The value of passive DNS
Various organizations run databases to which Passive DNS “sensors” upload data. One of the most popular and best known is Farsight Security’s Passive DNS database, DNSDB. DNSDB contains data collected over several years by sensors all over the world. Other organizations running Passive DNS databases include the website VirusTotal, now owned by Google; the German consulting company BFK; the Computer Incident Response Center Luxembourg, CIRCL; and Estonia’s Computer Emergency Response Team, CERT-EE.
Queries of Passive DNS databases can yield a wealth of useful information. For example, you could query a Passive DNS database to determine what a DNS query for the A records attached to www.infoblox.com returned in April 2012, what name servers infoblox.com has used since then, or what other zones use that same set of name servers. Perhaps more significantly, you could take an IP address you know is malicious and find all the domain names that Passive DNS sensors have recently seen mapped to that IP address.
Here are some of the many uses of Passive DNS:
- Passive DNS databases allow the near-real-time detection of cache poisoning and fraudulent changes to delegation. An organization could periodically query a Passive DNS database to find what addresses its critical domain names currently map to, according to Passive DNS sensors. Any variation from the mappings in authoritative zone data could be an indication of compromise.
- Farsight Security periodically scrapes the newest domain names from DNSDB. These are domain names that were first seen by sensors in the last 15 minutes, hour, or other interval. It turns out there’s a high correlation between brand-new domain names and malicious activity. New domains are often briefly used in phishing campaigns or the like, then simply discarded. And the cost of temporarily blocking the few legitimate domain names that happen to have appeared in the last 15 minutes is small. Farsight can provide organizations with a feed of these newest domain names, enabling administrators to block their resolution.
- If the Passive DNS database supports fuzzy or Soundex matching, an organization could periodically query that database for domain names that use or sound like its trade names and identify potential infringement.
- Once an IP address or name server is marked as malicious, it’s easy to use a Passive DNS database to identify other domain names that map to that IP address, or other zones hosted by that name server, which may also be malicious.
- By monitoring changes to A and AAAA records and zone NS records over time, it’s easy to identify domain names using techniques such as fast flux to help phishing and malware sites evade detection. Legitimate domain names (except for those used for load balancing and distribution) won’t change their addresses very frequently, and most legitimate zones rarely change their name servers.