article below explains DHCP log monitoring:

http://www.techrepublic.com/article/solutionbase-using-audit-logs-to-monitor-dhcp-server/
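Once both logs are being collected, the forensic step the post describes is joining them: take the client IP and timestamp of each DNS query and look up which host held that IP at that moment in the DHCP audit log. The script below is an added example, not code from the original post; it assumes the default Dns.log packet-line layout and the DHCP audit-log CSV layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address, ...), and the sample log lines and blocklist are constructed.

```python
"""Correlate Windows DNS debug-log queries with DHCP audit-log leases.
Added example, not part of the original post. Assumes the default Dns.log
packet-line layout and the DHCP audit-log CSV layout (ID,Date,Time,
Description,IP Address,Host Name,MAC Address,...). Sample lines are constructed.
"""
import re
from datetime import datetime

DNS_LOG = """\
8/7/2018 10:12:30 AM 0D1C PACKET  0000014A6E2B0B90 UDP Rcv 192.168.1.50   0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/7/2018 10:20:05 AM 0D1C PACKET  0000014A6E2B0C10 UDP Rcv 192.168.1.50   0003   Q [0001   D   NOERROR] A      (8)bad-site(3)xyz(0)
"""
DHCP_LOG = """\
10,08/07/18,10:10:01,Assign,192.168.1.50,LAPTOP-A.corp.local,001122334455,
10,08/07/18,10:15:00,Assign,192.168.1.50,LAPTOP-B.corp.local,66778899AABB,
"""
BLOCKLIST = {"bad-site.xyz"}  # constructed; substitute your own intel feed

# Matches received queries only ("Rcv ... Q"); responses the server sends are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (?:UDP|TCP) Rcv (?P<ip>\S+)\s+"
    r"\S+\s+Q \[.*?\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)")

def decode_name(raw):
    """Turn the length-prefixed '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return ".".join(re.findall(r"\(\d+\)([^()]+)", raw))

def parse_dns(text):
    """Yield (timestamp, client_ip, qtype, name) for each query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            yield ts, m["ip"], m["qtype"], decode_name(m["name"])

def parse_dhcp(text):
    """Return lease events (time, ip, host) for Assign (ID 10) and Renew (ID 11) records."""
    leases = []
    for f in (line.split(",") for line in text.splitlines()):
        if len(f) >= 6 and f[0] in ("10", "11"):
            leases.append((datetime.strptime(f[1] + " " + f[2], "%m/%d/%y %H:%M:%S"), f[4], f[5]))
    return sorted(leases)

def host_at(leases, ip, when):
    """Host holding `ip` at `when`: the latest lease event at or before that time, else None."""
    return max((l for l in leases if l[1] == ip and l[0] <= when), default=(None, None, None))[2]

def correlate(dns_text, dhcp_text, blocklist):
    """One row per query: time, client IP, host at that time, qtype, name, blocklisted?"""
    leases = parse_dhcp(dhcp_text)
    return [(ts.isoformat(), ip, host_at(leases, ip, ts), qtype, name, name in blocklist)
            for ts, ip, qtype, name in parse_dns(dns_text)]
```

Note that the same IP resolves to two different hosts here because the lease changed hands between the two queries; this is exactly why the lookup must use the query timestamp and not just the IP.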


Enable Advanced logging for DNS server and DHCP
