How does MDI monitor DNS Requests?

The Microsoft Learn documentation states that MDI monitors all DNS requests that are performed against the domain controller. I wonder how this is done: via event logs, the DNS log file, or ...?


Is there perhaps a blog article on how MDI works under the hood?


Can you help me out on this one @Martin_Schvartzman ?

best response confirmed by NinjaKitty (Brass Contributor)


The MDI sensor also listens to the network traffic, so it can see the DNS queries from the network packets by the protocol (and/or port).
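
To make the "sees DNS queries from the network packets by the protocol and/or port" part concrete, here is an added example of that idea written for this thread; it is not code from the MDI sensor or from Microsoft. It assumes captured packets are handed over as tuples of (source IP, source port, destination port, UDP payload), selects the ones addressed to port 53, and decodes the DNS question section (including RFC 1035 name compression) to recover the queried name and record type. The sample packets, IP addresses and host names are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

DNS_PORT = 53

# Common DNS record type numbers (RFC 1035, RFC 2782, RFC 3596); used only for labelling.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}


@dataclass
class DnsQuery:
    txid: int      # transaction id from the DNS header
    qname: str     # queried name, labels joined with dots
    qtype: str     # record type name (or number if unknown)
    src: str       # source IP of the client that sent the query


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original byte stream)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # stream continues after the pointer
            jumped, hops = True, hops + 1
            if hops > 16:                               # guard against pointer loops
                raise ValueError("pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                                 # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels) or ".", end


def parse_dns_query(payload: bytes, src: str) -> Optional[DnsQuery]:
    """Return the first question of a DNS query message, or None if payload is not a query."""
    if len(payload) < 12:                               # DNS header is 12 bytes
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:                  # QR bit set means response; skip it
        return None
    try:
        qname, off = _read_name(payload, 12)
        if off + 4 > len(payload):
            return None
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    except ValueError:
        return None
    return DnsQuery(txid, qname, QTYPE_NAMES.get(qtype, str(qtype)), src)


def extract_dns_queries(packets: Iterable[Tuple[str, int, int, bytes]]) -> List[DnsQuery]:
    """Pick DNS queries out of a packet stream by destination port, then by protocol parsing."""
    found = []
    for src_ip, _sport, dport, payload in packets:
        if dport != DNS_PORT:                           # port-based selection first
            continue
        query = parse_dns_query(payload, src_ip)        # then protocol-level validation
        if query is not None:
            found.append(query)
    return found


def build_dns_message(txid: int, name: str, qtype: int, flags: int = 0x0100) -> bytes:
    """Constructed helper: encode a one-question DNS message (default flags: standard query, RD set)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed sample capture: two DC-bound queries, one TLS packet, one DNS response.
SAMPLE_PACKETS = [
    ("10.0.0.15", 51000, 53, build_dns_message(0x1A2B, "_ldap._tcp.dc._msdcs.corp.example", 33)),
    ("10.0.0.22", 51001, 53, build_dns_message(0x2C3D, "fileserver.corp.example", 1)),
    ("10.0.0.22", 51002, 443, b"\x16\x03\x01" + b"\x00" * 20),
    ("10.0.0.1", 53, 51001, build_dns_message(0x2C3D, "fileserver.corp.example", 1, flags=0x8180)),
]

if __name__ == "__main__":
    for q in extract_dns_queries(SAMPLE_PACKETS):
        print(f"{q.src} asked {q.qtype} {q.qname} (id 0x{q.txid:04x})")
```

Two details matter when doing this for real rather than on constructed packets: responses (QR bit set) are filtered out so that only client queries are counted, and a name that compresses badly or is truncated is rejected instead of raising, so a single malformed packet cannot stop the collector. This is also why a capture that misses packets (the "only a few of all DNS queries" symptom asked about further down) shows up as missing query records rather than as errors.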


That is interesting. What could be wrong if it doesn't, or rather only gets a few of all DNS queries? (not standalone)

Microsoft Defender for Identity (MDI) monitors DNS requests and other activities on the domain controller to detect and investigate security threats. MDI collects data through several methods, including event logs, network traffic, and performance counters.
For DNS requests, MDI primarily relies on network traffic monitoring. It inspects the packets that are transmitted and received by the domain controller, looking for DNS requests and other relevant information. This allows MDI to detect and analyze anomalous DNS activities that could indicate potential security threats.
MDI Overview: or MDI architecture:
These resources give us great information about MDI components and how they work.
If MDI is not capturing all DNS queries or only capturing some of them, there could be several reasons:
1- Configuration issues: Ensure that the MDI sensor is properly installed and configured on the domain controller. Double-check the configuration settings, as incorrect settings may result in incomplete DNS query monitoring.
2- Network issues: MDI captures DNS queries by monitoring network traffic. Network issues or misconfigurations could prevent the MDI sensor from correctly inspecting DNS requests. Verify that the network infrastructure is correctly set up, and the MDI sensor has access to the required network traffic.
3- Firewall or security software: Firewalls or security software may inadvertently block or filter the DNS traffic that MDI needs to monitor. Check the firewall settings and security software configurations to ensure that they are not interfering with MDI's functionality.
4- Packet capture limitations: The MDI sensor may have limitations on the number or size of packets it can capture in a given time. If the domain controller is experiencing a high volume of DNS queries or network traffic, the sensor may not be able to capture and analyze all of them.
5- Filtering settings: MDI might be configured to filter out certain DNS requests based on specific criteria. Review the filtering settings in MDI to ensure that they are not too restrictive.

To resolve this, you can do the following:
1- Verify the MDI sensor's installation, configuration, and health status in the MDI portal.
2- Check the domain controller's event logs for any error messages or warnings related to MDI.
3- Inspect the network traffic on the domain controller to ensure that the DNS requests are reaching the MDI sensor.
4- Review the MDI documentation and support resources for guidance on resolving known

Thank you for your reply. I will have my colleagues check these.
You're welcome @NinjaKitty