DNS Cache
Overview
Evidence: DNS Cache
Description: Collect DNS Cache
Category: Network
Platform: windows
Short Name: dnsc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows DNS resolver cache stores the results of recent DNS queries to speed up subsequent lookups. The cache contains hostname-to-IP mappings for recently accessed domains and can reveal web browsing activity, malware C2 domains, and network reconnaissance.
DNS cache entries are volatile and cleared when the DNS Client service restarts or entries expire.
Data Collected
This collector gathers structured data about the DNS resolver cache.
DNS Cache Data
Field | Description | Example
Name | DNS name | www.example.com
Type | DNS record type | 1 (A record)
Collection Method
This collector:
Loads DNSAPI.dll
Calls the undocumented DnsGetCacheDataTable function
Enumerates all cached DNS entries
Extracts the hostname and record type of each entry
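The same enumeration in Python via ctypes, as an added example that is not the collector's own code: the DNS_CACHE_ENTRY layout and the DnsGetCacheDataTable prototype are assumed from commonly published reversing notes, since Microsoft does not document them, and build_sample_table is a constructed two-entry stand-in so the list walker can be exercised off Windows.

```python
import ctypes
import sys

# Layout commonly reported for the undocumented DNS_CACHE_ENTRY (assumed; Microsoft
# does not document it). The API fills in pNext of a caller-supplied head entry.
class DNS_CACHE_ENTRY(ctypes.Structure):
    pass

DNS_CACHE_ENTRY._fields_ = [
    ("pNext", ctypes.POINTER(DNS_CACHE_ENTRY)),  # next entry, NULL at end of list
    ("pszName", ctypes.c_wchar_p),               # cached DNS name (UTF-16)
    ("wType", ctypes.c_ushort),                  # DNS record type, e.g. 1 = A
    ("wDataLength", ctypes.c_ushort),            # not used by the enumeration
    ("dwFlags", ctypes.c_ulong),                 # record flags
]

# Numeric record types seen in the cache, mapped to their RFC names.
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
                16: "TXT", 28: "AAAA", 33: "SRV"}

def walk_cache_table(head):
    """Return [(name, type_code, type_name)] for every entry linked from `head`.
    `head` is the sentinel passed to DnsGetCacheDataTable; data starts at head.pNext."""
    entries = []
    node = head.pNext
    while node:                                  # a NULL ctypes pointer is falsy
        entry = node.contents
        code = entry.wType
        entries.append((entry.pszName, code, RECORD_TYPES.get(code, f"TYPE{code}")))
        node = entry.pNext
    return entries

def collect_dns_cache():
    """Load DNSAPI.dll and enumerate the live resolver cache (Windows only)."""
    if sys.platform != "win32":
        raise OSError("DnsGetCacheDataTable is only available on Windows")
    dnsapi = ctypes.WinDLL("dnsapi")
    fn = dnsapi.DnsGetCacheDataTable
    fn.argtypes = [ctypes.POINTER(DNS_CACHE_ENTRY)]
    fn.restype = ctypes.c_int                    # non-zero on success (assumed)
    head = DNS_CACHE_ENTRY()
    if not fn(ctypes.byref(head)):
        raise OSError("DnsGetCacheDataTable returned failure")
    return walk_cache_table(head)                # entries are owned by DNSAPI; not freed here

def build_sample_table():
    """Constructed two-entry list standing in for a real cache (not real data)."""
    aaaa = DNS_CACHE_ENTRY(None, "mail.example.com", 28, 0, 0)
    a = DNS_CACHE_ENTRY(ctypes.pointer(aaaa), "www.example.com", 1, 0, 0)
    return DNS_CACHE_ENTRY(ctypes.pointer(a), None, 0, 0, 0)

if __name__ == "__main__":
    rows = collect_dns_cache() if sys.platform == "win32" else walk_cache_table(build_sample_table())
    for name, code, kind in rows:
        print(f"{name}\t{code} ({kind})")
```

On a live Windows host, cross-check the result against ipconfig /displaydns, which reads the same cache through the documented path. Both views vanish when the DNS Client service restarts, so this should be among the first volatile artifacts collected.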
Forensic Value
DNS cache reveals recent network activity and domain lookups. Investigators use this data to identify recently accessed domains, detect malware C2 domains, track web browsing activity, identify reconnaissance activity, correlate with network connections, and detect DNS tunneling or exfiltration.