DNS Cache

DNS records can provide crucial insights into network communications, help identify malicious activity, and uncover connections between compromised systems and C2 servers.

Cache records can be found in the

Configuration files

DNS-related configuration files may contain valuable information.

/etc/resolv.conf: Specifies the DNS servers used by the system.

/etc/hosts: Contains local hostname-to-IP mappings.

DNS caching in RHEL

RHEL does not cache DNS queries by default [1]. RHEL also does not recommend using any resolvers [2]. This implies that DNS caching artifacts may not be available for analysis.

DNS resolver

Resolver configuration is stored in the /etc/resolv.conf file. This file should be reviewed as part of the investigation to check for any malicious entries.

cat /etc/resolv.conf
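As an added example (not part of the original page), the following script reviews both files discussed above, /etc/resolv.conf and /etc/hosts, for entries an investigator would want to look at more closely: nameservers that are not in the expected set, hosts entries that point outside the internal address ranges, hostnames mapped to more than one address, and lines that do not parse as addresses. The sample file contents, the expected nameserver list and the internal network ranges are constructed assumptions for this example and should be replaced with the values from the environment under investigation.

```python
"""Triage /etc/resolv.conf and /etc/hosts for entries worth a closer look.

Example code added for illustration; the sample inputs below are constructed
and the expected nameservers / internal ranges are assumptions.
"""
import ipaddress

# Constructed sample content in the format of /etc/resolv.conf (not from a real host).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example.test
nameserver 10.0.0.53
nameserver 203.0.113.77
options timeout:2 attempts:3
"""

# Constructed sample content in the format of /etc/hosts (not from a real host).
SAMPLE_HOSTS = """\
127.0.0.1    localhost localhost.localdomain
::1          localhost6
10.0.0.10    fileserver.corp.example.test fileserver
198.51.100.9 updates.example.test    # override pointing outside the site
not-an-ip    broken.example.test
"""

# Assumed site DNS servers and internal ranges; adjust for the environment.
EXPECTED_NAMESERVERS = {"10.0.0.53", "10.0.0.54"}
INTERNAL_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")


def parse_resolv_conf(text):
    """Return nameserver, search and options entries from resolv.conf-style text."""
    result = {"nameserver": [], "search": [], "options": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            result["nameserver"].append(values[0])
        elif key in ("search", "domain"):
            result["search"].extend(values)
        elif key == "options":
            result["options"].extend(values)
    return result


def parse_hosts(text):
    """Return a list of (address, [hostnames]) pairs from hosts-style text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def review_resolv_conf(parsed, expected=EXPECTED_NAMESERVERS):
    """Flag nameservers that are not in the expected set."""
    return [f"resolv.conf: unexpected nameserver {ns}"
            for ns in parsed["nameserver"] if ns not in expected]


def review_hosts(entries, internal=INTERNAL_NETWORKS):
    """Flag unparsable addresses, conflicting mappings and non-internal targets."""
    networks = [ipaddress.ip_network(n) for n in internal]
    findings, first_seen = [], {}
    for ip, names in entries:
        for name in names:
            if name in first_seen and first_seen[name] != ip:
                findings.append(f"hosts: {name} mapped to both {first_seen[name]} and {ip}")
            first_seen.setdefault(name, ip)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"hosts: unparsable address {ip!r} for {', '.join(names)}")
            continue
        if addr.is_loopback or addr.is_link_local:
            continue  # loopback / link-local mappings are normal
        if not any(addr in net for net in networks):
            findings.append(f"hosts: {', '.join(names)} -> {ip} is outside internal ranges")
    return findings


def review_sample():
    """Run both reviews over the constructed samples and return all findings."""
    findings = review_resolv_conf(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    findings += review_hosts(parse_hosts(SAMPLE_HOSTS))
    return findings


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

On a live system the same functions can be fed the real files (open("/etc/resolv.conf").read() and open("/etc/hosts").read()); the comment-stripping handles the "#" and ";" forms both files allow, and loopback entries are skipped so that the output is limited to the entries that deviate from what the site is expected to use.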