Missing DNS requests on Windows machine

Hey,

I'm investigating outbound DNS connections from an Active Directory Domain Controller. It contacted the DNS server tm1.edgedns-tm.info which is apparently owned by Microsoft. Nothing overly suspicious, but I wanted to check which process did this request, ignoring the system-wide DNS setting.

So I go to check logs from my Elastic Endpoint Integration (7.15 Agent, integration v1.1.1), but there are no traces of a DNS request to that IP.

Maybe it is expected that some system-level DNS request may not be covered by the Endpoint Integration? E.g. requests sent by MS Defender which may be out of reach for the Elastic solution.

I'm fairly certain I searched for the correct parameters. My firewall logs state clearly that it was a connection to 13.107.222.240 (tm1.edgedns-tm.info) on port 53/udp, so nothing fancy. I even searched the entire "logs-*" pattern for destination.ip: 13.107.222.240 with sufficiently large time frame - nothing came back. I do see DNS requests from the host in question, recorded by the endpoint integration. Just not to 13.107.222.240.

I can provide Endpoint logs, but I can already state that %ProgramFiles\Elastic\Agent\data\elastic-agent-x\logs\elastic-agent-json.log contains only "information" level logs. Agent status is "healthy" in Fleet.

You may need to check if you have the correct integration assigned to your endpoint agent policy.
Under endpoint agent, integrations you should have "Windows" integration added to the policy.

Thanks for the ideas. I doubt that this is the issue though.
For one, the DNS logs should be coming from the Endpoint Security Integration, not the Windows Integration:

Then, I already do see DNS requests - except requests to this specific IP.

Lastly, the windows integration is also present in my agent config.

Hm. I think I've found some of the DNS requests. They can be found with event.dataset: endpoint.events.network and network.protocol: dns.
The events seem to stem from a sysmon-style log that Elastic Endpoint internally uses. They even have a plain text message attached.

These events do not have a destination IP attached. Instead of destination.port, They use the field network.destination.port: 53, which is not an official ECS field . I think I'll raise an issue on Github about it...

image

I've managed to talk to the great @jamesspi on Slack about this, and for future reference:

Currently, the endpoint integration does not log raw UDP 53 traffic. It seems to be an exception because for DNS, there are more higher quality logs available directly from the OS. However, these logs unfortunately don't contain the contacted DNS server IP. So the data I was searching for is not there as it stands right now (7.15).

2 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.