Windows DNS Monitoring

Can someone please point me to additional information around Windows DNS monitoring referenced in the Platform Updates section around endpoint agent 4.33.25 (new stable)? I am not seeing anything in the docs (I am sure I am missing it somehow).
Thank you!

Here is some additional detail on the feature:

The DNS monitoring uses Windows’ undocumented DnsGetCacheDataTable() function from dnsapi.dll to directly access the system’s DNS cache. This approach is more reliable than hooking network calls.

Technical Implementation:
• A background thread (dnsDiffThread) periodically polls the DNS cache (adaptive 5-15 second intervals based on system load)
• Compares snapshots to identify new DNS requests (differential analysis)
• Publishes DNS_REQUEST events containing:
  • Domain name queried
  • DNS record type (A, AAAA, MX, etc.)
  • DNS flags
  • Timestamp
1 Like
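The poll-and-diff scheme described in the reply above, as an added Python example (not the endpoint agent's own code). It assumes the widely reported but undocumented layout of DNS_CACHE_ENTRY and the DnsGetCacheDataTable(PDNS_CACHE_ENTRY *) signature exported by dnsapi.dll; the load-to-interval mapping, RECORD_TYPES table and function names are assumptions of this example.

```python
import ctypes
import time


class DNS_CACHE_ENTRY(ctypes.Structure):
    """Linked-list node returned by DnsGetCacheDataTable (assumed, undocumented layout)."""

DNS_CACHE_ENTRY._fields_ = [
    ("pNext", ctypes.POINTER(DNS_CACHE_ENTRY)),
    ("pszName", ctypes.c_wchar_p),   # queried domain name
    ("wType", ctypes.c_ushort),      # record type (1=A, 28=AAAA, 15=MX, ...)
    ("wDataLength", ctypes.c_ushort),
    ("dwFlags", ctypes.c_ulong),     # DNS flags
]
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

def read_dns_cache():
    """Snapshot the resolver cache as a set of (name, type, flags). Windows only."""
    if not hasattr(ctypes, "WinDLL"):
        raise OSError("dnsapi.dll is only available on Windows")
    dnsapi = ctypes.WinDLL("dnsapi")
    head = ctypes.POINTER(DNS_CACHE_ENTRY)()
    if not dnsapi.DnsGetCacheDataTable(ctypes.byref(head)):  # non-zero on success
        return set()
    snapshot, node = set(), head
    while node:  # a NULL pointer is falsy, which ends the walk
        e = node.contents
        snapshot.add((e.pszName, e.wType, e.dwFlags))
        node = e.pNext
    return snapshot

def new_requests(previous, current):
    """Differential analysis: entries present now that were absent at the last poll.
    An entry that expires from the cache and is resolved again is reported as new again."""
    return sorted(current - previous)

def to_event(entry, timestamp):
    """Shape one diff result into the DNS_REQUEST event fields listed in the post."""
    name, rtype, flags = entry
    return {"event": "DNS_REQUEST", "domain": name, "flags": flags,
            "type": RECORD_TYPES.get(rtype, str(rtype)), "timestamp": timestamp}

def poll_interval(cpu_load):
    """Adaptive 5-15 s interval from a 0.0-1.0 load figure (the mapping is an assumption)."""
    return 5.0 + 10.0 * min(max(cpu_load, 0.0), 1.0)

def poll_once(previous, get_load=lambda: 0.0):
    """One iteration of the background thread: sleep adaptively, re-snapshot, diff."""
    time.sleep(poll_interval(get_load()))
    current = read_dns_cache()
    return current, [to_event(e, time.time()) for e in new_requests(previous, current)]
```

Run poll_once in a loop on a background thread, feeding each returned snapshot back in as previous; the entries returned by dnsapi are not freed here.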

@cmd1775 Another advantage is that whenever a process issues a DNS request, it will more often than not go through the Windows DNS Client service (DNSCache). This means the emanating process ID (PID) will appear as the DNSCache service rather than the actual program that initiated the request.

The update in the latest stable 4.33.25 will be able to get the actual source of the DNS request instead of the DNSCache service.

2 Likes

Thank you for the information.

Thank you very much!