Passive DNS has become one of the most powerful tools in the defender's arsenal. The concept was created in 2004 to help mitigate the threat of malware, and it is now used for that and for many other purposes. Passive DNS data can help detect when trojans have infiltrated your system and are trying to call out, can help detect and mitigate covert communications from your infrastructure, can provide insights into what known bad actors are up to, and, when correlated with other information, can provide actionable information on where the next attack against your system will be coming from. It can also help mitigate the threats of “shadow domain”, “typo squatting” and related attacks, where an adversary produces a website at an address similar to that of a legitimate organization. Passive DNS also has roles to play in mitigating phishing attacks, especially when integrated with operational enterprise solutions.
At its core, Passive DNS is a DNS database that can be referenced and correlated with other information. It is a repository of the history of DNS lookups, stored in a way that lets defenders see time-stamped information on server-to-server communications. A key use case of passive DNS data is to take an IP address known to be malicious and then find all the domain names that Passive DNS sensors have mapped to that IP address. This can help identify who is infected with malware and who is benefiting from the malware.
Passive DNS also helps enable near-real-time detection of fraudulent changes to the DNS system, including attacks like cache poisoning. It can also enable solutions that help identify newly registered domains (which have a higher likelihood of being used for fraud). Passive DNS can also contribute to solutions that thwart domain infringement or copycat fraud. It is also a great way to identify other sites and servers being used by malicious actors and can help identify and bring down infrastructure that supports phishing attacks.
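The pivot described above (known-bad IP address to every domain seen resolving to it, then on to other servers those domains have used) can be sketched as follows. This is an added example, not code from PassiveTotal or any passive DNS product; the observation tuples, the `.example` names and the documentation-range IP addresses are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sensor observations: (unix time, queried name, record type, answer).
# Names use the reserved .example TLD and IPs come from documentation ranges.
OBSERVATIONS = [
    (1700000000, "login-portal.example.", "A", "203.0.113.7"),
    (1700003600, "cdn-update.example.", "A", "203.0.113.7"),
    (1700007200, "login-portal.example.", "A", "203.0.113.7"),
    (1700010800, "login-portal.example.", "A", "198.51.100.22"),
    (1700014400, "intranet.example.", "A", "192.0.2.10"),
]


def build_store(observations):
    """Collapse raw observations into one row per (name, type, answer)."""
    store = {}
    for ts, rrname, rrtype, rdata in observations:
        key = (rrname.lower().rstrip("."), rrtype, rdata)
        row = store.setdefault(key, {"first_seen": ts, "last_seen": ts, "count": 0})
        row["first_seen"] = min(row["first_seen"], ts)
        row["last_seen"] = max(row["last_seen"], ts)
        row["count"] += 1
    return store


def domains_for_ip(store, ip):
    """Pivot: every name that sensors saw resolve to this IP, with its time window."""
    return {name: row for (name, rrtype, rdata), row in store.items()
            if rrtype in ("A", "AAAA") and rdata == ip}


def related_ips(store, ip):
    """Second pivot: other IPs used by the names that pointed at the known-bad IP."""
    names = set(domains_for_ip(store, ip))
    return sorted({rdata for (name, rrtype, rdata) in store
                   if name in names and rrtype in ("A", "AAAA") and rdata != ip})


def iso(ts):
    """Render a unix timestamp as a UTC ISO 8601 string for analyst output."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    store = build_store(OBSERVATIONS)
    for name, row in sorted(domains_for_ip(store, "203.0.113.7").items()):
        print(name, iso(row["first_seen"]), iso(row["last_seen"]), row["count"])
    print("related IPs:", related_ips(store, "203.0.113.7"))
```

The first-seen and last-seen window on each row is what lets an analyst match a resolution to the time of an incident rather than to whatever the name resolves to today.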
The basic Passive DNS architecture is a replication technique where inter-server DNS messages are captured by sensors. When a computer asks a recursive DNS server for a lookup, the server will check its own cache but also frequently checks with the root name servers to make sure it knows who holds the data for the domain (in the graphic example below, the .com name server). After finding out who is responsible for the domain needed, it puts the computer requester in contact with it. Passive DNS collection with well-placed collection sensors sees this traffic:
One of the most powerful analyst tools leveraging Passive DNS capabilities is PassiveTotal.org. They describe Passive DNS as:
A system of record that stores DNS resolution data for a given location, record and time period. To best understand passive DNS, one must first understand how DNS works and the value it brings to Internet users. A good way to think about DNS is to look at the contacts application on your mobile phone. Rather than remember your friend's cell phone number, you can simply assign it to a contact name and use that to place any calls. DNS works like a contact application for the Internet. Instead of having to remember IP addresses for all the websites you wish to access, DNS makes them available using domain names which are arguably easier to remember and less likely to change.
As an example, let's take passivetotal.org. At the time of writing this page, if we query passivetotal.org, we will be returned back the IP address of 184.108.40.206. In DNS, this is known as an “A” record and is one of many different record types including, but not limited to AAAA (IPv6), MX (mail), NS (nameserver), and TXT (text). Each record type is used for a different purpose and in theory, could be stored within a passive DNS database.
We will provide more info on how to tap into this type of data for your own analysis in the next post in this series.