Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Need a KQL query to ensure DNS forwarders are responding to DNS requests and they are correctly responding to DNS queries
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 44%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Pardeep
100
Reputation points
How can we check the DNS forwarders are correctly responding to DNS requests by using KQL queries with the log-analytics workspace.
Azure Monitor
Microsoft Security | Microsoft Sentinel
Microsoft Security | Microsoft Sentinel
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
{count} votes
-
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator2023-08-28T10:48:02.77+00:00 Hello @Pardeep ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how to check if the DNS forwarders are correctly responding to DNS requests by using KQL queries with the log-analytics workspace.
Azure DNS currently does not support Diagnostic logging via Log Analytics workspace. As of today, Azure DNS only provides metrics for you to monitor specific aspects of your DNS zones.
Refer: https://learn.microsoft.com/en-us/azure/dns/dns-alerts-metrics
However, detailed DNS query logging is in the roadmap of Azure DNS and will be available in future (last I heard the private preview may be available by H1CY24, but this ETA is not fixed and is subject to change depending on various factors).
This feature is already under review for global release. You can upvote the feature in the below feedback forum:
https://feedback.azure.com/d365community/idea/5ab45f92-f125-ec11-b6e6-000d3a4f06a4
For the time being, you can use the basic troubleshooting steps to validate any DNS resolution issues.
Refer: https://learn.microsoft.com/en-us/azure/dns/dns-troubleshoot#i-cant-resolve-my-dns-record
https://learn.microsoft.com/en-us/windows-server/networking/dns/troubleshoot/troubleshoot-dns-client
https://learn.microsoft.com/en-us/windows-server/networking/dns/troubleshoot/troubleshoot-dns-server
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
-
Pardeep 100 Reputation points
2023-08-28T15:39:12.6633333+00:00 Hi @GitaraniSharma-MSFT Thanks for Quick answer, as per your comment "As of today, Azure DNS only provides metrics for you to monitor specific aspects of your DNS zones." can you help me how can I monitor the below scenarios.
1.The monitor should send the query directly to the DNS forwarder VM's IP address instead of routing it through the load balancer.
a. Run a query through the load balancer. We need to also monitor the load balancer is functioning.
2.The monitor should validate both an externally resolvable DNS name (e.g. [www.google.com]) and also an internal name (this name has to be one guaranteed to be resolvable and not one that might be removed).
3.The actual IP address returned isn't important as long as an IP address is returned and the request doesn't return an error or time out.
-
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator
2023-08-29T09:04:10.8766667+00:00 Hello @Pardeep ,
Yes, as of today, Azure DNS only provides metrics for you to monitor specific aspects of your DNS zones. And it includes very limited metrics. The details are available in the below doc:
https://learn.microsoft.com/en-us/azure/dns/dns-alerts-metrics
But maybe your question is a bit different, and I didn't understand it the first time. So, let me clarify it.
Are you talking about Azure Public DNS zone requests/queries, or you are talking about DNS server requests/queries?
When I say DNS server, I mean a DNS server deployed on Azure VM. I'm asking because in your follow-up question you've mentioned "the monitor should send the query directly to the DNS forwarder VM's IP address".
If your question is related to DNS server logs, then you may refer the below docs:
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-dns-events-via-ama
https://learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama
Regards,
Gita
-
-
Pardeep 100 Reputation points
2023-08-29T15:42:36.83+00:00 Hi @GitaraniSharma-MSFT , sorry for the confusion. I'm talking about DNS server requests/queries.
- How can we check whether the DNS forwarders are responding to DNS requests.
- In our Azure infrastructure we use custom DNS servers in Virtual networks, then this DNS server is the Azure load balancer frontend IP Address -> then this load balancer has two backend pools of DNS Forwarders(VM's).
-
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator
2023-08-30T10:00:17.4966667+00:00 Thank you for the update, @Pardeep .
Since your question is not related to Azure DNS zones but is related to DNS log collection from custom DNS servers in Virtual networks, I'm re-tagging the question with Azure Monitor and Microsoft Sentinel tags, so that the respective SMEs can assist you further.
AFAIK, to get DNS logs from your DNS servers, you need to use Azure Monitoring agent (AMA).
Refer: https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-dns-events-via-ama
https://learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama
Regards,
Gita
-
Clive Watson 7,951 Reputation points MVP Volunteer Moderator2023-08-30T11:15:17.1633333+00:00 Do you have DnsEvents or the MMA/AMA on those Virtual Machines - if so you can use the Heartbeat table and or something based on this?
DnsEvents | summarize count(), arg_max(TimeGenerated,*) by Computer | extend lastCall = datetime_diff('minute',now(),TimeGenerated) -
Pardeep 100 Reputation points
2023-08-31T15:42:40.5+00:00 Hi @Clive Watson ,
Can we monitor DNS forwarders using any Powershell script.
Is there any feature available in the azure monitor to check the DNS queries hosted on Azure VM?
-
Clive Watson 7,951 Reputation points MVP Volunteer Moderator
2023-09-01T10:01:12.0233333+00:00 You can setup a Log Alert https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-types#log-alerts or do much the same in Sentinel looking at the DNSEvents table, which has this type of info
-
Pardeep 100 Reputation points
2023-09-05T16:32:12.61+00:00 - From the above DNSEvents table, I could not see the DNS request where DNS Forwarder responding correctly.
- Can you please help me with the appropriate table where I can see that DNS Forwarder responding correctly to DNS requests.
-
Pardeep 100 Reputation points
2023-09-15T16:25:12.2166667+00:00 Hi @Clive Watson @Clive Watson - MSFT
PFB error it states that DNSEvents table does not exist please provide the appropriate table for DNSEvents.
-
Sign in to comment
Sign in to answer