logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

CB Response: How does the Linux sensor perform DNS name resolution?

CB Response: How does the Linux sensor perform DNS name resolution?

Environment

  • CB Response Sensor: All Linux versions
  • CB Response Server: All versions

Question

How does the Linux sensor perform DNS name resolution?

Answer

  1. The kernel captures DNS response packets for active processes, and transfers them to the sensor daemon. 
  2. The daemon then parses the response, and updates its local sensor cache (not to be confused with the OS DNS cache). 
  3. The daemon then performs a reverse lookup in its own cache for each netconn. 

Additional Notes

If multiple hostnames are seen associated with a single address, that indicates that some process has performed a lookup for each host and they resolved to that address. 

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎09-09-2020
Views:
363
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.