CB Response: How does the Linux sensor perform DNS name resolution?
Article ID: 288169


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How does the Linux sensor perform DNS name resolution?

Environment

  • CB Response Sensor: All Linux versions
  • CB Response Server: All versions

Resolution

  1. The kernel captures DNS response packets for active processes and transfers them to the sensor daemon.
  2. The daemon parses each response and updates its local sensor cache (not to be confused with the OS DNS cache).
  3. The daemon then performs a reverse lookup in its own cache for each netconn, mapping the connection's remote address back to the hostname(s) that resolved to it.

Additional Information

If multiple hostnames are associated with a single address, it means that a process has performed a lookup for each of those hostnames and each of them resolved to that address.
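The following is an added illustration of the three resolution steps and of the multiple-hostnames case described above; it is example code written for this article, not Carbon Black sensor code, and it makes no claim about the sensor's internal data structures. It assumes only A records are of interest, parses DNS responses in standard RFC 1035 wire format (including name compression), keeps a sensor-side cache keyed by IP address, and answers a reverse lookup for a netconn's remote address. All names and addresses are constructed sample data (203.0.113.0/24 is a documentation range).

```python
"""Illustrative model of the sensor's DNS resolution steps (added example,
not Carbon Black sensor code): parse a DNS A-record response, record the
answers in a sensor-side cache keyed by IP address, then resolve a network
connection's remote address back to the hostname(s) that produced it."""
import socket
import struct
from collections import defaultdict


def _read_name(msg, offset):
    """Read a DNS name starting at `offset`, following compression pointers.
    Returns (dotted_name, offset_just_after_the_name_field)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer itself occupies 2 bytes
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns_response(msg):
    """Return [(hostname, ipv4)] for every IN A answer in a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not (flags & 0x8000):  # QR bit clear: this is a query, not a response
        return []
    offset = 12
    for _ in range(qdcount):  # skip the question section
        _qname, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    results = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # IN A
            results.append((name, socket.inet_ntoa(rdata)))
    return results


class SensorDnsCache:
    """Sensor-side cache (step 2): address -> hostnames seen resolving to it."""

    def __init__(self):
        self._by_ip = defaultdict(list)

    def update(self, response_bytes):
        for name, ip in parse_dns_response(response_bytes):
            if name not in self._by_ip[ip]:
                self._by_ip[ip].append(name)

    def reverse_lookup(self, ip):
        """Step 3: hostnames for a netconn's remote address, [] if unknown."""
        return list(self._by_ip.get(ip, []))


def build_response(qname, ips, txid=0x1234):
    """Construct a minimal DNS response (constructed sample input, not captured)."""
    def encode_name(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers


def demo():
    """Two lookups by different processes resolve to one address (constructed)."""
    cache = SensorDnsCache()
    cache.update(build_response("www.example.test", ["203.0.113.10"]))
    cache.update(build_response("cdn.example.test", ["203.0.113.10", "203.0.113.11"]))
    # A netconn to 203.0.113.10 now maps to both hostnames.
    return cache.reverse_lookup("203.0.113.10")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why a single netconn address can carry more than one hostname: both lookups populated the same cache entry, and the reverse lookup returns every name that resolved to that address. An address that no process has looked up returns an empty list, which is why netconns to addresses reached without a DNS lookup (for example, hard-coded IPs) carry no hostname.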