Resolve DNS visibility without impacting production

Complete DNS telemetry from Windows DNS servers - without compromise.

Stream over 300,000 DNS events per second directly from your servers - no packet capture, no debug logging, no disk I/O.

Example DnsStream event
{
  "timestamp": "2000-01-01T19:00:00Z",
  "host":      "windows2025",
  "schema":    1,
  "type":      "client-response",
  "data": {
    "client":  "192.168.68.164",
    "server":  "192.168.68.162",
    "port":    61776,
    "proto":   "udp",
    "size":    89,
    "txid":    1085,
    "flags":   {...},
    "qname":   "www.telemity.com.",
    "qdomain": "telemity.com.",
    "qclass":  "IN",
    "qtype":   "A",
    "rcode":   "NOERROR",
    "answers": [
      {
        "name":    "www.telemity.com.",
        "domain":  "telemity.com.",
        "ttl":     600,
        "rrclass": "IN",
        "rrtype":  "A",
        "data":    "20.47.114.0"
      }
    ],
    "authority":  [],
    "additional": []
  }
}

DNS is one of the highest-signal data sources in your environment.

Security operations

Detect malicious activity early.

DNS reveals early indicators of compromise, including command-and-control callbacks, malware staging, and data exfiltration. High-fidelity DNS telemetry helps security teams detect, investigate, and reconstruct attacker behaviour across systems.

Threat intelligence

Correlate with known indicators.

DNS activity can be correlated with threat intelligence feeds and suspicious infrastructure, providing context on how domains are used and helping distinguish benign traffic from real threats.

Observability & operations

Reveal system dependencies.

Observe how systems communicate in real time, identify service dependencies, troubleshoot resolution failures, and detect unexpected or misconfigured connections.

Compliance & audit

Identify external communication.

DNS telemetry provides a record of external communication, supporting auditing and investigation by showing which domains were accessed, when, and by which systems.
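As an added example (not DnsStream's own code), here is a small collector-side consumer that parses forwarded DnsStream events and applies the threat-intelligence correlation described above: it matches each response's qdomain against a constructed watchlist and counts NXDOMAIN responses per client. It assumes the JSON-over-TCP output is newline-delimited, one event per line, and uses a constructed sample modelled on the event schema shown earlier.

```python
import json
from collections import Counter
from typing import Iterable, Iterator

# Constructed sample: two newline-delimited DnsStream events, modelled on the
# page's example schema ("flags" omitted). One JSON object per line is an
# assumption about the forwarder's framing, not something the page states.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2000-01-01T19:00:00Z", "host": "windows2025", "schema": 1,
     "type": "client-response",
     "data": {"client": "192.168.68.164", "qname": "www.telemity.com.",
              "qdomain": "telemity.com.", "qtype": "A", "rcode": "NOERROR",
              "answers": [{"name": "www.telemity.com.", "rrtype": "A",
                           "ttl": 600, "data": "20.47.114.0"}]}},
    {"timestamp": "2000-01-01T19:00:01Z", "host": "windows2025", "schema": 1,
     "type": "client-response",
     "data": {"client": "192.168.68.164", "qname": "abc123.bad.example.",
              "qdomain": "bad.example.", "qtype": "A", "rcode": "NXDOMAIN",
              "answers": []}},
])

# Constructed watchlist of registrable domains (trailing dot, as DnsStream emits).
WATCHLIST = {"bad.example."}

def parse_events(lines: Iterable[str]) -> Iterator[dict]:
    """Decode newline-delimited JSON, keeping only schema-1 client responses."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("schema") != 1 or event.get("type") != "client-response":
            continue  # unsupported schema or a query/other event type
        yield event

def find_matches(events: Iterable[dict], watchlist=WATCHLIST) -> list[dict]:
    """One finding per response whose registrable domain (qdomain) is on the watchlist."""
    findings = []
    for ev in events:
        d = ev["data"]
        if d.get("qdomain") in watchlist:
            findings.append({"timestamp": ev["timestamp"], "client": d["client"],
                             "qname": d["qname"], "rcode": d["rcode"],
                             "answers": [a["data"] for a in d.get("answers", [])]})
    return findings

def nxdomain_counts(events: Iterable[dict]) -> Counter:
    """NXDOMAIN responses per client; a sudden spike is a common DGA or probing indicator."""
    return Counter(ev["data"]["client"] for ev in events if ev["data"].get("rcode") == "NXDOMAIN")

def analyse(ndjson_text: str) -> dict:
    """Run both checks over one batch of forwarded events (e.g. lines read from the TCP socket)."""
    events = list(parse_events(ndjson_text.splitlines()))
    return {"matches": find_matches(events), "nxdomain": nxdomain_counts(events)}
```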

Extracting that signal reliably from Windows DNS servers is not straightforward.

Debug logging

Windows DNS debug logging writes synchronously to disk at high volume and produces unstructured text output. It was designed for troubleshooting, not continuous telemetry, and introduces significant I/O overhead on production servers.

Packet capture

Packet capture relies on kernel drivers or permanently elevated permissions, increasing attack surface on critical infrastructure. It also requires reconstructing and decoding traffic that the DNS server has already processed, adding complexity and potential visibility gaps.

Other ETW consumers

ETW is the correct telemetry source for Windows DNS. However, most ETW-based tooling captures only query metadata and does not parse the embedded DNS packet data, resulting in incomplete visibility while still adding overhead under load.

Existing approaches force teams to choose between visibility and operational risk.

DNS telemetry should come directly from the Windows DNS service itself.

DnsStream: The right way to capture DNS telemetry on Windows

DnsStream is a lightweight agent that runs directly on Windows DNS servers, capturing events at the source and forwarding structured telemetry to your existing security platform. It collects complete, reliable DNS data without impacting production.

It does one job - and does it completely

  • DnsStream does not analyze or interpret DNS data.
  • No detection logic. No analytics layer. No lock-in.
  • Just complete, reliable telemetry - delivered where it belongs.

Built for real-world DNS environments

Complete DNS visibility

Every response includes the full answer, authority, and additional sections — with all resource records and TTLs intact.

Zero production impact

Passive ETW-based capture introduces no hooks into the DNS service, no latency, and no disruption.

No packet capture required

No kernel drivers. No promiscuous mode. No reassembly. Everything is captured after parsing, inside Windows.

Predictable resource usage

Fixed memory footprint. No disk I/O in the data path. CPU scales with query volume.

Windows DNS Server (DNS Server service, dns.exe · port 53; ETW provider: Microsoft-Windows-DNSServer)
  -> Windows ETW subsystem (kernel-buffered ETW session: in-memory · no disk I/O · real-time delivery)
  -> Real-time consumer callback
  -> DnsStream process

DnsStream processes events through a simple, in-memory pipeline.


01 / RECEIVE

Receive events (ETW callback)

The ETW callback fires synchronously for each DNS event. DnsStream reads the structured event fields and hands off immediately to avoid blocking the ETW delivery thread.

02 / QUEUE

Queue (in-memory ring buffer)

Parsed events are placed into a configurable in-memory ring buffer. This decouples capture from forwarding and absorbs bursts in DNS query volume. Buffer size is set in the configuration file.

03 / PARSE

Parse and normalise records

DNS records are normalised into their familiar textual representation. Unknown types are preserved as hex-encoded RDATA so they remain intact for downstream processing.

04 / FORWARD

Serialise and forward

A dedicated forwarding thread drains events from the queue, serialises them into the configured output format, and transmits to the configured forwarding target over TCP or TLS.

Deploy in minutes. No dependencies.

  • Single ~1 MB signed binary
  • No installer, runtime, or reboot
  • Configured via a single plain text file
  • Runs as a Windows service and is fully scriptable

You can see exactly what the install script does - nothing hidden.

PowerShell
# Download and unpack the signed release, then run the bundled install script.
iwr https://telemity.com/downloads/dnsstream/1.0.0/dnsstream-1.0.0-windows-x64.zip -OutFile dnsstream-1.0.0-windows-x64.zip
Expand-Archive -Path dnsstream-1.0.0-windows-x64.zip -DestinationPath .
cd dnsstream-1.0.0-windows-x64
.\install.ps1
# Append the forwarding target to the config file. Add-Content is used instead of
# Write-Host with >>, because Write-Host writes to the console/information stream
# and the >> redirect would append nothing to the file.
Add-Content -Path "$Env:ProgramData\Telemity\DnsStream\dnsstream.conf" -Value "network-target ipv4 192.168.68.101 1514"
Start-Service -Name "Telemity DnsStream"

Passive by design. Built for production DNS infrastructure.

  • > 300,000 events per second forwarded
  • ~25% of the CPU consumed by dns.exe itself
  • ~115 MB total process memory
  • Zero disk I/O in data path

If DnsStream stops, the DNS service continues unaffected.

Performance example: Windows Server 2025 DNS (~10,000 qps)

Resource    Characteristic               Value        Notes
CPU         dns.exe usage                ~4%          Proportional ratio - scales with query volume
CPU         DnsStream usage              ~1%          Proportional ratio - scales with query volume
Memory      Process footprint            ~115 MB      Fixed; set by ring buffer size (default 100 MB queue)
Throughput  DNS queries consumed         10,000 qps   Sustained during testing
Throughput  Telemetry events forwarded   20,000 eps   Both the query and its response
Network     DNS traffic                  14 Mbps      7 Mbps inbound and outbound for DNS queries and responses
Network     Telemetry forwarding         70 Mbps      Event forwarding over TLS
Disk I/O    Telemetry pipeline writes    None         Entire pipeline operates in memory
Disk I/O    Windows Event Log writes     Every 10m    Application metrics; configurable interval

Start Free. Scale When You Need To.

Deploy DnsStream in production today and upgrade without changing deployment architecture or telemetry fidelity.

DnsStream Core

Fully functional and safe for production use.

Free to use. No licence required.

Full-fidelity DNS telemetry captured directly from the Windows DNS ETW provider. Core and Assured use the same telemetry pipeline with no event-rate limitations.

Download Core

DnsStream Assured

Extends the core telemetry engine with enterprise resilience, authenticated transport, and operational support.

Assured licensing from £950 per DNS server annually.

Designed for larger and operationally critical deployments. Scale to enterprise deployments without changing how DnsStream is deployed or operated.

Request Assured pricing
Core capabilities

  • Lightweight signed Windows Service
  • Passive ETW-based real-time telemetry capture
  • Full DNS message parsing including answer, authority, and additional sections
  • Fixed-size in-memory queue
  • JSON over TCP forwarding
  • BIND querylog format over Syslog
  • Domain enrichment (DNS-aware parsing)
  • IPv4, IPv6 and FQDN forwarding targets
  • TLS encrypted transport
  • Schema stability guarantees
  • Processing and forwarding metrics
  • ZIP-based deployment with install.ps1 and uninstall.ps1

Assured capabilities

  • Load-balanced telemetry delivery across multiple forwarding targets
  • Automatic failover and recovery during collector or network outage
  • Mutual TLS (client certificate authentication)
  • Customer portal access
  • SLA-backed support

Deploy Core. Buy Assured.

DnsStream Core is fully functional and production-safe.

Organizations adopt Assured when DNS telemetry becomes operationally critical infrastructure and requires stronger guarantees around resilience, transport security, and support. The telemetry pipeline, capture engine, and deployment model remain identical between Core and Assured.

About Telemity

Built by engineers focused on telemetry done right

Telemity builds software that collects and forwards telemetry from mission-critical systems - quietly, reliably, and without impacting production.

We focus on the part most systems get wrong: the collection layer. If the data is incomplete, delayed, or unreliable, everything built on top of it is compromised.

We don't do detection. We don't do analytics. We don't bundle enforcement logic into a telemetry agent. We build the foundation those systems depend on - and we build it to the same standards as any other piece of production infrastructure.

"The right telemetry layer doesn't make your SIEM smarter. It makes everything your SIEM does more trustworthy."

Get complete DNS visibility without compromise.

Deploy DnsStream in minutes. See your DNS data immediately.