Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
dns_cache
dns_cache
Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.
| Column | Type | Description |
|---|---|---|
| flags | integer | DNS record flags |
| name | text | DNS record name |
| type | text | DNS record type |
Example
An integral part of incident response is understanding all systems that may have been compromised. To help with this, a query like the following will return positive for a system that has resolved a domain that contains baddomain. It's important to note that a system will only cache the DNS mapping for a limited time - see Notes below for further information.
SELECT name, type FROM dns_cache WHERE name LIKE '%baddomain%';Notes
This table pulls from the local system's DNS cache. By default, the local DNS cache entry for a domain will be removed once the TTL for the domain has expired. For instance, osquery.io has a TTL of 60 seconds. When this domain has been resolved on a local Windows system, the DNS mapping will expire in 60 seconds from the resolution time - so SELECT * FROM dns_cache WHERE name = 'osquery.io' will only return results during that 60 second window.
Windows has a maximum time that it allows a cache entry to exist- by default, it is 1 day. If the domain has a TTL of greater than 1 day, Windows will still remove the DNS entry from its cache after 1 day.
Questions?
SOC2 Type 2
