DNS Cache
Overview
Evidence: DNS Cache
Description: Collect DNS Cache
Category: Network
Platform: windows
Short Name: dnsc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows DNS resolver cache stores the results of recent DNS queries to speed up subsequent lookups. The cache contains hostname-to-IP mappings for recently accessed domains and can reveal web browsing activity, malware C2 domains, and network reconnaissance.
DNS cache entries are volatile and cleared when the DNS Client service restarts or entries expire.
Data Collected
This collector gathers structured data from the Windows DNS resolver cache.
DNS Cache Data
| Field | Description | Example |
|---|---|---|
| Name | DNS name | www.example.com |
| Type | DNS record type | 1 (A record) |
Collection Method
This collector:
- Loads DNSAPI.dll
- Calls the undocumented DnsGetCacheDataTable function
- Enumerates all cached DNS entries
- Extracts hostname and record type
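The same four steps, written as a stand-alone PowerShell script for analysts who want to reproduce or cross-check the collector's output on a live host. This is an added example, not the collector's own code: the DNS_CACHE_ENTRY layout, the non-zero-on-success return convention, the skipping of an empty head node, and the $typeNames lookup are assumptions drawn from community reverse engineering of the undocumented export, not from Microsoft documentation.

```powershell
# Added example: enumerate the resolver cache the way the collector does, by
# loading dnsapi.dll and calling the undocumented DnsGetCacheDataTable export.
# ASSUMPTION: struct layout and return convention come from community
# reverse engineering; Microsoft does not document this function.
$source = @'
using System;
using System.Runtime.InteropServices;
public static class DnsCacheNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct DNS_CACHE_ENTRY {
        public IntPtr pNext;        // next entry in the singly linked list
        public IntPtr pszName;      // PWSTR hostname
        public ushort wType;        // DNS record type (1 = A, 28 = AAAA, ...)
        public ushort wDataLength;
        public uint   dwFlags;
    }
    [DllImport("dnsapi.dll", SetLastError = true)]
    public static extern int DnsGetCacheDataTable(out IntPtr ppTable);
}
'@
Add-Type -TypeDefinition $source

# Standard DNS record type numbers, for readable output (helper added here)
$typeNames = @{ 1 = 'A'; 5 = 'CNAME'; 12 = 'PTR'; 28 = 'AAAA'; 33 = 'SRV' }

function Get-RawDnsCache {
    $table = [IntPtr]::Zero
    # ASSUMPTION: a zero return means failure (no entries, or call refused)
    if ([DnsCacheNative]::DnsGetCacheDataTable([ref]$table) -eq 0 -or $table -eq [IntPtr]::Zero) {
        throw "DnsGetCacheDataTable returned no cache table"
    }
    $entryType = [DnsCacheNative+DNS_CACHE_ENTRY]
    $p = $table
    while ($p -ne [IntPtr]::Zero) {
        $e = [Runtime.InteropServices.Marshal]::PtrToStructure($p, $entryType)
        # ASSUMPTION: some builds return an empty head node; skip nameless entries
        if ($e.pszName -ne [IntPtr]::Zero) {
            $t = [int]$e.wType
            [pscustomobject]@{
                Name     = [Runtime.InteropServices.Marshal]::PtrToStringUni($e.pszName)
                Type     = $t
                TypeName = if ($typeNames.ContainsKey($t)) { $typeNames[$t] } else { "TYPE$t" }
                # The cache is volatile, so record when this snapshot was taken
                Captured = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
        $p = $e.pNext
    }
}

Get-RawDnsCache | Sort-Object Name | Format-Table -AutoSize
```

Because entries are cleared when the DNS Client service restarts or expire on their own, the Captured timestamp matters when correlating with network connection logs; the documented Get-DnsClientCache cmdlet can serve as a second source to compare against.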
Forensic Value
DNS cache reveals recent network activity and domain lookups. Investigators use this data to identify recently accessed domains, detect malware C2 domains, track web browsing activity, identify reconnaissance activity, correlate with network connections, and detect DNS tunneling or exfiltration.