This is not a proper research yet. I just happened to stumble upon an interesting artifact which is a file:<\/p>\n\n\n\n
C:\\Windows\\System32\\dns\\RFC5011.csv<\/pre>\n\n\n\nthat dns.exe<\/em> service process tries to read. <\/p>\n\n\n\n
This csv file appears to be related to DNSSEC, but I don’t know enough about it, plus have not spent enough time analyzing the actual dns.exe<\/em> binary to determine the csv file’s purpose and layout yet. <\/p>\n\n\n\n
BUT<\/p>\n\n\n\n
The code reading this CSV file refers to TrustAnchor<\/em> and TrustPoint<\/em> strings so it’s possible the program is using the content of the file to import a set of trusted public keys utilized by DNSSEC. Which of course could be abused.<\/p>\n\n\n\n
After poking around a bit more, I have created a list of file system-based artifacts that the DNS-related executables and libraries (c:\\Windows\\System32\\dns.exe, c:\\Windows\\System32\\dnscmd.exe, c:\\Windows\\System32\\dnsmgr.dll) touch:<\/p>\n\n\n\n
\n
- C:\\Windows\\System32\\dns\\backup\\boot<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\backup\\boot.first<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\backup\\dns.log<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\boot<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\boot.txt<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\boot.write.error<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\dns.log<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\RFC5011.csv<\/li>\n\n\n\n
- C:\\Windows\\System32\\dns\\TrustAnchors.dns<\/li>\n<\/ul>\n\n\n\n
This is really not very useful yet, but it is a good starting point to dig deeper.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is not a proper research yet. I just happened to stumble upon an interesting artifact which is a file: C:\\Windows\\System32\\dns\\RFC5011.csv that dns.exe service process tries to read. This csv file appears to be related to DNSSEC, but I don’t … Continue reading