DNS Triage Lab for Beginners (White-Hat, Defensive Workflow)
Practice a safe DNS investigation workflow: observe normal DNS behavior, identify suspicious patterns, collect evidence, and document conclusions without overclaiming.
Prerequisites
- Use only systems and networks you own or are explicitly authorized to test.
- Basic familiarity with networking and logs.
- Willingness to document evidence and assumptions.
1. Lab Goal and Safe Scope
This lab runs in an authorized environment you control — your own VMs, a sample pcap, or test DNS logs. The goal is to compare normal resolver behavior with something suspicious and decide what evidence to collect next.
Do not capture traffic from systems you do not own or explicitly control. If you are using a school or work network, check that you have permission before running any captures.
Before you start, write down what you expect to see. This is not busywork — if the result surprises you, the gap between your hypothesis and what you got is what you actually learned.
2. Evidence Collection Workflow
Collect a short packet capture or DNS log during normal browsing or update activity. Note the resolver IPs, the common domains queried, typical query frequency, and whether responses come back without errors. That sample is your baseline.
Then introduce one controlled variation — repeated lookups of the same domain, a typo domain, or a forced NXDOMAIN — and compare what changes. Look at timing, query names, NXDOMAIN rates, and which host generated the traffic.
If something looks suspicious, correlate with host logs and process context before drawing conclusions. DNS alone points in a direction; it rarely proves intent or impact by itself.
3. What to Write Down
Log timestamps, source host, resolver IP, query names, and any repeated patterns. Write what is observed separately from what is inferred. Mixing the two is the most common mistake in analyst notes and the hardest habit to unlearn later.
End the exercise with a short triage note: hypothesis, evidence checked, confidence level, and next action. The options are usually: close the lead, monitor for recurrence, capture more data, or investigate the host and process context further.
Run the same lab a few more times with different variations. Normal DNS behavior varies more than most beginners expect across different OS versions, browsers, and update services.
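As an added example (not part of the original lab), the workflow in sections 2 and 3 carried out in Python over two constructed resolver-log samples: summarize the baseline fields the lab says to record, report only the observed deltas after the controlled variation, and assemble a triage note that keeps observed and inferred apart. The log format, sample lines, client IPs and field names are all assumptions made for this example.

```python
from collections import Counter
# Constructed resolver-log samples (not real traffic), "<epoch> <client-ip> <qname> <rcode>" per line.
# VARIATION is the same lab with one controlled change: a new client repeating a typo domain.
BASELINE = """1700000001 10.0.0.5 updates.example.com NOERROR
1700000004 10.0.0.7 cdn.example.net NOERROR
1700000009 10.0.0.5 www.example.org NOERROR
1700000040 10.0.0.7 www.example.org NOERROR"""
VARIATION = """1700000101 10.0.0.5 updates.example.com NOERROR
1700000102 10.0.0.9 exmaple.com NXDOMAIN
1700000103 10.0.0.9 exmaple.com NXDOMAIN
1700000104 10.0.0.9 exmaple.com NXDOMAIN
1700000110 10.0.0.7 www.example.org NOERROR"""
NEXT_ACTIONS = ("close the lead", "monitor for recurrence", "capture more data",
                "investigate host and process context")

def parse(sample):
    """(epoch, client, qname, rcode) per line; malformed lines are skipped, never guessed at."""
    rows = [line.split() for line in sample.splitlines()]
    return [(int(p[0]), p[1], p[2].lower().rstrip("."), p[3])
            for p in rows if len(p) == 4 and p[0].isdigit()]

def summarize(recs):
    """Fields the lab says to record: hosts, NXDOMAIN rate, same-host repeats, per-host timing."""
    by_host = {}
    for ts, client, _, _ in recs:
        by_host.setdefault(client, []).append(ts)
    gaps = [b - a for t in by_host.values() for a, b in zip(sorted(t), sorted(t)[1:])]
    return {"queries": len(recs), "hosts": sorted(by_host),
            "nxdomain_rate": round(sum(r[3] == "NXDOMAIN" for r in recs) / len(recs), 2) if recs else 0.0,
            "max_repeat": max(Counter((r[1], r[2]) for r in recs).values(), default=0),
            "min_gap_s": min(gaps, default=None)}

def compare(base, var):
    """Observed deltas only; what they mean is inference and belongs in a separate note field."""
    observed = [f"{k}: {base[k]} -> {var[k]}" for k in ("nxdomain_rate", "max_repeat")
                if var[k] > base[k]]
    if None not in (base["min_gap_s"], var["min_gap_s"]) and var["min_gap_s"] < base["min_gap_s"]:
        observed.append(f"min_gap_s: {base['min_gap_s']} -> {var['min_gap_s']}")
    new_hosts = sorted(set(var["hosts"]) - set(base["hosts"]))
    if new_hosts:
        observed.append("hosts absent from baseline: " + ", ".join(new_hosts))
    return observed

def triage_note(hypothesis, observed, inferred, confidence, next_action):
    """Observed and inferred stay in separate fields; next_action is one of the lab's four options."""
    if next_action not in NEXT_ACTIONS:
        raise ValueError(f"next_action must be one of {NEXT_ACTIONS}")
    return {"hypothesis": hypothesis, "observed": list(observed), "inferred": list(inferred),
            "confidence": confidence, "next_action": next_action}
```

Swap in your own sample text for BASELINE and VARIATION (one query per line in the same four-field layout) to run it against a real authorized capture you have already exported.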
DNS Lab Checklist
- Collect a short, authorized DNS sample from your own lab environment.
- Record baseline resolver IP, common query names, and typical response behavior.
- Introduce one controlled variation and note what changes.
- Correlate any suspicious DNS patterns with host or process logs before concluding.
- Write a triage note with confidence level and a clear next action.
How-To Workflow
- Define your hypothesis and what normal DNS behavior should look like in your lab.
- Collect a short authorized DNS packet capture or DNS log sample.
- Record resolver, source host, common query names, and baseline behavior.
- Introduce one controlled variation and compare timing, query names, and response behavior.
- Correlate suspicious DNS observations with host/process context before concluding.
- Write a short triage note with confidence level and next action.