How adversaries are using your DNS data

Find out how much can you learn about a company and their employees simply through DNS data?

Hand on backlit keyboard in dark room, representing analysts monitoring DNS data for network security
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

The article examines how adversaries can use corporate DNS logs for reconnaissance by analyzing one business day of DNS queries from a single corporate laptop. It demonstrates real-world risks—revealing personally identifiable information, role-specific access, business application usage, and home-life details—that increase attack surface and enable targeted phishing, malware selection, DNS tunneling, lateral movement, and extortion. The piece concludes with practical mitigations: monitor DNS traffic, reduce unnecessary internal exposure, and protect DNS log storage to limit intelligence leakage.

What specific types of sensitive information were discovered in the DNS logs and how could attackers exploit each type?

The analysis revealed multiple sensitive data types: hostnames exposing device owner and company naming conventions (PII) enabling attackers to target specific users and craft OS-specific malware; high query volume indicating a technical or power user, making them a high-value target and a candidate for DNS tunneling; domains tied to business applications like Dropbox, Slack, Office365, and Adobe, which inform attackers about exploitable application vulnerabilities and make phishing more convincing; and domain access to VMware ESXi, GitHub, and AWS suggesting infrastructure/dev roles, guiding lateral-movement and privilege escalation strategies. Personal browsing (e.g., local soccer clubs) can be used for extortion or social-engineering pretexting.

Why does a high proportion of machine-generated DNS queries increase the risk profile of a device?

A high proportion of machine-generated queries—93% in the analyzed laptop—signals automated services, developer or admin tooling, or background integrations, traits common to power users who often have broader system access. Attackers view these devices as attractive targets because successful compromise can expose more valuable resources and credentials. Additionally, the volume and regularity of automated queries create cover for covert techniques like DNS tunneling, where malicious data is exfiltrated or command-and-control traffic is hidden within otherwise expected DNS traffic, making detection and attribution more difficult.

What practical defenses does the article recommend to reduce the risk of DNS-based reconnaissance and exploitation?

The article recommends three primary defenses: first, analyze and monitor DNS traffic to understand what sensitive information is leaking via queries so you can prioritize remediation. Second, minimize internal exposure by reconfiguring systems and naming conventions to avoid embedding PII or descriptive role/device details unless absolutely necessary. Third, safeguard DNS data by securing storage locations with appropriate access controls and protections to prevent adversaries from obtaining logs. Together these steps limit the intelligence available to attackers and reduce avenues for targeted phishing, malware selection, tunneling, and lateral movement.

“Use DNS data for your network security.”

At BlueCat, we’ve said that countless times. In fact, we talk about the security applications a lot. Whether it’s configuring DNSSEC, leveraging DNS response data, or hardening your security posture, there are endless ways to use DNS data for good.

What we don’t talk about enough is how the bad guys use DNS data. The same way security teams learn revealing details about network traffic, adversaries are using DNS for reconnaissance on enterprises and their employees. The intelligence they gather feeds into their cyber attack strategies.

So how much can you learn about a company and their employees simply through DNS data?

We took one business day’s worth of DNS logs from a corporate laptop, analyzed the data, and were surprised by how much we can learn about one person by just looking at their logs.

Here are the five things we discovered, along with how adversaries may use the intelligence we uncovered.

(Personally) Identifiable Information

Finding: There was a recurring character set in all internal DNS queries which contain the device hostname.

hostname example

What would an adversary do? Many organizations use a common naming convention for devices connected to the network. The hostname often includes details like a user’s name, the company name, and the type of hardware. We found all three of these in the queries we looked at. Having this intelligence gives an adversary two advantages. By knowing the naming convention, they can easily direct their attacks to a specific user’s device on the network. All it takes is a quick Google or LinkedIn search to identify a target. Also knowing the type of hardware, such as PC or Mac, means they can choose malware designed for a specific operating system.

Corporate Power User

Finding: There were 7346 DNS queries from this laptop over eight hours. Only 7%, or 517 queries, were user-generated, making the remaining 93%, or 6829 queries, machine-generated. (Keep in mind that the average corporate laptop generates between 4000 to 5000 queries during a workday.)

What would an adversary do? The high quantity of queries from one device indicates a power user or a technical worker. A user like this typically has access to more backend systems than others. The sheer volume of queries makes this user an ideal target, because more queries can mean more valuable data. Especially when the data comes from one source, it’s less work for an adversary. Another advantage is the opportunity for DNS tunneling. Again, the volume of queries creates an ideal environment for the unwanted traffic to get lost in.

The Suite of Business Applications

Finding: A large percentage of external domains queried included common business applications: Dropbox, Slack, Office365, Outlook, and Adobe.

What would an adversary do? A company’s suite of business applications can be very telling. A view into the software used gives bad actors a sense of what vulnerabilities they can exploit.  Keep in mind that those vulnerabilities are unique for each application. When compounded by the volume of applications across an enterprise, the attack surface becomes larger and creates a more complex environment to secure. In a more tactical fashion, an adversary can use this information to design more effective phishing emails. Business applications become trusted names among an organization’s employees. Sending emails that leverage another company’s familiar brand is a social engineering tactic that often works. It’s a reason why phishing emails are still one of the most common delivery methods for malware.

Unofficial Job Description

Finding: A substantial amount of device- and user-generated queries were directed to VMWare ESXi, GitHub, and AWS domains.

What would an adversary do? The combination of these three domains indicates the scope of the user’s work-related responsibilities. We know that ESXi is a tool for managing virtual machines, GitHub is for software development, and AWS is for cloud services. It is likely this user works with infrastructure and development. Chances are they’re a network engineer or in a similar role. Adversaries can glean the type of access this user has, which helps map their infiltration strategy. This insight is particularly valuable as bad actors plan network lateral movement, a common technique for cyber attacks.

Soccer Family in Toronto

Finding: This user browsed many soccer club websites.

What would an adversary do? This is where things get creepy. Since this observation is very personal in nature, it is particularly useful for more vicious bad actors. By analyzing the soccer club sites, we found several soccer club sites were specific to a Toronto neighbourhood, a good indicator of where this user may reside. Most soccer club sites they visited were exclusively for youth soccer, so it’s highly likely they have kids of their own. The most revealing website was one for an Assyrian athletic club for adults, likely indicating the user’s cultural background. Knowing where this user lives, the fact they have a family, and their ethnicity dramatically ups the creepy factor. An adversary can use personal details like this in extortion tactics or threats.

Independently, each of these findings provides a piece of the puzzle. Together they give us, and adversaries, a full picture of who this user is in the corporate setting and at home. As enterprises learn how to better defend against cyber attacks, adversaries are becoming more sophisticated. DNS data, like the logs we analyzed, provide points of personalization that allow for more targeted attacks.

What You Can Do

Network security has become more challenging as environments have become increasingly complex. Here are a few strategies that can protect against bad actors on your network:

  • Look at your DNS traffic and understand what is exposed in your queries
  • Consider configuring internal systems to expose less unless absolutely necessary
  • Safeguard your DNS data, ensure where it’s being stored is properly protected with adequate security measures

Learn more about how BlueCat secures DNS as part of our intelligent security offering.


Published in:


An avatar of the author

Jadecy Kidane is the Marketing Content Manager at BlueCat.

Related content

BlueCat and Cisco graphic stating “Get DDI data from BlueCat in Cisco Cloud Control” for AI-driven network operations

BlueCat DDI data boosts Cisco Cloud Control AI-driven operations

BlueCat’s integration with Cisco Cloud Control provides AI agents with access to trusted DDI data for network investigation and remediation.

Read more
Flock of geese flying in formation across a blue sky, framed by a pink graphic border, symbolizing coordinated network migrat

Automate your DDI modernization path by migrating with Micetro

Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.

Read more
Close-up of interlocked metal chain links symbolizing connected network objects and relationships in IPAM

How to map your network with user-defined links in Integrity X

Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.

Read more
Three armored figures walking toward a futuristic Las Vegas skyline with pyramids, glowing orb, and "Welcome to Fabulous Las

Your journey to intelligent NetOps begins at Cisco Live

Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.

Read more

📣  Now live: Explore BlueCat Horizon, our SaaS-first Intelligent NetOps platform.