Event 22 DNS Query issue - not generating event from browsers

[patzak88]

Hello,

I have a problem with Event 22 DNS query. It doesn`t generate the events with the domains I am accessing. Tried from edge, chrome, I dont get Event 22 for them in Event Viewer (Sysmon/Operational). I have this problem on every machine I have tested : 2 windows 10 machines and one windows server 2019 (all of them VMs. Also on my main windows 11 machine. (not VM) is not working.

If I try a command from powershell like : IEX(New-Object Net.WebClient).DownloadString("www.apple.com") it works, I can see Event 22 in Event Viewer, but from browser processes it wont work. I sometimes see some events with domains from browser process but they were not accessed by me specifically.

I tried everything (I think) :

• updating the configuration with -c command
• uninstall and reinstall sysmon
• other sysmon configurations
• reboot
• searched all over the internet but nothing found about this kind of issue.

Did anyone encounter this issue? What else can I do in order to work ? Every help/suggestion is appreciated.

Thank you

[taherkaraki]

Your browser has a proxy most likely, so the proxy resolved the dns instead

[patzak88]

Hello @taherkaraki ,

Thank you for your feedback. Its not this. I don`t have any proxy set. I forgot to mention that all of the machines which I have tested on are newly installed (fresh Windows).

Must be something else but I didn`t yet figure it out what it is.

[taherkaraki]

Run wireshark and see if you have any dns traffic

[patzak88]

@taherkaraki - I tested it with wireshark. ran capture, accessed websites, including below apple.com, and it shows the DNS traffic:

but on the sysmon operational event viewer logs - no sign of them

[taherkaraki]

Are you sure your sysmon config does not exclude the browser?

[patzak88]

Are you sure your sysmon config does not exclude the browser?

@taherkaraki i'm using the swifton config. I changed nothing in it.

[taherkaraki]

Comment From config:

    <!--OPERATIONS: Chrome and Firefox prefetch DNS lookups, or use alternate DNS lookup methods Sysmon won't capture. You need to turn these off.
                    Search for Group Policy for these browsers to configure this.-->

[patzak88]

@taherkaraki - disabled the DNS lookup setting in edge (Use secure DNS to specify how to lookup the network address for websites) and still no sign in Sysmon operational of the DNS records from websites I`m accessing.

[patzak88]

later update: it turns out that from firefox I receive every DNS query in Event Viewer. the problem seems to be in edge and chrome. did checked the proxy settings, DNS lookup - nothing which can solve this

[pulpon6]

Same issue, Is there a solution?

[LIHAQ]

同样的问题

[OlexTratisky]

hello, i am having same issue here. Chrome and Edge seem not to work? even with the policies disabled. Any workaround? anyone got it working ? thanks