DNS Resolver Configuration & Cache State

Linux, Network Traffic, Disk Image, Memory Dump

Location

/etc/resolv.conf, /run/systemd/resolve/*, /etc/systemd/resolved.conf, and runtime state via resolvectl

Common Names

resolv.conf, systemd-resolved, resolvectl

Description

Resolver configuration files and runtime cache state, read directly by glibc and other consumers of /etc/resolv.conf or managed by systemd-resolved. On systemd-resolved hosts /etc/resolv.conf is normally a symlink into /run/systemd/resolve: stub-resolv.conf points clients at the local stub listener on 127.0.0.53, while resolv.conf lists the upstream servers directly. Together these artifacts capture the nameservers, search domains, DNS-over-TLS settings, stub-resolver state, and per-link resolver assignments active on the host.

Forensic Value

Resolver state is essential for determining how a compromised Linux host translated names during the incident. It can expose attacker-added nameservers, split-DNS VPN settings, sinkholes, or transient per-link resolvers that were only active while the host was connected to a hostile network. Runtime cache inspection (systemd-resolved writes its cache contents to the journal when sent SIGUSR1, and resolvectl statistics reports cache size and hit counts) can show recently resolved names and confirm whether suspicious infrastructure was reachable through the configured resolver path.

Tools Required

cat, resolvectl, journalctl, grep

Collection Commands

cat

cat /etc/resolv.conf /etc/systemd/resolved.conf > /forensics/output/resolver_config.txt 2>/dev/null

resolvectl

resolvectl status > /forensics/output/resolvectl_status.txt

find

find /run/systemd/resolve -type f -exec cp --parents {} /forensics/output/ \; 2>/dev/null
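The three commands above, combined into one collection script, as an added example that is not part of the original page. It records the /etc/resolv.conf symlink target and the resolved.conf.d drop-ins, triggers the systemd-resolved cache dump to the journal, hashes the output, and runs a simple triage over the collected copy of resolv.conf. The output directory (COLLECT_TO), the allow-list of known nameservers and the 5-minute journal window are assumptions to adjust per site.

```shell
#!/bin/sh
# Added example, not from the original page: one-shot collection of Linux resolver
# state plus a triage helper for the collected resolv.conf. The output directory
# and the allow-list of "known good" nameservers are site-specific assumptions.

# Print every nameserver in a resolv.conf body (stdin) that is not in the
# space-separated allow-list given as $1. Comment lines never match because
# their first field is "#", not "nameserver".
unexpected_nameservers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    '
}

# Print search/domain suffixes so split-DNS or VPN-injected suffixes stand out.
search_domains() {
    awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print $i }'
}

collect_resolver_state() {
    out="$1"
    mkdir -p "$out"
    # On systemd-resolved hosts /etc/resolv.conf is usually a symlink into
    # /run/systemd/resolve; the link target tells you which mode is active.
    { ls -l /etc/resolv.conf; readlink -f /etc/resolv.conf; } > "$out/resolv_conf_link.txt" 2>&1
    cat /etc/resolv.conf /etc/systemd/resolved.conf > "$out/resolver_config.txt" 2>/dev/null
    # Drop-ins override resolved.conf and are easy to overlook.
    find /etc/systemd/resolved.conf.d -type f \
        -exec sh -c 'printf "== %s\n" "$1"; cat "$1"' _ {} \; > "$out/resolved_conf_d.txt" 2>/dev/null
    # Generated per-link and stub files (GNU cp --parents keeps the original paths).
    find /run/systemd/resolve -type f -exec cp --parents {} "$out" \; 2>/dev/null
    if command -v resolvectl >/dev/null 2>&1; then
        resolvectl status > "$out/resolvectl_status.txt" 2>&1
        resolvectl statistics > "$out/resolvectl_statistics.txt" 2>&1
        # systemd-resolved dumps its whole cache to the journal on SIGUSR1; capture it
        # before containment restarts the service and the memory-backed cache is gone.
        pid=$(systemctl show -p MainPID --value systemd-resolved.service 2>/dev/null)
        if [ -n "$pid" ] && [ "$pid" != 0 ]; then
            kill -USR1 "$pid" && sleep 2
            journalctl -u systemd-resolved.service --since "-5min" --no-pager \
                > "$out/resolved_cache_dump.txt" 2>&1
        fi
    fi
    # Triage the collected copy, never the live file, so later changes cannot alter the result.
    unexpected_nameservers "$KNOWN_NAMESERVERS" < "$out/resolver_config.txt" > "$out/unexpected_nameservers.txt"
    search_domains < "$out/resolver_config.txt" > "$out/search_domains.txt"
    find "$out" -type f ! -name manifest.sha256 -exec sha256sum {} + > "$out/manifest.sha256"
}

# Hypothetical site allow-list; 127.0.0.53 is the systemd-resolved stub listener.
KNOWN_NAMESERVERS="${KNOWN_NAMESERVERS:-127.0.0.53 10.0.0.53 10.0.0.54}"

# Run the collection only when an output directory is supplied,
# e.g.  COLLECT_TO=/forensics/output sh collect_resolver.sh
if [ -n "${COLLECT_TO:-}" ]; then
    collect_resolver_state "$COLLECT_TO"
fi
```

Run it as root, since /run/systemd/resolve and the journal are not fully readable otherwise. The triage functions only see `nameserver` and `search` lines, so `DNS=` entries from resolved.conf are not checked; compare those against the allow-list by hand from resolver_config.txt and resolved_conf_d.txt.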

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow. Restarting systemd-resolved or NetworkManager regenerates the files under /run/systemd/resolve and may rewrite /etc/resolv.conf.
  • Resolver caches are memory-backed and are lost on reboot or service restart. systemd-resolved only exposes its cache contents on demand (SIGUSR1 dumps them to the journal). Hosts that bypass systemd-resolved expose only static resolver configuration without recent query context.
  • Record whether /etc/resolv.conf is a symlink and where it points, and collect any drop-ins under /etc/systemd/resolved.conf.d/, which override /etc/systemd/resolved.conf. A plain-file resolv.conf usually indicates a different resolver stack (NetworkManager, resolvconf, or a hand-edited file) and should be checked for recent modification.

MITRE ATT&CK Techniques

T1565.001, T1071.004, T1016