hack3rs.ca network-security

DNS Triage Lab for Beginners (White-Hat, Defensive Workflow)

Level: Beginner | Study time: 30-60 min | Last reviewed: 2026-02-26

Practice a safe DNS investigation workflow: observe normal DNS behavior, identify suspicious patterns, collect evidence, and document conclusions without overclaiming.

Prerequisites

  • Use only systems and networks you own or are explicitly authorized to test.
  • Basic familiarity with networking and logs.
  • Willingness to document evidence and assumptions.

1. Lab Goal and Safe Scope

This lab teaches DNS triage in an authorized environment you control. The goal is to learn how to compare normal resolver/query behavior with suspicious-looking activity and decide what evidence to collect next.

Use your own lab VM, sample PCAPs, or test DNS logs. Do not test or capture traffic from third-party systems without authorization.

Start by writing a short hypothesis: what do you think you will observe, what would look normal, and what would make you investigate further.

2. Evidence Collection Workflow

Collect a short packet capture or DNS log sample during normal browsing/update activity. Note resolver IPs, common domains, query frequency, and response behavior. This becomes your baseline.

Then introduce a controlled variation in the lab (for example repeated lookups, a typo domain, or failed resolution) and compare what changes. Focus on timing, query names, NXDOMAIN rates, and which host generated the queries.

If something looks suspicious, correlate it with host logs and process context (which process issued the query, what connection followed the answer) before concluding. DNS alone usually tells you which host or domain to look at next; by itself it is rarely proof of malicious behavior.

3. What to Write Down

Record timestamps, source host, resolver, query names, and any repeated patterns. Keep what you observed separate from what you inferred from it. This is the habit that turns tool output into usable defensive notes.

End the lab with a short analyst note: hypothesis, evidence checked, confidence level, and next action (close, monitor, capture more data, or investigate host/process context).

Repeat the lab with different variations over time so you learn how much normal DNS behavior can vary across systems and environments.
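The baseline-then-variation workflow of sections 2 and 3, as an added example (not code from the original page): it parses two constructed log samples, summarizes the per-host facts the lab asks you to write down (query volume, NXDOMAIN rate, resolvers used, the most repeated name, and how bursty the queries are), lists what changed in the variation sample, and drafts the analyst note with observations kept apart from inference. The line format, both log samples, the addresses, and the thresholds are assumptions chosen for illustration, not any real resolver's log format.

```python
# Line format (constructed for this example, not a real resolver's format):
#   <ISO-8601 timestamp> <client ip> <resolver ip> <qname> <qtype> <rcode>
from collections import Counter
from datetime import datetime

# Constructed baseline: ordinary browsing/update lookups from two lab hosts.
BASELINE_LOG = """\
2026-02-20T09:00:01Z 10.0.0.12 10.0.0.1 example.com A NOERROR
2026-02-20T09:00:03Z 10.0.0.12 10.0.0.1 www.example.com A NOERROR
2026-02-20T09:00:15Z 10.0.0.13 10.0.0.1 example.org AAAA NOERROR
2026-02-20T09:00:19Z 10.0.0.12 10.0.0.1 updates.example.net A NOERROR
2026-02-20T09:00:40Z 10.0.0.13 10.0.0.1 cdn.example.org A NOERROR
2026-02-20T09:01:02Z 10.0.0.12 10.0.0.1 example.com A NOERROR
2026-02-20T09:01:30Z 10.0.0.13 10.0.0.1 mail.example.org MX NOERROR
2026-02-20T09:02:11Z 10.0.0.12 10.0.0.1 wrongexample.com A NXDOMAIN
"""

# Constructed variation: host .12 repeats a typo domain through a resolver the
# baseline never saw; host .13 behaves as before.
VARIATION_LOG = """\
2026-02-20T10:00:00Z 10.0.0.12 192.0.2.53 exampel.com A NXDOMAIN
2026-02-20T10:00:01Z 10.0.0.12 192.0.2.53 exampel.com A NXDOMAIN
2026-02-20T10:00:02Z 10.0.0.12 192.0.2.53 exampel.com A NXDOMAIN
2026-02-20T10:00:03Z 10.0.0.12 192.0.2.53 exampel.com A NXDOMAIN
2026-02-20T10:00:05Z 10.0.0.12 10.0.0.1 example.com A NOERROR
2026-02-20T10:00:20Z 10.0.0.13 10.0.0.1 example.org AAAA NOERROR
2026-02-20T10:00:45Z 10.0.0.13 10.0.0.1 cdn.example.org A NOERROR
"""

def parse_log(text):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, resolver, qname, qtype, rcode = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "resolver": resolver,
            "qname": qname.lower().rstrip("."), "qtype": qtype, "rcode": rcode,
        })
    return records

def summarize(records, window_s=10):
    """Per-client facts worth writing down: volume, NXDOMAIN rate, resolvers, burstiness."""
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)
    summary = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        burst = start = 0  # most queries seen inside any window_s-second span
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            burst = max(burst, end - start + 1)
        summary[client] = {
            "queries": len(recs),
            "nxdomain_rate": sum(r["rcode"] == "NXDOMAIN" for r in recs) / len(recs),
            "resolvers": {r["resolver"] for r in recs},
            "top_name": Counter(r["qname"] for r in recs).most_common(1)[0],
            "burst": burst, "window_s": window_s,
        }
    return summary

def compare(baseline, sample, nx_delta=0.25, burst_factor=2):
    """List deviations from baseline per client. These are observations, not verdicts."""
    findings = []
    for client, s in sample.items():
        b = baseline.get(client)
        if b is None:
            findings.append((client, f"no baseline for this host ({s['queries']} queries)"))
            continue
        if s["nxdomain_rate"] - b["nxdomain_rate"] >= nx_delta:
            findings.append((client, f"NXDOMAIN rate {b['nxdomain_rate']:.0%} -> {s['nxdomain_rate']:.0%}"))
        if s["resolvers"] - b["resolvers"]:
            findings.append((client, f"new resolver(s) {sorted(s['resolvers'] - b['resolvers'])}"))
        if s["burst"] >= burst_factor * b["burst"]:
            findings.append((client, f"burst {b['burst']} -> {s['burst']} queries per {s['window_s']} s"))
        name, n = s["top_name"]
        if n >= 3 and n / s["queries"] >= 0.5:
            findings.append((client, f"{name} is {n} of {s['queries']} queries"))
    return findings

def triage_note(hypothesis, findings):
    """Draft the end-of-lab note: observed vs inferred, confidence, next action."""
    if not findings:
        return f"Hypothesis: {hypothesis}\nObserved: no deviation from baseline\nNext action: close"
    hosts = ", ".join(sorted({c for c, _ in findings}))
    observed = "\n".join(f"  - {c}: {what}" for c, what in findings)
    return (f"Hypothesis: {hypothesis}\nObserved (DNS only):\n{observed}\n"
            f"Inferred: DNS behavior on {hosts} differs from baseline; cause unknown\n"
            f"Confidence: low (no host/process evidence yet)\n"
            f"Next action: collect process and connection context on {hosts}")

if __name__ == "__main__":
    base, var = summarize(parse_log(BASELINE_LOG)), summarize(parse_log(VARIATION_LOG))
    print(triage_note("a typo domain shows up as a burst of NXDOMAIN from one host", compare(base, var)))
```

The thresholds (a 25-point jump in NXDOMAIN rate, a burst twice the baseline, one name making up at least half of a host's queries) are deliberately coarse starting points; the lab's point is that you tune them against your own baseline, and that every finding ends in a next action on the host rather than a verdict from DNS alone.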

DNS Lab Checklist

  • Capture or collect a short authorized DNS sample.
  • Document baseline resolver behavior and common query patterns.
  • Introduce one controlled variation and compare results.
  • Correlate suspicious DNS findings with host/process evidence.
  • Write a short triage note with confidence and next step.

How-To Workflow

  1. Define your hypothesis and what normal DNS behavior should look like in your lab.
  2. Collect a short authorized DNS packet capture or DNS log sample.
  3. Record resolver, source host, common query names, and baseline behavior.
  4. Introduce one controlled variation and compare timing, query names, and response behavior.
  5. Correlate suspicious DNS observations with host/process context before concluding.
  6. Write a short triage note with confidence level and next action.
