Getting DNS Client Cached Entries with CIM/WMI

What is DNS Cache

The DNS cache maintains an in-memory database of recent DNS resolutions. This
allows for faster resolution of hosts that have been queried in the recent
past. To keep this cache fresh and reduce the chance of stale records, items
remain in the cache for 1 day on Windows clients.

The DNS Client service in Windows is the one that manages the cache on a
system. This time window can be modified via the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters,
where the MaxCacheTtl value controls how long an entry stays in the cache, in
seconds, and the MaxNegativeCacheTtl value controls how long a failed response
is cached.
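As an added example (not code from the original post), the following PowerShell reads the two values described above from the key the text names and reports whether each one is an explicit override or absent, in which case the built-in default applies. The function name and output layout are my own choice; only the registry path and value names come from the post.

```powershell
# Added example, not part of the original post. Reads the Dnscache
# parameters the text describes; the key path and value names are the
# ones quoted there, everything else (function name, output shape) is
# an assumption of this example.
$DnscachePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Get-DnsCacheTtlSetting {
    # Get-ItemProperty returns every value under the key; unset values
    # simply come back as $null when dereferenced by name.
    $props = Get-ItemProperty -Path $DnscachePath -ErrorAction Stop

    foreach ($name in 'MaxCacheTtl', 'MaxNegativeCacheTtl') {
        $value = $props.$name
        [pscustomobject]@{
            Setting = $name
            Seconds = $value
            Hours   = if ($null -ne $value) { [math]::Round($value / 3600, 2) } else { $null }
            Source  = if ($null -ne $value) { 'Registry override' } else { 'Not set (built-in default applies)' }
        }
    }
}

# Usage: list the effective configuration on this host.
Get-DnsCacheTtlSetting | Format-Table -AutoSize
```

Reading the key needs no elevation, so this is a cheap check to add to a baseline audit: a MaxCacheTtl far below the one-day default shortens the window in which the cache is useful as evidence, while an unusually large MaxNegativeCacheTtl keeps failed lookups around longer than expected. Note that a change to these values only takes effect after the Dnscache service is restarted.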

Why is it Important

For an attacker, it primarily provides situational awareness. It lets him
know what other systems this host has accessed and the IP addresses of those
hosts. This may allow identifying security platforms by the FQDNs they use, as
well as business process systems, both internal and in the cloud. An
important note for the attacker is that if his implant/agent on the system
does not include its own resolution capability, it leaves an IOC on the
system that can be used to track its command and control infrastructure.

For a defender, it provides the ability to know what hosts a system may have
connected to in the last 24 hours. This permits a defender to query across his
environment for hosts that are communicating or have communicated with a
specific host, provided DNS resolution was part of the process and the
attacker is not using his own resolution method. If the attacker is "Living
off the Land" and using OS tools, they will still leave an ephemeral trace on
the system until the cached entry's TTL (Time to Live) expires.

MSFT_DNSClientCache class

In Windows 8/2012 Microsoft added the MSFT_DNSClientCache class to the CIM
object database in Windows. The class lives under the Root\StandardCimv2
namespace, which was also new in that release, and the provider is implemented
in DnsClientCim.dll. This allows us to query for instances of the class and
get every entry in the DNS cache database.
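The following is an added PowerShell example, not code from the original post, covering both the class query described here and the defender use case from the previous section (sweeping many hosts for a specific cached name). It assumes the MSFT_DNSClientCache property names Entry, Name, Type, Data, TimeToLive, Section and Status, and that the Type and Section values are the standard DNS record-type and response-section codes; the function names, the record-type table and the example computer list are my own.

```powershell
# Added example, not part of the original post. Queries the
# MSFT_DNSClientCache class in Root\StandardCimv2 and decodes its numeric
# fields. Property names and code tables are assumptions of this example.

# DNS record type codes as they appear in the Type property.
$RecordTypes  = @{ 1 = 'A'; 2 = 'NS'; 5 = 'CNAME'; 6 = 'SOA'; 12 = 'PTR'; 15 = 'MX'; 16 = 'TXT'; 28 = 'AAAA'; 33 = 'SRV' }
# DNS response sections as they appear in the Section property.
$SectionNames = @{ 1 = 'Answer'; 2 = 'Authority'; 3 = 'Additional' }

function Get-DnsCacheEntry {
    [CmdletBinding()]
    param(
        # CIM session for a remote host; the local machine is used when omitted.
        [Microsoft.Management.Infrastructure.CimSession]$CimSession,
        # Wildcard filter applied to the cached query name, e.g. '*.example.com'.
        [string]$NameFilter = '*'
    )
    $query = @{ Namespace = 'root/StandardCimv2'; ClassName = 'MSFT_DNSClientCache' }
    if ($CimSession) { $query.CimSession = $CimSession }

    Get-CimInstance @query |
        Where-Object { $_.Entry -like $NameFilter } |
        ForEach-Object {
            $type    = [int]$_.Type
            $section = [int]$_.Section
            [pscustomobject]@{
                Computer = if ($CimSession) { $CimSession.ComputerName } else { $env:COMPUTERNAME }
                Entry    = $_.Entry          # name that was queried
                Name     = $_.Name           # name the record belongs to (differs after a CNAME)
                Type     = if ($RecordTypes.ContainsKey($type)) { $RecordTypes[$type] } else { $type }
                Data     = $_.Data           # resolved address or target name
                TTL      = $_.TimeToLive     # seconds left before the entry expires
                Section  = if ($SectionNames.ContainsKey($section)) { $SectionNames[$section] } else { $section }
                Status   = $_.Status         # 0 = successful resolution; non-zero = negative cache entry
            }
        }
}

function Find-DnsCacheHit {
    # Defender sweep: ask each host whether a name matching $Pattern is in its cache.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Pattern
    )
    foreach ($computer in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            Get-DnsCacheEntry -CimSession $session -NameFilter $Pattern
            Remove-CimSession -CimSession $session
        }
        catch {
            # A host that is offline or rejects WinRM should not abort the sweep.
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
    }
}

# Usage on the local host: only successful answers, most recent first by remaining TTL.
Get-DnsCacheEntry |
    Where-Object { $_.Status -eq 0 -and $_.Section -eq 'Answer' } |
    Sort-Object TTL -Descending |
    Format-Table Entry, Type, Data, TTL -AutoSize

# Usage across an environment. The computer list is a constructed placeholder;
# the pattern is the FQDN (or wildcard) you are hunting for.
# Find-DnsCacheHit -ComputerName 'WS01', 'WS02', 'SRV01' -Pattern '*.example.com'
```

Two points worth keeping in mind when using this. A single lookup usually produces several instances (the CNAME chain plus the final A/AAAA records), so filtering on Section and Status avoids counting authority records and negative entries as "the host talked to X". And because the TTL column is the time remaining rather than the time the entry was created, an entry with a small TTL may still be a recent lookup of a name whose authoritative TTL was short; treat it as evidence of a resolution within the last day, not as a timestamp. The built-in Get-DnsClientCache cmdlet from the DnsClient module returns the same instances if you prefer not to call Get-CimInstance directly.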