DNS Servers
Overview
Evidence: DNS Servers
Description: Collect DNS Server Addresses
Category: System
Platform: Windows
Short Name: dnss
Is Parsed: Yes - DNS server list extracted
Sent to Investigation Hub: Yes
Collect File(s): No
Background
DNS servers configured on the system are used to resolve domain names to IP addresses. The configured DNS servers can reveal normal network infrastructure or indicate DNS hijacking if unauthorized servers are present.
DNS server configuration is typically obtained via DHCP or configured statically.
Data Collected
DNS server information is included in the System collector output as a comma-separated list of IP addresses.
Field: DNSServers
Description: Comma-separated DNS server IPs
Example: 8.8.8.8,8.8.4.4
Collection Method
This evidence is collected as part of the System collector using:
DnsQueryConfig with the DnsConfigDnsServerList flag
Extracts IP addresses of all configured DNS servers
Returns comma-separated list
Usage
DNS server configuration can reveal network infrastructure or DNS hijacking. Investigators use this data to verify legitimate DNS servers, detect DNS hijacking, identify rogue DNS servers, correlate with DHCP configuration, and detect DNS redirection attacks.
Known Limitations
May not capture all adapters' DNS settings
Shows system-wide DNS, not per-adapter details
Doesn't show DNS search suffixes
May not reflect DHCP-provided DNS immediately
Notes
Unexpected DNS servers (especially public DNS like 8.8.8.8 in corporate environments, or unknown IPs) can indicate compromise or policy violations.
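The check described under Usage and Notes can be scripted against the collected DNSServers value. The following is an added example, not part of the collector or the original page; the allowlist addresses, the public-resolver list, the verdict labels and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed allowlist of sanctioned resolvers (constructed values; use your own).
APPROVED = [ipaddress.ip_network(n) for n in ("10.0.0.53/32", "10.0.1.53/32")]
# Short, non-exhaustive list of well-known public resolvers.
PUBLIC = {ipaddress.ip_address(a) for a in
          ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9")}
# RFC 1918 ranges, listed explicitly so the result does not depend on is_private.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(entry, approved=APPROVED):
    """Return a verdict for one address taken from the DNSServers field."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "invalid"
    if any(addr in net for net in approved):
        return "approved"
    if addr in PUBLIC:
        return "public-resolver"
    if addr.is_loopback:
        return "loopback"  # local stub or proxy; confirm what is listening
    if any(addr in net for net in RFC1918):
        return "unapproved-internal"
    return "unknown-external"


def triage(dns_servers, approved=APPROVED):
    """Split the comma-separated DNSServers value and classify each entry."""
    entries = (raw.strip() for raw in dns_servers.split(","))
    return [(e, classify(e, approved)) for e in entries if e]


def needs_review(dns_servers, approved=APPROVED):
    """Entries that are not on the allowlist and warrant a closer look."""
    return [(ip, v) for ip, v in triage(dns_servers, approved) if v != "approved"]


if __name__ == "__main__":
    # Constructed samples in the format shown under Data Collected.
    for sample in ("8.8.8.8,8.8.4.4", "10.0.0.53, 203.0.113.7", "10.0.0.53,127.0.0.1"):
        print(sample, "->", needs_review(sample))
```

A verdict other than "approved" is a prompt to compare against the DHCP configuration for that network, not proof of hijacking.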