Network

DNS Configuration

Overview

macOS DNS configuration reveals the name resolution settings for the system, including configured DNS servers, search domains, and any manual overrides in the hosts file. Modifications to DNS configuration can indicate C2 communication setup (redirecting domains to attacker-controlled IPs), privacy tool usage (encrypted DNS providers), or corporate network configuration.

Forensic Significance

| Evidence Type       | Forensic Value                                                    |
|---------------------|-------------------------------------------------------------------|
| DNS servers         | Configured resolver addresses (ISP, corporate, public, malicious) |
| Search domains      | Network domain affiliations                                       |
| Hosts file entries  | Manual DNS overrides (C2 indicators, ad blocking, redirects)      |
| DNS-over-HTTPS/TLS  | Encrypted DNS configuration                                       |
| Resolver order      | DNS resolution priority                                           |

File Locations

| Artifact           | Path                                                        | Format     |
|--------------------|-------------------------------------------------------------|------------|
| Resolver config    | /etc/resolv.conf                                            | Text       |
| Hosts file         | /etc/hosts                                                  | Text       |
| DNS configuration  | scutil --dns (command)                                      | API output |
| Per-interface DNS  | /Library/Preferences/SystemConfiguration/preferences.plist  | Plist      |

Key Data

Hosts File

The /etc/hosts file contains manual name-to-address mappings that the system resolver consults before sending a DNS query, so an entry here overrides whatever the configured DNS servers would return:

127.0.0.1    localhost
::1          localhost
# Suspicious entries might include:
192.168.1.50    corporate-portal.example.com
10.0.0.1        update.microsoft.com
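The hosts file above has three kinds of entries: the stock macOS lines, names sinkholed to 0.0.0.0 or loopback, and names redirected to a real host. The script below, an added example rather than macfor's own code, parses a hosts file and separates them so that only the redirects need a human look. The sample file, the 50-entry blocklist threshold and the BASELINE set of stock entries are assumptions made for the example.

```python
"""Triage a macOS /etc/hosts file: separate stock entries, sinkholes and redirects."""
import ipaddress

# (address, hostname) pairs present in a stock macOS hosts file (assumption for this example).
BASELINE = {
    ("127.0.0.1", "localhost"),
    ("255.255.255.255", "broadcasthost"),
    ("::1", "localhost"),
}
# Addresses commonly used to "sinkhole" a name, as ad/tracker blocklists do.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample hosts file; the addresses and names are made up for this example.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
192.168.1.50    corporate-portal.example.com
10.0.0.1        update.microsoft.com   # constructed: update server pointed at a LAN host
0.0.0.0         ads.example.net
0.0.0.0         tracker.example.org
"""


def parse_hosts(text):
    """Return one dict per (address, hostname) pair, ignoring comments and malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no hostnames resolves nothing
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises e.g. ::0001 -> ::1
        except ValueError:
            continue  # not an address: skip rather than guess
        for name in fields[1:]:
            entries.append({"line": lineno, "addr": addr, "name": name.lower()})
    return entries


def triage_hosts(text, blocklist_threshold=50):
    """Split entries into baseline, sinkholed and redirected; flag blocklist-style files."""
    entries = parse_hosts(text)
    baseline = [e for e in entries if (e["addr"], e["name"]) in BASELINE]
    overrides = [e for e in entries if (e["addr"], e["name"]) not in BASELINE]
    sinkholed = [e for e in overrides if e["addr"] in SINK_ADDRS]
    redirects = [e for e in overrides if e["addr"] not in SINK_ADDRS]
    return {
        "baseline": baseline,
        "sinkholed": sinkholed,
        # Names pointed at a reachable host: each one deserves review.
        "redirects": redirects,
        # Many sinkholed names is the ad-blocking / Pi-hole export pattern.
        "blocklist_like": len(sinkholed) >= blocklist_threshold,
    }


if __name__ == "__main__":
    result = triage_hosts(SAMPLE_HOSTS)
    for e in result["redirects"]:
        print(f"line {e['line']}: {e['name']} -> {e['addr']}  (redirect, review)")
    print(f"sinkholed: {len(result['sinkholed'])}, blocklist-like: {result['blocklist_like']}")
```

Run it against a copy of the acquired /etc/hosts instead of SAMPLE_HOSTS. A redirect of a vendor update host to a private address, as in the sample, is the case the analysis notes call out; a large sinkholed count with no redirects is the blocklist pattern and usually benign.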

Resolver Configuration

# Full DNS configuration (all resolvers, search domains, scoped queries)
scutil --dns

# Active resolver (generated by the system; not meant to be edited by hand)
cat /etc/resolv.conf

# Per-interface DNS; the argument is the network service name as listed by
# `networksetup -listallnetworkservices`
networksetup -getdnsservers Wi-Fi
networksetup -getdnsservers Ethernet

Analysis Notes

  • Hosts file tampering: Entries in /etc/hosts that redirect legitimate domains to different IP addresses may indicate malware (redirecting update servers to prevent patching) or C2 infrastructure.
  • DNS server analysis: Identify the configured DNS servers. Common indicators:
    • 8.8.8.8 / 8.8.4.4 — Google Public DNS
    • 1.1.1.1 / 1.0.0.1 — Cloudflare DNS
    • 208.67.222.222 — OpenDNS
    • Corporate IP ranges — Enterprise DNS
    • Unusual or unknown IPs — Potential malicious redirection
  • Search domain context: Search domains reveal network affiliations (e.g., corp.example.com indicates enterprise network).
  • DNS-over-HTTPS: macOS 11+ supports encrypted DNS (DoH/DoT). Check installed configuration profiles for DNS Settings payloads, which is where an encrypted resolver is normally configured.
  • Hosts file as blocklist: Large hosts files redirecting many domains to 0.0.0.0 may indicate ad-blocking or privacy tools (Pi-hole exports, etc.).
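The resolver indicator list above is easy to apply by hand to one machine and tedious across many. The script below, an added example rather than macfor's own code, pulls the nameservers and search domains out of saved `scutil --dns` output (it also accepts the `nameserver`/`search` lines of /etc/resolv.conf) and labels each resolver using the indicators listed in the notes. The sample output, the second OpenDNS address (208.67.220.220) and the treatment of RFC 1918 ranges as "enterprise" are assumptions made for the example.

```python
"""Extract and classify resolvers from `scutil --dns` or /etc/resolv.conf text."""
import ipaddress
import re

# Resolver addresses from the analysis notes above, plus OpenDNS's second address (assumption).
KNOWN_PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google Public DNS",
    "8.8.4.4": "Google Public DNS",
    "1.1.1.1": "Cloudflare DNS",
    "1.0.0.1": "Cloudflare DNS",
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}
# RFC 1918 and IPv6 ULA ranges: where an enterprise or home-router resolver usually lives.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Matches `nameserver[0] : 10.10.0.53` (scutil) and `nameserver 10.10.0.53` (resolv.conf).
NAMESERVER_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)")
# Matches `search domain[0] : corp.example.com` (scutil) and `search a.com b.com` (resolv.conf).
SEARCH_RE = re.compile(r"^\s*search(?:\s+domain\[\d+\])?\s*:?\s*(.+?)\s*$")

# Constructed sample in the shape of `scutil --dns` output; addresses are made up.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : corp.example.com
  nameserver[0] : 10.10.0.53
  nameserver[1] : 8.8.8.8
  nameserver[2] : 198.51.100.7
  if_index : 14 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : corp.example.com
  nameserver[0] : 10.10.0.53
  nameserver[1] : 8.8.8.8
  nameserver[2] : 198.51.100.7
  if_index : 14 (en0)
  flags    : Scoped, Request A records, Request AAAA records
"""


def extract_dns_settings(text):
    """Return (nameservers, search_domains) in first-seen order, duplicates removed."""
    nameservers, domains = [], []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m:
            if m.group(1) not in nameservers:
                nameservers.append(m.group(1))
            continue
        m = SEARCH_RE.match(line)
        if m:
            for domain in m.group(1).split():
                if domain not in domains:
                    domains.append(domain)
    return nameservers, domains


def classify_resolver(addr):
    """Label a resolver address with the indicator categories from the analysis notes."""
    if addr in KNOWN_PUBLIC_RESOLVERS:
        return KNOWN_PUBLIC_RESOLVERS[addr]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable address, review"
    if ip.is_loopback:
        return "loopback: local DNS proxy or forwarder, identify the process listening on port 53"
    if any(ip in net for net in PRIVATE_RANGES):
        return "private range: likely enterprise/LAN resolver, confirm against network documentation"
    return "unknown public address, review"


def triage_resolvers(text):
    """Classify every resolver found in the text and collect its search domains."""
    nameservers, domains = extract_dns_settings(text)
    return {"resolvers": [(ns, classify_resolver(ns)) for ns in nameservers],
            "search_domains": domains}


if __name__ == "__main__":
    result = triage_resolvers(SAMPLE_SCUTIL)
    print("search domains:", ", ".join(result["search_domains"]))
    for ns, label in result["resolvers"]:
        print(f"{ns:>16}  {label}")
```

A private-range resolver is only "expected" if it matches the network the host actually lived on, so compare the label against the search domains and the DHCP-assigned range rather than treating the private classification as a clean bill of health; the unknown public address in the sample is the case the notes flag for potential malicious redirection.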

Tool Support

| Tool                           | Support                        |
|--------------------------------|--------------------------------|
| macfor                         | Not yet implemented (planned)  |
| scutil (macOS built-in)        | Query DNS configuration        |
| networksetup (macOS built-in)  | Per-interface DNS settings     |
| dscacheutil (macOS built-in)   | DNS cache query                |
