Contents

How to List DNS Resolvers Across All Mac and Linux Devices

Using Kolide, you can easily view and query DNS Resolvers across your fleet.

Introduction

DNS is the system by which names (like kolide.com) are translated into IP addresses. DNS resolvers specify which DNS server should be used for different network addresses. Organizations may want to specify different DNS resolvers to resolve domain names that may be hosted behind a VPN or otherwise resolvable by public internet DNS servers.

What DNS Resolver Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect DNS Resolvers from Mac and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

DNS Resolvers Schema

Column	Type	Description
id	Primary Key	Unique identifier for the object
device_id	Foreign Key	Device associated with the entry
device_name	Text	Display name of the device associated with the entry
address	Text	Resolver IP/IPv6 address
netmask	Text	Address netmask length. When using sortlist, this might look something like `sortlist 192.168.1.0/24 10.0.0.0/16`, where 192.168.1.0/24 and 10.0.0.0/16 are the network address/netmask pairs.
options	Text	The binary representaion that is the bit mask containing the bitwise "OR" of the options enabled. Run `man resolver` for a list of resolver options
resolver_order	Integer	Address type index or order
resolver_type	Enum::Text	The type of DNS resolver Can be one of the following: `nameserver` - Server that the system should use for domain name resolution `sortlist` - Used to move matching IP addresses in DNS responses to the front of the result list with the intention that applications will use them preferentially `search` - A list of domains to be appended to hostnames that are not fully qualified, in order to resolve them into IP addresses
collected_at	Timestamp	Time the row of data was first collected in the database
updated_at	Timestamp	Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

List public DNS nameservers used by the host

Kolide SQL

SELECT *
FROM device_dns_resolvers
WHERE NOT (
    address::inet <<= '192.168.0.0/16' OR
    address::inet <<= '10.0.0.0/8' OR
    address::inet <<= '127.0.0.0/8' OR
    address::inet <<= '172.16.0.0/12'
) AND device_dns_resolvers.resolver_type = 'nameserver';

Example Results

id	address	netmask	options	device_id	updated_at	device_name	collected_at	resolver_type	resolver_order
3	8.8.8.8	32	11011000001	2	2023-12-17T00:26:39.906Z	Jasons-MacBook-Pro-2	2023-12-17T00:26:39.906Z	nameserver	0

Why Should I Collect DNS Resolvers?

Collecting DNS resolvers can help IT administrators ensure that computers are correctly configured to successfully access internal or otherwise non-public resources, such as company IRC, database or git servers.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

DNS resolvers are unlikely to contain personal information, unless you have a unique DNS resolver setup for personal or private reasons.

When you use Kolide to list DNS Resolver data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.