DNS in Forensics: The Hidden Goldmine for Threat Hunting
- Aug 19

When we think about forensic investigations and threat hunting, DNS isn’t usually the first thing that pops into our minds. But if you dig a little deeper, you'll realize that DNS is often one of the most powerful sources of evidence in any investigation.
In fact, DNS logs are like a pulse check on your entire network. They silently record who's talking to whom, when, and how — across nearly every protocol in use.
Why DNS Matters So Much
Attackers don’t walk through the front door shouting. They sneak around the back — and often, that backdoor is DNS. It’s used in everything from phishing and command-and-control (C2) infrastructure to data exfiltration.
But here’s the thing: most networks don’t treat DNS seriously enough. They treat it as just another service, not a security tool.
Imagine this:
An attacker sets up a C2 domain and points it to 127.0.0.1 (localhost) most of the time to avoid suspicion. Then, when it’s time to activate implants, they change the DNS record to the actual IP. If you’re only logging queries and not responses, you miss that switch entirely.
Good DNS Setup = Better Security
If you're serious about DNS from a security perspective, there are a few best practices:
✅ Use internal DNS servers: Set up a small number of DNS servers inside your network perimeter.
🔒 Lock down external DNS access: Clients should only be allowed to query internal DNS servers — not open resolvers on the internet.
🌐 Use DHCP for DNS assignment: Keep it simple and consistent.
🚫 Block direct DNS access from clients to the internet: Use your firewall to enforce this.
This configuration not only improves performance and reliability but also gives you a centralized choke point for visibility.
The Problem with Traditional DNS Logging
Most DNS servers allow query logging, which is a good start — but here’s the catch:
They don’t log the responses.
That’s a big blind spot. It’s like watching only one side of a conversation. For investigators, this means missing out on crucial clues — like what IP a domain resolved to at a specific moment.
And forget about using that data to spot malicious infrastructure that constantly changes — you'll be flying blind.
Enter PassiveDNS Monitoring
If you really want visibility, go passive.
Passive DNS monitoring tools listen to DNS traffic and log both queries and responses. One fantastic open-source option is Edward Fjellskål’s tool called PassiveDNS.
It’s lightweight, fast, and versatile. You can:
Run it live to monitor traffic as it happens (great for SIEM integration),
Or process DNS traffic from pcap files during postmortem analysis.
It can write logs directly or send them via syslog — which means it plays nicely with most log aggregators and SIEM platforms.
🧪 Practical Example: PassiveDNS in Action
Let’s say you have a massive pcap file and you want to quickly zero in on DNS activity. PassiveDNS (https://github.com/gamelinux/passivedns) can do the job in no time.
Installing PassiveDNS on Ubuntu, especially when running under Windows Subsystem for Linux (WSL), can be a bit challenging. You might encounter several errors along the way due to the differences between a native Linux environment and WSL. However, you don’t have to worry: you can reach out to me directly through email or the chat section, and I will help immediately.
Below is the official installation process for PassiveDNS on Ubuntu, as per the project documentation:
$ sudo apt-get install git-core binutils-dev libldns1 libldns-dev libpcap-dev
# libdate-simple-perl is also needed for pdns2db.pl
$ git clone git://github.com/gamelinux/passivedns.git
$ cd passivedns/
$ autoreconf --install
$ ./configure
$ make

Once installation is done and you have a pcap file in which you want to quickly zero in on DNS activity, run:
sudo passivedns -r dns.pcapng -l ./passivedns.txt -L ./passivedns_nxdomain.txt
This gives you two clean log files:
One with all successful DNS resolutions
One for those NXDOMAIN (nonexistent domain) queries — often a sign of malware trying to resolve C2 domains that don’t exist (yet)
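The two log files are only useful if you can read them back and ask the questions raised earlier: which domains were parked on 127.0.0.1 and later flipped to a real address (the switch you only see when responses are logged), and which clients are generating unusual numbers of NXDOMAIN lookups. The script below is an added example and not part of the original post or of the PassiveDNS project. It assumes the `||`-delimited line format that the project documents (timestamp, client, server, class, query, type, answer, ttl, count); the log lines embedded in it are constructed for illustration, and the exact answer text PassiveDNS writes for NXDOMAIN entries is not relied upon.

```python
"""Triage passivedns logs: find parked-then-activated domains and noisy NXDOMAIN clients.

Added example (not from the original post or the PassiveDNS project).
Assumed input format, per the project's documented default:
    timestamp||client||server||class||query||type||answer||ttl||count
"""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List, NamedTuple

# Constructed sample of the -l (resolved) log: one benign domain, and one
# domain that sits on loopback for a while and then flips to a routable IP.
RESOLVED_LOG = """\
1700000000.100000||10.0.0.5||10.0.0.2||IN||updates.example.com.||A||198.51.100.20||300||3
1700000010.200000||10.0.0.7||10.0.0.2||IN||cdn-sync.example.net.||A||127.0.0.1||60||4
1700000020.300000||10.0.0.7||10.0.0.2||IN||cdn-sync.example.net.||CNAME||edge.example.net.||60||1
1700003600.400000||10.0.0.7||10.0.0.2||IN||cdn-sync.example.net.||A||203.0.113.45||60||1
"""

# Constructed sample of the -L (NXDOMAIN) log; the answer column is a placeholder.
NXDOMAIN_LOG = """\
1700000030.000000||10.0.0.9||10.0.0.2||IN||a1b2c3.example.org.||A||NXDOMAIN||0||1
1700000031.000000||10.0.0.9||10.0.0.2||IN||d4e5f6.example.org.||A||NXDOMAIN||0||1
1700000032.000000||10.0.0.9||10.0.0.2||IN||g7h8i9.example.org.||A||NXDOMAIN||0||1
1700000040.000000||10.0.0.5||10.0.0.2||IN||typo.exmaple.com.||A||NXDOMAIN||0||1
"""


class DnsRecord(NamedTuple):
    ts: float
    client: str
    server: str
    qclass: str
    query: str
    qtype: str
    answer: str
    ttl: int
    count: int


def parse_passivedns(text: str) -> List[DnsRecord]:
    """Parse '||'-delimited passivedns lines, skipping blank or malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("||")
        if len(parts) != 9:
            continue  # truncated or corrupted line: skip rather than crash
        ts, client, server, qclass, query, qtype, answer, ttl, count = parts
        # Normalise the name so "Foo.Example.NET." and "foo.example.net" match.
        records.append(DnsRecord(float(ts), client, server, qclass,
                                 query.lower().rstrip("."), qtype, answer,
                                 int(ttl), int(count)))
    return records


def _is_loopback(answer: str) -> bool:
    try:
        return ip_address(answer).is_loopback
    except ValueError:
        return False  # CNAME/TXT/etc. answers are not addresses


def parked_then_activated(records: List[DnsRecord]) -> Dict[str, str]:
    """Domains whose A/AAAA answer was loopback earlier and a non-loopback IP later.

    Returns {domain: first_non_loopback_answer}. This is the parked-C2 pattern
    that query-only logging cannot reveal.
    """
    history = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        if r.qtype in ("A", "AAAA"):
            history[r.query].append(r.answer)
    hits = {}
    for domain, answers in history.items():
        seen_loopback = False
        for answer in answers:
            if _is_loopback(answer):
                seen_loopback = True
            elif seen_loopback:
                try:
                    ip_address(answer)  # must be a real address, not a CNAME
                except ValueError:
                    continue
                hits[domain] = answer
                break
    return hits


def nxdomain_by_client(records: List[DnsRecord], threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` distinct failed lookups in the NXDOMAIN log."""
    failed = defaultdict(set)
    for r in records:
        failed[r.client].add(r.query)
    return {client: len(names) for client, names in failed.items() if len(names) >= threshold}


if __name__ == "__main__":
    print("parked then activated:", parked_then_activated(parse_passivedns(RESOLVED_LOG)))
    print("noisy NXDOMAIN clients:", nxdomain_by_client(parse_passivedns(NXDOMAIN_LOG)))
```

To run it against real output, read `./passivedns.txt` and `./passivedns_nxdomain.txt` into the two strings instead of the constructed samples. The threshold of three distinct failures is deliberately low for the sample; on a production resolver you would tune it to the baseline of typo and stale-record noise your clients normally produce.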

And if you're live monitoring from a network tap:
passivedns -i eth0 -D -y -Y

This runs the tool as a background process, sending real-time logs (including failed lookups) straight to your syslog server.

Final Thoughts
If you’re skipping DNS logs in your investigations, you’re likely missing a massive part of the story. DNS isn’t just a boring infrastructure protocol — it’s a map of where your network traffic is going, and often a warning sign of where threats are coming from.
So, whether you're hunting threats or digging through a breach, don’t underestimate DNS. It’s not just technical plumbing — it’s a forensic goldmine.
Dean