Cybersecurity Project

DNS Cache Hunter

Monitoring DNS cache & flagging malicious IPs

A lightweight Python tool that parses the local DNS cache (A/AAAA records), normalises entries, and enriches them with threat intelligence. The result is a concise DNS Threat Report that separates malicious, suspicious, and safe entries for fast SOC triage.

Why it matters: DNS is a rich telemetry source. Turning raw cache data into intel-backed findings helps identify beaconing, shady CDNs, and ad/malware infrastructure without deploying heavy agents.

Capabilities
  • Parses ipconfig /displaydns output into structured indicators (FQDN ↔ IP).
  • Enriches IPs against public intel sources; aggregates labels per indicator.
  • Generates a readable report with totals and per-indicator rationale.
  • Handles duplicate/empty entries and noisy cache output gracefully.
Flow: DNS cache → parser → intel enrichment → threat-categorised report.

Overview

Purpose

Quickly triage DNS artifacts with intel-backed context

The goal was to practice end-to-end detection and enrichment: read the DNS cache, extract indicators, query reputation services, and produce an auditor-friendly report suitable for tickets or investigation notes.

Tools & Technologies

  • Python 3.x (subprocess, parsing, CLI formatting)
  • Windows DNS cache via ipconfig /displaydns
  • Threat intel lookups (e.g., multi-engine reputation services)
Process

How it works

Collection → Parsing → Enrichment → Report
  1. Collect DNS cache. Execute ipconfig /displaydns and capture stdout.
  2. Parse A/AAAA. Split cache blocks, extract FQDNs and IPs, normalise to a clean list.
  3. Enrich with intel. Query reputation sources; aggregate engine labels (malicious/suspicious/clean).
  4. Score & report. Summarise totals and list flagged indicators with their intel notes.
Intel logic & thresholds
  • Malicious — any high-confidence “malware/criminal” label from a trusted engine.
  • Suspicious — low-confidence or mixed results across engines.
  • Safe — no negative signals after enrichment.
Edge cases & error handling
  • Deduplicates repeated FQDN↔IP pairs from the cache output.
  • Tolerates empty/partial sections; skips non-A/AAAA blocks.
  • Graceful messaging if cache access or intel lookups fail.
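As an added example (not the project's own code), the following line-based parser and classifier cover steps 1 to 4 above together with the threshold and edge-case rules: it deduplicates FQDN↔IP pairs, skips CNAME and other non-A/AAAA blocks, normalises addresses, and maps per-engine verdicts to the three report categories. The sample cache text, the `engine_a`/`engine_b` engine names and the `malicious`/`suspicious`/`clean` verdict vocabulary are constructed assumptions, not output from any real reputation service.

```python
import re
import ipaddress
# Constructed, abridged sample of `ipconfig /displaydns` output (not a real capture):
# a duplicated A entry, a CNAME block that must be skipped, and an AAAA entry.
SAMPLE_CACHE = """\
Windows IP Configuration

    ----------------------------------------
    Record Name . . . . . : example.com
    A (Host) Record . . . : 203.0.113.10
    ----------------------------------------
    Record Name . . . . . : example.com
    A (Host) Record . . . : 203.0.113.10
    ----------------------------------------
    Record Name . . . . . : cdn.example.net
    CNAME Record  . . . . : edge.example.net
    ----------------------------------------
    Record Name . . . . . : v6.example.org
    AAAA Record . . . . . : 2001:DB8::1
"""
NAME_RE = re.compile(r"Record Name[ .]*: (\S+)")
ADDR_RE = re.compile(r"(?:A \(Host\)|AAAA) Record[ .]*: (\S+)")
TRUSTED_ENGINES = {"engine_a", "engine_b"}  # placeholder names, not real vendors

def parse_displaydns(text):
    """Walk the cache line by line; return unique (fqdn, ip) pairs from A/AAAA only."""
    pairs, fqdn = {}, None  # dict keeps first-seen order while deduplicating
    for line in text.splitlines():
        name = NAME_RE.search(line)
        if name:
            fqdn = name.group(1).lower()  # new block; CNAME/other blocks emit nothing
            continue
        addr = ADDR_RE.search(line)
        if not addr or fqdn is None:
            continue  # banner, separator, or an address outside a named block
        try:
            ip = str(ipaddress.ip_address(addr.group(1)))  # normalises IPv6 case
        except ValueError:
            continue  # tolerate garbage in a partial block
        pairs[(fqdn, ip)] = None
    return list(pairs)

def categorise(verdicts):
    """Map {engine: 'malicious'|'suspicious'|'clean'} to the report's three buckets."""
    if any(v == "malicious" and e in TRUSTED_ENGINES for e, v in verdicts.items()):
        return "malicious"  # high-confidence hit from a trusted engine
    if any(v != "clean" for v in verdicts.values()):
        return "suspicious"  # low-confidence or mixed results across engines
    return "safe"  # no negative signals after enrichment
```

A real run would replace `SAMPLE_CACHE` with the captured stdout of `ipconfig /displaydns` and feed each IP from `parse_displaydns` to the intel lookup before calling `categorise`.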

Example Output

[Screenshot: DNS Threat Report]

Reflection

  • Takeaway: Clear parsing + simple, explainable thresholds make DNS artifacts actionable for analysts.
  • Challenges: cache output variability; mapping engine labels to consistent categories.
  • Future improvements: Linux/macOS resolvers, JSON/CSV export, parallelised lookups with backoff, and domain reputation checks.