Gerald DiBernardo
asked on
Windows DNS Response Rate Limiting log question
Quick question, where does Windows store the DDoS attempts when RRL is enabled or in logonly mode? Would it log in the DNS Server event log? If so, what event ID would I be looking for? Or is there a log file, and if so, what is the path? Thanks!
ASKER
Thanks for the information. We are using Server 2016 for public DNS. I hadn't seen anything in the DNS Server event viewer that I could determine was related, so thought maybe it was logged elsewhere. Thanks for the info.
ASKER
Do you by chance know what the event ID is?
In the event log. You have to go past the normal event logs to the Applications and Services log, then expand the DNS-Server folder and view the log there. It'll have events that show when the RRL throttles DNS requests.
That said, you're not really likely to experience a DDoS attempt inside your network, so unless you're using your Windows Server for public DNS, rate limiting isn't very likely to trigger unless you set caps very low. Now, an internal DoS attack (non-DDoS, since those tend to focus on public server attacks with millions of systems hitting at the same time) might be an issue, but internal DoS is fairly uncommon these days since it typically alerts people to a problem and hackers need time to get admin creds. They want to stay as quiet as possible as long as possible.
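
Added example, not part of any post in this thread: since no event ID is given above, this PowerShell sketch confirms the RRL mode and then summarises, per DNS server event channel, which event IDs were actually logged in the last 24 hours, so RRL-related entries can be picked out from their message text. It assumes an elevated session on the DNS server with the DnsServer module installed; the wildcard channel match and the 24-hour window are choices made for this example.

```powershell
# Added example (hypothetical triage script); run elevated on the DNS server.
Import-Module DnsServer

# 1. Confirm RRL is active. Mode is Disable, Enable or LogOnly.
$rrl = Get-DnsServerResponseRateLimiting
"RRL mode: {0}  ResponsesPerSec: {1}  ErrorsPerSec: {2}  WindowInSec: {3}" -f `
    $rrl.Mode, $rrl.ResponsesPerSec, $rrl.ErrorsPerSec, $rrl.WindowInSec

# 2. Discover the DNS server channels instead of hard-coding their names.
#    This matches the classic "DNS Server" log and the channels shown under
#    Applications and Services Logs.
$logs = Get-WinEvent -ListLog '*DNS*Server*' -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled }

# 3. Summarise the last 24 hours of each channel by event ID, with one
#    sample message per ID so throttling entries can be recognised.
$since = (Get-Date).AddHours(-24)
foreach ($log in $logs) {
    $query = @{
        FilterHashtable = @{ LogName = $log.LogName; StartTime = $since }
        ErrorAction     = 'SilentlyContinue'
    }
    # Analytical and debug channels can only be read oldest-first.
    if ($log.LogType -in 'Analytical', 'Debug') { $query.Oldest = $true }

    Get-WinEvent @query |
        Group-Object Id |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0].Message
            if ($first) { $first = ($first -split "`r?`n")[0] }
            [pscustomobject]@{
                Log    = $log.LogName
                Id     = $_.Name
                Count  = $_.Count
                Sample = $first
            }
        }
}
```

Channels that are disabled are skipped, so an empty result for a channel can mean it is not enabled rather than that nothing was throttled.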