We have the Universal Forwarder installed on an MS Windows 2012 DNS server.
What is the best way to collect all the DNS queries by client and the responses sent back by the DNS server?
You can also install and configure sysmon.
https://technet.microsoft.com/en-us/sysinternals/sysmon
http://blogs.splunk.com/2014/11/24/monitoring-network-traffic-with-sysmon-and-splunk/
The event code that would interest you is EventCode=3
You're also able to see which application is making the DNS query and any command line entries initiating the communication.
I'm using it on my home lab and have worked contracts in the past where customers were leveraging sysmon logs with Splunk. If you choose to use this option, make sure you filter events properly, both in the sysmon.xml config and in your inputs.conf (for Windows events) and/or props.conf/transforms.conf for sending noisy events to a nullQueue. Ensure you test it first. Sysmon can generate an absurd amount of logs if not configured correctly.
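As an added worked example (not code from the thread above, and not an official Sysmon or Splunk configuration), the following PowerShell script applies the filtering advice from the previous answer at all three layers: a Sysmon config that keeps only EventCode 3 for port 53, a forwarder inputs.conf that whitelists EventCode 3, and a props.conf/transforms.conf pair that routes a noisy process to nullQueue. The executable path, the forwarder app directory and the process name `noisyagent.exe` are hypothetical placeholders. Two caveats worth keeping in mind: a Sysmon EventCode 3 record carries the process image, user, and source/destination address and port, but not the DNS name that was queried, so it tells you which process talked to which resolver rather than what it asked; and props/transforms nullQueue routing only takes effect on an indexer or heavy forwarder, since a universal forwarder does not run the parsing pipeline.

```powershell
# Added example, not from the original thread. Run elevated on the DNS server.
# Hypothetical paths/names (assumptions): Sysmon64.exe location, the UF app
# directory, and "noisyagent.exe" as a stand-in for a process you want dropped.
$SysmonExe  = 'C:\Tools\Sysmon64.exe'                                                  # assumption
$SysmonCfg  = 'C:\Tools\sysmon-dns.xml'                                                # assumption
$UfAppLocal = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-dns-collect\local' # assumption
$IdxAppLocal = 'C:\Tools\splunk-indexer-app\local'   # staged here, deploy to indexers  # assumption

# 1. Sysmon filter. NetworkConnect is off by default; the include rule turns it on
#    only for port 53. Exclude rules win over include rules, so the noisy process is
#    never written. An include block with no rules disables that event type entirely.
$sysmonXml = @'
<Sysmon schemaversion="3.30">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">53</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">\noisyagent.exe</Image>
    </NetworkConnect>
    <ProcessCreate onmatch="include"></ProcessCreate>
    <ProcessTerminate onmatch="include"></ProcessTerminate>
    <DriverLoad onmatch="include"></DriverLoad>
    <CreateRemoteThread onmatch="include"></CreateRemoteThread>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $SysmonCfg -Value $sysmonXml -Encoding ASCII

# Install on first run; afterwards push the new config into the running service.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $SysmonCfg
} else {
    & $SysmonExe -accepteula -i $SysmonCfg
}

# 2. Forwarder side: subscribe to the Sysmon channel and whitelist EventCode 3 so
#    nothing else leaves the host even if the Sysmon filter is later loosened.
$inputsConf = @'
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
whitelist = 3
renderXml = false
'@
New-Item -ItemType Directory -Path $UfAppLocal -Force | Out-Null
Set-Content -Path (Join-Path $UfAppLocal 'inputs.conf') -Value $inputsConf -Encoding ASCII

# 3. Indexer/heavy-forwarder side: drop leftover noise at parse time. The
#    sourcetype below matches renderXml = false; with renderXml = true the
#    stanza would be XmlWinEventLog:Microsoft-Windows-Sysmon/Operational.
$propsConf = @'
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-drop_dns_noise = sysmon_drop_dns_noise
'@
$transformsConf = @'
[sysmon_drop_dns_noise]
REGEX = (?m)^Image:\s+.*\\noisyagent\.exe\s*$
DEST_KEY = queue
FORMAT = nullQueue
'@
New-Item -ItemType Directory -Path $IdxAppLocal -Force | Out-Null
Set-Content -Path (Join-Path $IdxAppLocal 'props.conf')      -Value $propsConf      -Encoding ASCII
Set-Content -Path (Join-Path $IdxAppLocal 'transforms.conf') -Value $transformsConf -Encoding ASCII

# 4. Sanity check before forwarding: which images produced port-53 events in the
#    last 10 minutes, and how many. On a DNS server expect dns.exe to dominate.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
  ForEach-Object {
      ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'Image' } |
        Select-Object -ExpandProperty '#text'
  } |
  Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Run step 4 for a while before enabling the forwarder input; if the top of that table is not what you expect, tighten the Sysmon exclude list first, since an event that is never written costs nothing downstream, whereas a nullQueue drop still spends forwarder bandwidth and indexer parsing time.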
I would leverage Splunk Stream to capture the DNS Traffic: https://splunkbase.splunk.com/app/1809/
Can be installed on a Network Tap or on the 2012 DNS Server directly with the UF.
Otherwise, you can use the builtin analytic logging for DNS and have the UF tail the file.
FYI, I've been unable to ingest the analytic logs using the traditional WinEventLog input method. Apparently this is a known (designed-in) limitation on Microsoft's part that applies to all Analytic and Debug logs.
When you attempt to ingest these logs, Splunk returns MS error code 15009. According to MSDN, "You cannot subscribe to an Analytic or Debug channel; the events for an Analytic or Debug channel go directly to a log file and cannot be subscribed to."
The Splunk Stream option sounds interesting. Does anyone know how complicated it would be to take that feed and make it CIM compliant, with the goal of Enterprise Security integration?