DNS Cache

Overview

Evidence: DNS Cache
Description: Collect DNS Cache
Category: Network
Platform: Windows
Short Name: dnsc
Is Parsed: Yes - DNS cache entries parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Windows DNS resolver cache stores the results of recent DNS queries to speed up subsequent lookups. The cache contains hostname-to-IP mappings for recently accessed domains and can reveal web browsing activity, malware C2 domains, and network reconnaissance.

DNS cache entries are volatile and cleared when the DNS Client service restarts or entries expire.

Data Collected

Field   Description       Example
Name    DNS name          www.example.com
Type    DNS record type   1 (A record)

Collection Method

This collector:

  • Loads DNSAPI.dll

  • Calls the undocumented DnsGetCacheDataTable function

  • Enumerates all cached DNS entries

  • Extracts hostname and record type
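The enumeration described above, as an added example that is not the collector's own source: it loads DNSAPI.dll, calls DnsGetCacheDataTable and walks the returned linked list. Because the function is undocumented, the entry layout and the nonzero-on-success return convention used here are assumptions taken from community reverse-engineering; the sample chain built in memory is constructed data so the walker can be exercised without a live Windows cache.

```python
import ctypes
import sys

# Assumed layout of the singly linked entries DnsGetCacheDataTable returns
# (undocumented; may change between Windows versions).
class DNS_CACHE_ENTRY(ctypes.Structure):
    pass

DNS_CACHE_ENTRY._fields_ = [
    ("pNext", ctypes.POINTER(DNS_CACHE_ENTRY)),  # next node, NULL at the end
    ("pszName", ctypes.c_wchar_p),                # cached DNS name (UTF-16)
    ("wType", ctypes.c_ushort),                   # record type, e.g. 1 = A
    ("wDataLength", ctypes.c_ushort),             # not used by this walker
    ("dwFlags", ctypes.c_uint32),                 # entry flags
]

RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
                15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}

def walk_cache(head):
    """Follow pNext from head and return (name, type, type_name) tuples."""
    entries = []
    node = head
    while node:  # a NULL ctypes pointer evaluates as False
        e = node.contents
        entries.append((e.pszName, e.wType,
                        RECORD_TYPES.get(e.wType, str(e.wType))))
        node = e.pNext
    return entries

def collect_dns_cache():
    """Windows only: load DNSAPI.dll and enumerate the live resolver cache."""
    dnsapi = ctypes.WinDLL("dnsapi")
    fn = dnsapi.DnsGetCacheDataTable
    fn.argtypes = [ctypes.POINTER(ctypes.POINTER(DNS_CACHE_ENTRY))]
    fn.restype = ctypes.c_int  # assumed BOOL-style: nonzero on success
    head = ctypes.POINTER(DNS_CACHE_ENTRY)()
    if not fn(ctypes.byref(head)):
        raise OSError("DnsGetCacheDataTable failed")
    return walk_cache(head)

def sample_chain_entries():
    """Constructed sample (not a live cache): two chained nodes in memory."""
    tail = DNS_CACHE_ENTRY(None, "cdn.example.net", 28, 0, 0)
    head = DNS_CACHE_ENTRY(ctypes.pointer(tail), "www.example.com", 1, 0, 0)
    return walk_cache(ctypes.pointer(head))

if __name__ == "__main__" and sys.platform == "win32":
    for name, rtype, tname in collect_dns_cache():
        print(f"{name}\t{rtype} ({tname})")
```

Collect this early in the investigation: the walker only sees what is still in the cache at the moment of the call, and a DNS Client service restart empties it.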

Usage

DNS cache reveals recent network activity and domain lookups. Investigators use this data to identify recently accessed domains, detect malware C2 domains, track web browsing activity, identify reconnaissance activity, correlate with network connections, and detect DNS tunneling or exfiltration.

Known Limitations

  • Highly volatile (cleared frequently)

  • Limited cache size

  • Cache cleared on service restart

  • Doesn't include DNS query history

  • Undocumented API may change between Windows versions

Notes

DNS cache should be collected as early as possible in an investigation as it's highly volatile. Cross-reference cached domains with network connections and browser history for complete network activity reconstruction.
