Event 22 DNS Query issue - not generating event from browsers #177

Open
patzak88 opened this issue Jan 28, 2023 · 11 comments

Comments

@patzak88

patzak88 commented Jan 28, 2023

Hello,

I have a problem with Event 22 DNS query. It doesn't generate events for the domains I am accessing. Tried from Edge and Chrome; I don't get Event 22 for them in Event Viewer (Sysmon/Operational).
I have this problem on every machine I have tested: 2 Windows 10 machines and one Windows Server 2019 (all of them VMs). Also on my main Windows 11 machine (not a VM) it is not working.

If I try a command from PowerShell like `IEX(New-Object Net.WebClient).DownloadString("www.apple.com")` it works, I can see Event 22 in Event Viewer, but from browser processes it won't work.
I sometimes see some events with domains from browser processes, but they were not accessed by me specifically.

I tried everything (I think):

  • updating the configuration with the -c command
  • uninstalling and reinstalling Sysmon
  • other Sysmon configurations
  • reboot
  • searched all over the internet but found nothing about this kind of issue.

Did anyone encounter this issue? What else can I do in order to make it work? Every help/suggestion is appreciated.

Thank you

@taherkaraki

taherkaraki commented Jan 28, 2023

Your browser most likely has a proxy, so the proxy resolved the DNS instead.

@patzak88
Author

Hello @taherkaraki,

Thank you for your feedback. It's not this. I don't have any proxy set. I forgot to mention that all of the machines I have tested on are newly installed (fresh Windows).

It must be something else, but I haven't figured out yet what it is.

@taherkaraki

Run Wireshark and see if you have any DNS traffic.

@patzak88
Author

@taherkaraki - I tested it with Wireshark: ran a capture, accessed websites, including apple.com below, and it shows the DNS traffic:

[image: Wireshark capture showing the DNS traffic]

but in the Sysmon Operational logs in Event Viewer there is no sign of them.

@taherkaraki

Are you sure your sysmon config does not exclude the browser?

@patzak88
Author

> Are you sure your sysmon config does not exclude the browser?

@taherkaraki I'm using the SwiftOnSecurity config. I changed nothing in it.

@taherkaraki

Comment from the config:

```xml
<!--OPERATIONS: Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
                Search for Group Policy for these browsers to configure this.-->
```

@patzak88
Author

@taherkaraki - disabled the DNS lookup setting in Edge ("Use secure DNS to specify how to lookup the network address for websites") and still no sign in Sysmon Operational of the DNS records from the websites I'm accessing.

@patzak88
Author

patzak88 commented Feb 4, 2023

Later update: it turns out that from Firefox I receive every DNS query in Event Viewer. The problem seems to be in Edge and Chrome. I did check the proxy settings and the DNS lookup setting; nothing that can solve this.
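To make the two checks discussed in this thread repeatable (does Sysmon see Event 22 for the browser process at all, and are the Chrome/Edge lookup paths that the config comment warns about policy-controlled), here is an added PowerShell diagnostic. It is not from the thread or from the Sysmon/SwiftOnSecurity projects; it assumes Sysmon logs to the default Microsoft-Windows-Sysmon/Operational channel and that it is run from an elevated prompt.

```powershell
# Added diagnostic, not code from the thread. Assumes the default Sysmon log name
# and an elevated session (reading that log and HKLM policy keys needs admin rights).
$LogName  = 'Microsoft-Windows-Sysmon/Operational'
$Browsers = 'chrome.exe', 'msedge.exe', 'firefox.exe'

# 1. Count Event 22 (DnsQuery) per browser image over the last hour. A browser you
#    just used that does not appear here resolved names outside the Windows DNS
#    client (the ETW source Sysmon's DnsQuery event is built on).
$filter = @{ LogName = $LogName; Id = 22; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Event 22 in $LogName during the last hour."
} else {
    $events |
      ForEach-Object {
          # Pull Image and QueryName out of the event's EventData XML.
          $x = [xml]$_.ToXml()
          $d = @{}
          foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
          [pscustomobject]@{ Image = (Split-Path $d.Image -Leaf).ToLower(); QueryName = $d.QueryName }
      } |
      Where-Object { $Browsers -contains $_.Image } |
      Group-Object Image |
      Select-Object @{ n = 'Image'; e = { $_.Name } }, Count |
      Format-Table -AutoSize
}

# 2. Report the Chromium policies that decide the resolution path. DnsOverHttpsMode
#    'secure'/'automatic' (DoH) and BuiltInDnsClientEnabled = 1 (browser's own
#    resolver) both bypass the OS resolver; 'off' and 0 force the path Sysmon hooks.
#    An unset value means the browser's built-in default applies.
$PolicyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}
foreach ($b in $PolicyKeys.Keys) {
    $p = Get-ItemProperty -Path $PolicyKeys[$b] -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Browser                 = $b
        DnsOverHttpsMode        = if ($p.DnsOverHttpsMode) { $p.DnsOverHttpsMode } else { '(not set)' }
        BuiltInDnsClientEnabled = if ($null -ne $p.BuiltInDnsClientEnabled) { $p.BuiltInDnsClientEnabled } else { '(not set)' }
    }
}
```

If the first table lists firefox.exe but not chrome.exe or msedge.exe while the second shows both policies unset, the symptom in this thread is reproduced and the browser defaults, not the Sysmon config, are what to adjust.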

@pulpon6

pulpon6 commented Jul 27, 2023

Same issue. Is there a solution?

@LIHAQ

LIHAQ commented May 31, 2024

Same problem.
