
This post explains how to inspect the contents of the Windows DNS server cache. Inspecting the cached entries shows which names hosts on the network have recently resolved, which can reveal whether any suspicious or malicious websites are being visited.

A DNS server's cache of resource records can be inspected to determine whether your network is interacting with suspicious or malicious internet sites. To perform this task, proceed as follows:

For Windows 2003 and earlier versions, you must first install the Windows Support Tools. Once they are installed, inspect and export the DNS cache from a command prompt (cmd.exe) window using dnscmd.

For Windows 2008 and later, Windows PowerShell, a more capable successor to the Windows Support Tools, is installed by default. Use a PowerShell window, or run the PowerShell script from the command prompt window, to inspect and export the DNS cache.

How to Inspect the Cache from the CMD Prompt

Windows 2003 and Prior Using dnscmd

  1. From the Support Tools directory (\Program Files (x86)\Support Tools), run the following command to display the DNS cache output in the CMD window:
    • C:\Program Files (x86)\Support Tools>dnscmd /zoneprint ..cache
  2. To redirect the DNS cache output to a file, use the following command:
    • C:\Program Files (x86)\Support Tools>dnscmd /zoneprint ..cache > c:\cache_output.txt

Example Output From “C:\Program Files (x86)\Support Tools>dnscmd /zoneprint ..cache”

; Zone: ..cache
; Server: DNS-SERVER.local
; Time: Wed Mar 19 11:07:57 2014 UTC
;
@ 0 NS m.root-servers.net.
0 NS l.root-servers.net.
0 NS k.root-servers.net.
0 NS j.root-servers.net.
0 NS i.root-servers.net.
0 NS h.root-servers.net.
0 NS g.root-servers.net.
0 NS f.root-servers.net.
0 NS e.root-servers.net.
0 NS d.root-servers.net.
0 NS c.root-servers.net.
0 NS b.root-servers.net.
0 NS a.root-servers.net.
in-addr.arpa 46401 NS c.in-addr-servers.arpa.
46401 NS e.in-addr-servers.arpa.
46401 NS f.in-addr-servers.arpa.

<–snip–>

example-01.example.com 18295 A 192.168.11.56
example-02.example.com 18295 A 192.168.17.247
example-03.example.com 18295 A 192.168.21.45
example-04.example.com 18295 A 192.168.22.237
example-05.example.com 18295 A 192.168.24.99
amazon-adsystem.com 14942 NS pdns3.ultradns.org.
14942 NS pdns4.ultradns.org.
14942 NS pdns1.ultradns.net.
14942 NS pdns2.ultradns.net.
14942 NS pdns5.ultradns.info.
14942 NS pdns6.ultradns.co.uk.
sample.com 91379 NS u1.sample.com.
91379 NS u2.sample.com.
91379 NS u4.sample.com.
91379 NS u6.sample.com.
91379 NS u3.sample.com.
91379 NS u5.sample.com.
91379 NS r1.sample.com.
91379 NS r2.sample.com.
91379 NS r3.sample.com.
91379 NS r4.sample.com.
r1.sample.com 4979 A 10.10.1.1
r2.sample.com 4979 A 10.10.2.3
r3.sample.com 4979 A 10.10.4.5
r4.sample.com 4979 A 10.10.6.7
u1.sample.com 4979 A 10.10.33.4
u2.sample.com 4979 A 10.10.33.5
u3.sample.com 4979 A 10.10..4.99
u4.sample.com 4979 A 10.10.10.2
u5.sample.com 4979 A 10.99.4.2

<–snip–>

;
; Finished zone: 754 nodes and 1017 records in 0 seconds
;

Windows 2008 and Later Using dnscmd

  1. From any directory, run the following command to display the DNS cache output in the CMD window:
    • C:\>dnscmd /zoneprint ..cache
  2. To redirect the DNS cache output to a file, use the following command:
    • C:\>dnscmd /zoneprint ..cache > C:\dns-cache-output.txt

Example Output From “C:\>dnscmd /zoneprint ..cache” Follows

; Zone: ..cache
; Server: DNS-SERVER.local
; Time: Wed Mar 19 16:23:55 2014 UTC
;
@ 0 NS m.root-servers.net.
0 NS l.root-servers.net.
0 NS k.root-servers.net.
0 NS j.root-servers.net.
0 NS i.root-servers.net.
0 NS h.root-servers.net.
0 NS g.root-servers.net.
0 NS f.root-servers.net.
0 NS e.root-servers.net.
0 NS d.root-servers.net.
0 NS c.root-servers.net.
0 NS b.root-servers.net.
0 NS a.root-servers.net.
in-addr.arpa 27442 NS c.in-addr-servers.arpa.
27442 NS e.in-addr-servers.arpa.
27442 NS f.in-addr-servers.arpa.
27442 NS b.in-addr-servers.arpa.
27442 NS d.in-addr-servers.arpa.
27442 NS a.in-addr-servers.arpa.
27446 NS r.arin.net.
27446 NS t.arin.net.
27446 NS u.arin.net.
27446 NS v.arin.net.
27446 NS w.arin.net.
27446 NS x.arin.net.
27446 NS y.arin.net.
27446 NS z.arin.net.
27443 DS 12885 5 1 DE4B7E3F7CC212A252B30AB1AF825EB32153E6F6
27446 RRSIG DS 8 3 86400 20140326170642 20140319042616 49960

<–snip–>

ns1.nic.uk 72532 A 172.16.5.4
ns2.nic.uk 72532 A 172.16.4.131
ns4.nic.uk 72532 A 10.99.4.2
nsa.nic.uk 72532 A 10.3.55.6

<–snip–>
;
; Finished zone: 1090 nodes and 1462 records in 0 seconds
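
A parser for the dnscmd /zoneprint layout shown in both listings above, added here as an illustration and not code from the original post. It carries the owner name forward across the TTL-first continuation lines, skips the ';' comment lines, and flags cached names that sit on or under a watchlist of domains; the excerpt and the 'badsite.example' watchlist entry are constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class CacheRecord:
    owner: str  # node name; '@' is the zone apex, as in the dnscmd output
    ttl: int
    rtype: str  # NS, A, DS, RRSIG, ...
    rdata: str  # rest of the line: NS target, A address, DS/RRSIG fields

def parse_zoneprint(text: str) -> list[CacheRecord]:
    """';' lines are comments. A node's first record carries the owner name and its
    further records start with the TTL, so the last owner is carried forward."""
    records, owner = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(";"):
            continue
        if parts[0].isdigit() and owner and len(parts) >= 3:  # TTL TYPE RDATA
            ttl, rtype, rdata = parts[0], parts[1], parts[2:]
        elif len(parts) >= 4 and parts[1].isdigit():  # OWNER TTL TYPE RDATA
            owner, ttl, rtype, rdata = parts[0], parts[1], parts[2], parts[3:]
        else:
            continue  # e.g. a '<--snip-->' marker or other unparseable line
        records.append(CacheRecord(owner, int(ttl), rtype.upper(), " ".join(rdata)))
    return records

def watchlist_match(name: str, watchlist: set[str]) -> str | None:
    """Return the watchlist entry that `name` equals or is a subdomain of."""
    labels = name.rstrip(".").lower().split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in watchlist), None)

def find_suspicious(records: list[CacheRecord], watchlist: set[str]) -> list[tuple[CacheRecord, str]]:
    """Pair each record whose owner is on or under the watchlist with the entry it hit."""
    watch = {w.rstrip(".").lower() for w in watchlist}
    return [(r, hit) for r in records if (hit := watchlist_match(r.owner, watch))]

# Constructed excerpt in the layout of the dnscmd output above; 'badsite.example' is made up.
SAMPLE_ZONEPRINT = """\
; Zone: ..cache
@ 0 NS m.root-servers.net.
0 NS l.root-servers.net.
sample.com 91379 NS u1.sample.com.
91379 NS u2.sample.com.
u1.sample.com 4979 A 10.10.33.4
cdn.badsite.example 300 A 192.0.2.10
300 A 192.0.2.11
"""
HITS = find_suspicious(parse_zoneprint(SAMPLE_ZONEPRINT), {"badsite.example"})
```

To run it against a real export, read the redirected file (for example C:\dns-cache-output.txt) into a string and pass it to parse_zoneprint in place of the sample.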
Windows 2008 and Later using PowerShell

  1. From any directory, run the Show-DnsServerCache PowerShell cmdlet to display the DNS cache output in the PowerShell window:
    • C:\>Show-DnsServerCache
  2. To redirect the DNS cache output to a file, use the following command (note that Windows PowerShell's > redirection writes the file as UTF-16; if another tool needs plain text, pipe to Out-File with an explicit -Encoding instead):
    • C:\>Show-DnsServerCache > C:\dns-cache-output.txt

Example Output From the PowerShell Window Follows

C:\Users\Administrator>Show-DnsServerCache
HostName RecordType Timestamp TimeToLive RecordData
-------- ---------- --------- ---------- ----------
@ NS 0 00:00:00 m.root-servers.net.
@ NS 0 00:00:00 l.root-servers.net.
@ NS 0 00:00:00 k.root-servers.net.
@ NS 0 00:00:00 j.root-servers.net.
@ NS 0 00:00:00 i.root-servers.net.
@ NS 0 00:00:00 h.root-servers.net.
@ NS 0 00:00:00 g.root-servers.net.
@ NS 0 00:00:00 f.root-servers.net.
@ NS 0 00:00:00 e.root-servers.net.
@ NS 0 00:00:00 d.root-servers.net.
@ NS 0 00:00:00 c.root-servers.net.
@ NS 0 00:00:00 b.root-servers.net.
@ NS 0 00:00:00 a.root-servers.net.
in-addr.arpa NS 0 07:47:00 c.in-addr-servers.arpa.
in-addr.arpa NS 0 07:47:00 e.in-addr-servers.arpa.
in-addr.arpa NS 0 07:47:00 f.in-addr-servers.arpa.
in-addr.arpa NS 0 07:47:00 b.in-addr-servers.arpa.
in-addr.arpa NS 0 07:47:00 d.in-addr-servers.arpa.
in-addr.arpa NS 0 07:47:00 a.in-addr-servers.arpa.
152.in-addr.arpa NS 0 07:47:04 r.arin.net.
152.in-addr.arpa NS 0 07:47:04 t.arin.net.
152.in-addr.arpa NS 0 07:47:04 u.arin.net.
152.in-addr.arpa NS 0 07:47:04 v.arin.net.
152.in-addr.arpa NS 0 07:47:04 w.arin.net.
152.in-addr.arpa NS 0 07:47:04 x.arin.net.
152.in-addr.arpa NS 0 07:47:04 y.arin.net.
152.in-addr.arpa NS 0 07:47:04 z.arin.net.
152.in-addr.arpa DS 0 07:47:01 [12885][Sha1][RsaSha1]
152.in-addr.arpa RRSIG 0 07:47:04 [DS][RsaSha256][49960]
48.152.in-addr.arpa NS 0 15:51:25 reggae.ncren.net.
48.152.in-addr.arpa NS 0 15:51:25 ncnoc.ncren.net.
a.in-addr-servers.arpa A 0 07:47:01 10.100.55.6
b.in-addr-servers.arpa A 0 07:47:01 192.168.1.183
c.in-addr-servers.arpa A 0 07:47:01 196.168.33.10
d.in-addr-servers.arpa A 0 07:47:01 10.10.4.53
e.in-addr-servers.arpa A 0 07:47:01 10.10.44.6
f.in-addr-servers.arpa A 0 07:47:01 192.168.8.33
ip6.arpa NS 0 07:46:50 a.ip6-servers.arpa.
ip6.arpa NS 0 07:46:50 b.ip6-servers.arpa.
ip6.arpa NS 0 07:46:50 d.ip6-servers.arpa.
a.ip6-servers.arpa A 0 07:46:50 192.168.8.36
b.ip6-servers.arpa A 0 07:46:50 192.168.8.44
c.ip6-servers.arpa A 0 07:46:50 192.168.8.55

Conclusion

The Windows Server DNS cache gives a network administrator a quick view of the DNS entries that server and client hosts have recently resolved. Inspecting it is a useful first step when investigating DNS activity on a network segment. Depending on the operating system version in use, administrators have several options (dnscmd or PowerShell) for doing so.


Authors

Scott Bradley

Security Intelligence Engineer

Security Intelligence Operations