Trace DNS Activity

Do your automated tests sometimes fail with seemingly random connectivity issues? Would you like to figure out what the heck is going on when an app can't contact its associated website? Read on!

In today's post, I'm going to look at one way to trace DNS activity. DNS is the Domain Name System, and it is involved in one of the earliest steps of making an HTTP request, namely looking up the IP address of the domain in a URL so you can get in touch with the correct server. In future posts we'll look at other parts of the network stack.

Windows has a lot of instrumentation in place. I've talked about Event Tracing for Windows before, but today I want to talk about the event log instead. Knowing both mechanisms is handy: ETW might not have been running at the time, for example, but the data you're interested in may still have been saved to disk in an event log.

Event Logs

Windows Event Log is a management-focused event system, designed for system administrators and IT professionals to easily consume events.

The event log system was rather limited "back in the day", but today there is a ton of information available in these logs. These days it's built on top of ETW, so in principle you can get to the data through that.

Event logs add to ETW by providing a system-wide, durable store for events, as well as providing tools to manage policy around these logs and to examine, search and archive these logs.

The most common tool used to inspect the event logs is the Event Viewer. The classic Windows Logs (Application, Security, Setup, System) are there, as well as a large number of Applications and Services logs.

Windows Events Utility

wevtutil is the command-line tool you can use to work with event manifests, and query and export information from event logs.

The first command you'll want to run when playing with this tool is wevtutil el. This enumerates log names so you know what you can target next.

If you want to see the whole list clearly, I suggest piping that to a file - there are many, many event logs on your system.

Looking at DNS activity with wevtutil

Now, for this exercise, we want to keep the DNS events around. We use the set-log or sl command for that. Remember to run this in an Administrator console, otherwise you won't have permissions to edit the log configuration to enable it.

wevtutil sl Microsoft-Windows-DNS-Client/Operational /enabled:true

Now I'll open my browser and navigate to www.lopezruiz.net/, and then export the log and stop logging.

wevtutil export-log Microsoft-Windows-DNS-Client/Operational %temp%\dns.evtx
wevtutil sl Microsoft-Windows-DNS-Client/Operational /enabled:false

The easiest way to look at this interactively is to use the Event Viewer tool in Windows. When you start it, look for a line that reads "Open Saved Log..." on the right-hand pane, under the Action heading.

Once you have the log open, you can look for what you're interested in using the Properties or Find action links. For example, I can click on "Find...", type lopezruiz.net and press Enter, and it will take me to the event.

There I see the ETW-level details (source, event ID, task, opcode, etc.) as well as a string description ("Received response from DNS Server 2001:558:feed::2 for name www.lopezruiz.net and type 28 with response status 9003"), and I can also click on the Details tab at the bottom to see the structured values in the event data: QueryName (www.lopezruiz.net), QueryType (28), DnsServerIpAddress (2001:558:feed::2) and ResponseStatus (9003). Those numbers are worth decoding: query type 28 is AAAA, that is, an IPv6 address lookup, and 9003 is the Win32 code DNS_ERROR_RCODE_NAME_ERROR ("DNS name does not exist"), so this particular response was not a success.

Looking at DNS activity programmatically

Again, instead of using ETW, this time we'll be using the event log. Once you have your exported event log file, what can you do?

PowerShell to the rescue once again, with the Get-WinEvent cmdlet. To simply write out all the events, run Get-WinEvent -Path $env:temp\dns.evtx. That gives you a nice view like this one.

   ProviderName: Microsoft-Windows-DNS-Client

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
3/14/2020 11:18:55 PM         3008 Information      DNS query is completed for the name stories.monday.com...

To get a filtered view, you can use the -FilterXPath switch. The XML representation is described in Event Representation for Event Consumers, and you've already seen it in the context of ETW. So, for example, you could get a handful of entries with something like this (3008 is the "DNS query is completed" event shown above).

Get-WinEvent -Path $env:temp\dns.evtx -MaxEvents 3 -FilterXPath "*/System/EventID=3008"

If you want to see all the possible event identifiers and descriptions for a provider, run this command.

(Get-WinEvent -ListProvider Microsoft-Windows-DNS-Client).Events | Format-Table Id, Description
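Here is an added example, not code from the original post, that ties the two halves together: it wraps the capture steps (enable the log, do something, export, disable) in a function that disables the log again even if the action fails, and then parses the exported .evtx, indexing each event's structured fields by name rather than by position, so that responses can be grouped by status code. It assumes the export path $env:TEMP\dns.evtx used above, uses Resolve-DnsName as the traffic-generating action instead of opening a browser, and the status and type lookup tables are taken from winerror.h and the DNS RFCs; anything not in those tables is printed as a raw number. It has to run in an Administrator console.

```powershell
# Added example (not from the original post). Capture DNS-Client events around an
# action, then summarize the exported log by response status.
$DnsLog = 'Microsoft-Windows-DNS-Client/Operational'

function Invoke-DnsCapture {
    # Runs $Action with the operational log enabled, exports the log, and disables
    # it again even if $Action throws. Returns the path of the exported file.
    param(
        [Parameter(Mandatory)][scriptblock]$Action,
        [string]$OutFile = (Join-Path $env:TEMP 'dns.evtx')   # assumed path from the post
    )
    wevtutil sl $DnsLog /enabled:true
    if ($LASTEXITCODE -ne 0) { throw "Could not enable $DnsLog; is this an Administrator console?" }
    try {
        $null = & $Action
    }
    finally {
        # export-log refuses to overwrite an existing file, so drop any old export first.
        Remove-Item -LiteralPath $OutFile -ErrorAction SilentlyContinue
        wevtutil epl $DnsLog $OutFile
        wevtutil sl $DnsLog /enabled:false
    }
    $OutFile
}

function Get-DnsEvent {
    # One object per event with the fields the post shows in the Details tab.
    # Events that lack a field (e.g. 3008 "query is completed", which carries
    # QueryStatus rather than ResponseStatus) get $null for it.
    param([Parameter(Mandatory)][string]$Path)
    Get-WinEvent -Path $Path -ErrorAction Stop | ForEach-Object {
        # EventRecord.Properties is positional and unnamed; the XML keeps the
        # Name attribute of each <Data> element, so index by that instead.
        $xml = [xml]$_.ToXml()
        $f = @{}
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d -is [System.Xml.XmlElement]) { $f[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Name   = $f['QueryName']
            Type   = $f['QueryType']
            Server = $f['DnsServerIpAddress']
            Status = $f['ResponseStatus']
        }
    }
}

function Show-DnsFailures {
    # Groups the "Received response from DNS Server" events by response status and
    # prints a translated label plus a few affected names for each non-zero status.
    param([Parameter(Mandatory)][string]$Path)
    $statusNames = @{ 0 = 'SUCCESS'; 1460 = 'ERROR_TIMEOUT'
        9001 = 'DNS_ERROR_RCODE_FORMAT_ERROR'; 9002 = 'DNS_ERROR_RCODE_SERVER_FAILURE'
        9003 = 'DNS_ERROR_RCODE_NAME_ERROR';   9004 = 'DNS_ERROR_RCODE_NOT_IMPLEMENTED'
        9005 = 'DNS_ERROR_RCODE_REFUSED';      9501 = 'DNS_INFO_NO_RECORDS' }
    $typeNames = @{ 1 = 'A'; 5 = 'CNAME'; 12 = 'PTR'; 15 = 'MX'; 16 = 'TXT'; 28 = 'AAAA'; 33 = 'SRV' }

    $responses = @(Get-DnsEvent -Path $Path | Where-Object { $null -ne $_.Status })
    $distinct  = @($responses | Select-Object -ExpandProperty Name | Sort-Object -Unique).Count
    "{0} responses for {1} distinct names" -f $responses.Count, $distinct

    $responses | Where-Object { [int]$_.Status -ne 0 } | Group-Object Status |
        Sort-Object Count -Descending | ForEach-Object {
            $code  = [int]$_.Name
            $label = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { "status $code" }
            "{0,-36} {1,5}" -f $label, $_.Count
            foreach ($r in ($_.Group | Select-Object -First 5)) {
                $t  = [int]$r.Type
                $tn = if ($typeNames.ContainsKey($t)) { $typeNames[$t] } else { "type $t" }
                "    {0:HH:mm:ss}  {1,-5} {2}  (from {3})" -f $r.Time, $tn, $r.Name, $r.Server
            }
        }
}

# Usage: generate a lookup through the Windows resolver while capturing, then summarize.
$file = Invoke-DnsCapture -Action { Resolve-DnsName www.lopezruiz.net -Type AAAA -ErrorAction SilentlyContinue }
Show-DnsFailures -Path $file
```

Two design points: the log is disabled in a finally block so a failing test run does not leave verbose DNS logging switched on permanently, and the fields are read from the event XML by their Name attribute because the positional Properties array differs between event IDs, which is exactly why filtering on ResponseStatus being present, rather than on a hard-coded event ID, picks out the "Received response" events.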

If you were having a DNS issue, hopefully this will help you gather information. Or, you might just be horrified at the amount of DNS traffic that regularly goes on when you thought it was just a simple page refresh. But hey, knowledge is power.

Happy name resolving!

Tags: debugging, tutorial
