Logging and Reviewing DNS Client queries in Windows using PowerShell

By default, Windows does not log DNS queries, but the log can be enabled.

The DNS client log can be found in Event Viewer under:
Applications and Services Logs > Microsoft > Windows > DNS Client Events > Operational
In Event Viewer, right-click the log and select "Enable Log" to begin logging.

To enable the log using PowerShell, with a maximum size of 16 MB:

# Get the log's configuration object (requires an elevated prompt to change it)
$log = Get-WinEvent -ListLog 'Microsoft-Windows-DNS-Client/Operational'
$log.IsEnabled = $True
$log.MaximumSizeInBytes = 16777216   # 16 MB; the log wraps and overwrites the oldest events once full
$log.SaveChanges()

To search the log for successful queries in PowerShell:

# Event ID 3008 is "DNS query is completed"; -FilterHashtable filters at the log level,
# which is much faster than reading every event and then filtering with Where-Object
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008 } | Out-GridView

To search for a specific domain, such as google.com:

# The wildcard match on Message is a substring match, so "*google.com*" also matches
# names such as notgoogle.com; narrow the pattern if that matters
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008 } |
    Where-Object { $_.Message -like "*google.com*" } | Out-GridView
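As an added example that is not part of the original post, the following function reads the queried name, record type and result status from the 3008 event's XML data instead of wildcard-matching the Message text, then summarises the most-queried names over a time window. The EventData field names (QueryName, QueryType, QueryStatus) and the function name are assumptions; check them against (Get-WinEvent ... -MaxEvents 1).ToXml() on your own host.

```powershell
# Added example (not the original post's code): summarise completed DNS client
# queries (event 3008) from the Operational log using the event's structured data.
# Assumption: the EventData fields are named QueryName, QueryType and QueryStatus.

function Get-DnsClientQuerySummary {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string]$NameFilter = '*'    # wildcard on the queried name, e.g. '*.example.com'
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-DNS-Client/Operational'
        Id        = 3008
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML so each EventData field can be read by name
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time   = $_.TimeCreated
            Name   = $data['QueryName']
            Type   = [int]$data['QueryType']    # 1 = A, 28 = AAAA, 5 = CNAME, 16 = TXT
            Status = [int]$data['QueryStatus']  # 0 = success, 9003 = NXDOMAIN, 9701 = no records
        }
    } | Where-Object { $_.Name -like $NameFilter }
}

# Usage: the 20 most-queried names in the last hour, successful lookups only
Get-DnsClientQuerySummary |
    Where-Object Status -eq 0 |
    Group-Object Name |
    Sort-Object Count -Descending |
    Select-Object -First 20 -Property Count, Name
```

Filtering on Status instead of on the Message text also lets you list failed lookups (for example Status 9003) separately, which is often the more interesting view when reviewing a host.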
