DNS Servers
Overview
Evidence: DNS Servers
Description: Collect DNS Server addresses
Category: Network
Platform: windows
Short Name: dnss
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
DNS servers configured on the system are used to resolve domain names to IP addresses. The configured DNS servers can reveal normal network infrastructure or indicate DNS hijacking if unauthorized servers are present.
DNS server configuration is typically obtained via DHCP or configured statically.
Data Collected
This collector gathers structured data about DNS servers.
DNS Servers Data
| Field | Description | Example |
|---|---|---|
| DNSServers | Comma-separated DNS server IPs | 8.8.8.8,8.8.4.4 |
Collection Method
This evidence is collected as part of the System collector using:
- `DnsQueryConfig` with `DnsConfigDnsServerList` flag
- Extracts IP addresses of all configured DNS servers
- Returns comma-separated list
Forensic Value
DNS server configuration can reveal network infrastructure or DNS hijacking. Investigators use this data to verify legitimate DNS servers, detect DNS hijacking, identify rogue DNS servers, correlate with DHCP configuration, and detect DNS redirection attacks.
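
One way to triage the collected `DNSServers` value against a list of approved resolvers, as an added example that is not part of the product or its documentation. The allowlist addresses, function names and verdict labels are assumptions made for illustration.

```python
import ipaddress

# Assumed allowlist for this example; replace with your organisation's resolvers.
APPROVED = [ipaddress.ip_network(n) for n in ("10.0.0.53/32", "10.0.1.53/32")]


def triage_dns_servers(field, approved=APPROVED):
    """Classify each entry of a comma-separated DNSServers value.

    Returns (entry, verdict) tuples in the order the servers were listed.
    """
    results = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate an empty field or a trailing comma
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            results.append((entry, "malformed"))
            continue
        if any(addr in net for net in approved):
            verdict = "approved"
        elif addr.is_loopback:
            verdict = "loopback"  # local resolver or proxy: identify the listening process
        elif addr.is_private or addr.is_link_local:
            verdict = "unapproved-internal"  # compare with the DHCP-supplied servers
        else:
            verdict = "unapproved-external"
        results.append((entry, verdict))
    return results


def needs_review(field, approved=APPROVED):
    """True when no server is listed or any listed server is off the allowlist."""
    results = triage_dns_servers(field, approved)
    return not results or any(v != "approved" for _, v in results)


if __name__ == "__main__":
    # Constructed sample values in the format of the DNSServers field.
    for sample in ("10.0.0.53,10.0.1.53", "10.0.0.53,8.8.8.8", "192.168.1.1", "127.0.0.1"):
        print(sample, "->", triage_dns_servers(sample), "review:", needs_review(sample))
```

A verdict other than `approved` is a lead for correlation with DHCP configuration, not proof of hijacking: home routers and VPN clients legitimately produce `unapproved-internal` and `loopback` entries.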