DNS Query Logs
Location
DNS server logs (BIND named.log, Windows DNS debug/analytical log, Pi-hole, Infoblox)
Description
DNS resolution logs recording the timestamp, the querying client IP, the requested domain name, the query type (A, AAAA, MX, TXT, CNAME), the response code, and the resolved IP addresses. Not every source records all of these: BIND's standard query log records the query only, so response codes and answers require dnstap or response logging on the resolver.
Forensic Value
DNS logs expose C2 communication that evades traditional network monitoring. DNS tunneling manifests as a high volume of queries, typically TXT, NULL or CNAME, to a single parent domain whose subdomain labels are long and high-entropy because they carry encoded data. DGA (Domain Generation Algorithm) malware produces bursts of NXDOMAIN responses for random-looking domains as it searches for the active registration. Queries for known-malicious domains, correlated with timestamps, identify which internal hosts are compromised and when the infection began. DNS is rarely blocked entirely, making it a preferred covert channel. Because the logs are written by the resolver rather than the endpoint, they survive when endpoint telemetry is missing or the host has been rebooted, powered off, or wiped. Two caveats: query logging is off by default on BIND and Windows DNS and must have been enabled before the incident, and the logged client IP is only the host when clients query the resolver directly; traffic that passes through a forwarder shows the forwarder's address, and clients using DNS-over-HTTPS to an external provider do not appear at all.
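The following Python script is an added example, not code from the original page or from any of the products it names. It applies the three heuristics above (tunneling, DGA, known-malicious domains) to a constructed sample log. The record format ("ISO timestamp, client, qname, qtype, rcode" separated by spaces), the client addresses, the domains c2-example.net and bad-example.biz, the blocklist, and the thresholds are all assumptions for illustration; a real BIND, Windows DNS or Pi-hole log needs a format-specific parser in place of parse_line().

```python
"""Triage a normalized DNS query log for tunneling, DGA activity and known-bad domains.

Assumed record format (constructed for this example, not a real product's log format):
    <ISO timestamp> <client IP> <qname> <qtype> <rcode>
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _pseudo_random_label(seed: str, length: int) -> str:
    """Deterministic high-entropy label (base32 of a SHA-256 digest) standing in for encoded data."""
    digest = hashlib.sha256(seed.encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:length]


def build_sample_log() -> list[str]:
    """Constructed sample: benign background, one tunneling client, one DGA client, one blocklist hit."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []

    def add(offset_s, client, qname, qtype, rcode):
        ts = (t0 + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{ts} {client} {qname} {qtype} {rcode}")

    for i in range(10):  # ordinary lookups from ten hosts
        add(i * 30, f"10.0.0.{i + 1}", "www.example.com", "A", "NOERROR")
        add(i * 30 + 5, f"10.0.0.{i + 1}", "mail.example.com", "MX", "NOERROR")
    for i in range(30):  # tunneling: 30 TXT queries, 52-char encoded labels, one parent domain
        add(100 + i, "10.0.0.17", f"{_pseudo_random_label(f'tun{i}', 52)}.t.c2-example.net", "TXT", "NOERROR")
    for i in range(40):  # DGA: 40 random-looking domains, none registered
        add(200 + i, "10.0.0.23", f"{_pseudo_random_label(f'dga{i}', 16)}.com", "A", "NXDOMAIN")
    add(300, "10.0.0.5", "updates.bad-example.biz", "A", "NOERROR")  # blocklisted domain, first at +300s
    add(900, "10.0.0.5", "updates.bad-example.biz", "A", "NOERROR")
    return lines


def parse_line(line: str) -> dict:
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper(), "rcode": rcode.upper()}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, dictionary-like names score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (assumption: no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_tunneling(records, min_queries=20, min_txt_null_ratio=0.5, min_label_len=30, min_label_entropy=3.0):
    """Per (client, parent domain): many TXT/NULL queries whose leftmost label is long and random."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], parent_domain(r["qname"]))].append(r)
    hits = {}
    for key, rs in groups.items():
        if len(rs) < min_queries:
            continue
        first_labels = [r["qname"].split(".")[0] for r in rs]
        txt_null = sum(r["qtype"] in ("TXT", "NULL") for r in rs) / len(rs)
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_ent = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        if txt_null >= min_txt_null_ratio and avg_len >= min_label_len and avg_ent >= min_label_entropy:
            hits[key] = {"queries": len(rs), "txt_null_ratio": round(txt_null, 2),
                         "avg_label_len": round(avg_len, 1), "avg_label_entropy": round(avg_ent, 2)}
    return hits


def find_dga(records, min_entropy=3.0, min_len=10, min_distinct=8):
    """Per client: count of distinct NXDOMAIN parent domains whose label is long and random-looking."""
    candidates = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        parent = parent_domain(r["qname"])
        label = parent.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            candidates[r["client"]].add(parent)
    return {client: len(doms) for client, doms in candidates.items() if len(doms) >= min_distinct}


def find_known_bad(records, blocklist):
    """Per client: first/last time it resolved a blocklisted domain; any suffix of the qname matches."""
    hits = {}
    for r in records:
        labels = r["qname"].split(".")
        matched = {".".join(labels[i:]) for i in range(len(labels))} & set(blocklist)
        if not matched:
            continue
        h = hits.setdefault(r["client"], {"first_seen": r["ts"], "last_seen": r["ts"], "domains": set()})
        h["first_seen"], h["last_seen"] = min(h["first_seen"], r["ts"]), max(h["last_seen"], r["ts"])
        h["domains"] |= matched
    return hits


if __name__ == "__main__":
    recs = [parse_line(l) for l in build_sample_log()]
    print("tunneling:", find_tunneling(recs))
    print("dga:", find_dga(recs))
    print("known-bad:", find_known_bad(recs, {"bad-example.biz"}))
```

The grouping key for tunneling is (client, parent domain) rather than domain alone so that a single infected host stands out even on a busy resolver; the DGA rule keys on NXDOMAIN plus label randomness because legitimate typos rarely produce dozens of distinct high-entropy failures from one client in a short window.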
Related Blockers
No EDR Agent on Compromised Hosts
The affected endpoints do not have an EDR agent installed or the agent was disabled prior to the incident. Without endpoint telemetry you lose process trees, command-line logging, and real-time containment capability.
BitLocker/Encrypted Drives Preventing Forensic Imaging
Full-disk encryption (BitLocker, FileVault, LUKS) prevents mounting or imaging the drive without the recovery key. Without decryption you cannot access the filesystem for artifact collection.
Compromised Systems Powered Off or Disconnected
Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.
Shared Cloud Environment Complicates Isolation
The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.
Systems Already Rebooted -- Volatile Data Lost
The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.
Backups May Be Compromised -- Cannot Trust for Recovery
Backup integrity is uncertain. The attacker may have been present in the environment long enough to have compromised backup copies, planted persistence mechanisms in backup images, or encrypted/deleted backup repositories.