CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

Home » Cyber War » Cyber Security » What is Passive DNS and how do you leverage it in research?

What is Passive DNS and how do you leverage it in research?

Passive DNS has become one of the most powerful tools in the defenders arsenal. The concept was created in 2004 to help mitigate the threat of malware but is now used for that and far more use cases. Passive DNS data can be used to help detect when trojans have infiltrated your system and are trying to call out, can help detect and mitigate covert communications from your infrastructure, can help provide insights into what known bad actors are up to, and, when correlated with other info, provide actionable information on where the next attack against your system will be coming from. It can also help mitigate the threats of “shadow domain” or “typo squatting” or related attacks where an adversary produces a website that is at a similar address to a good organization. Passive DNS also has roles to play in mitigating phishing attacks, especially when integrated with operational enterprise solutions.

The way this works, basically, is a DNS database that can be referenced and correlated with other info. This is a repository of the history of DNS lookups stored in a way that defenders can use to see time stamped information on server to server communications. A key use case of passive DNS data is to take an IP address known to be malicious and then find all the domain names that Passive DNS sensors have mapped to that IP address. This can help identify who is infected with malware and help identify who is benefiting from the malware.

Passive DNS also helps enable near real time detection of fraudulent changes to the DNS system, including attacks like cache poisoning. And it can enable solutions that help identify newly registered domains (which have a higher likelihood of being used for fraud. Passive DNS can also contribute to solutions that thwart domain infringement or copycat fraud. It is also a great way to identify other sites and servers being used by malicious actors and can help identify and bring down infrastructure that supports phishing attacks.

The basic Passive DNS architecture is a replication technique where inter-server DNS messages are captured by sensors. When a computer asks a recursive DNS server for a lookup, it will check its own cache but also frequently checks with the root name servers to make sure it knows who holds the data for the domain (in the graphic example below, the .com name server). After finding out who is responsible for the domain needed it puts the computer requester in contact with it. Passive DNS collection with well placed collection sensors sees this traffic:

passive-dns

 

One of the most powerful analyst tools leveraging Passive DNS capabilities is PassiveTotal.org They describe Passive DNS as:

A system of record that stores DNS resolution data for a given location, record and time period. To best understand passive DNS, one must first understand how DNS works and the value it brings to Internet users. A good way to think about DNS is to look at the contacts application on your mobile phone. Rather than remeber your friends cell phone number, you can simply assign it to a contact name and use that to place any calls. DNS works like a contact application for the Internet. Instead of having to remember IP addresses for all the websites you wish to access, DNS makes them available using domain names which are arguably easier to remember and less likely to change.

As an example, lets take passivetotal.org. At the time of writing this page, if we query passivetotal.org, we will be returned back the IP address of 45.55.77.126. In DNS, this is known as an “A” record and is one of many different record types including, but not limited to AAAA (IPv6), MX (mail), NS (nameserver), and TXT (text). Each record type is used for a different purpose and in theory, could be stored within a passive DNS database.

We will provide more info on how to tap into this type of data for your own analysis in the next post in this series.

Find more reports at:

 

Track the most disruptive technologies by diving into our categorized index:

Artificial Intelligence Companies – A fast overview of Artificial Intelligence companies we believe are poised to cause the most positive disruption in the enterprise.

Big Data Companies – Reference to the greatest, most disruptive Big Data companies in the tech ecosystem.

Business Intelligence Companies – We assess these to be the Business Intelligence Companies most impactful for delivering real decision advantage.

Cybersecurity Companies – We apply our deep expertise in cybersecurity to assessing the best across multiple categories including:

Cloud Computing Companies – We include both platform and software as a service providers, capturing only the most innovative and disruptive.

Collaborative Tool Companies – These are the firms that help humans connect to humans to create, manage and lead.

Infrastructure Companies – Critical enterprise foundations for business agility.

IoT Companies – Internet of Things and Industrial Internet of Things are here. How do you manage them?

Mobile Companies – Help manage, configure, secure and optimize these very powerful capabilities.

Robotics Companies – Including innovations in Robotic Process Automation, Drones, and industrial robotics.

Services Companies – We only track a few, the ones we really know well.

Tech Titans – These are the big players. We track the tech titans closely since their capabilities change continuously.

VC, PE and Finance Companies – Keeping an eye on the investors can give indications of coming developments.

You can also use our topical pages to get up to speed quickly on the current status of the major megatrends. See our pages on Cloud ComputingArtificial IntelligenceMobilityBig DataRoboticsInternet of ThingsCybersecurity and Blockchain and Cryptocurrencies.

We also provide special pages focused on high interest topics, including Science FictionEntertainmentCyber WarTech CareersTraining and Education and Tech Tips.

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Decision Advantage With Innovative Enterprise Software

For over 10 years CTOvision has consistently provided strategic context on the nature of technology and how to best leverage it for your personal and business objectives.  We maintain the site in a way meant to help you find insights you need as fast as possible. To kick off a search use the search box […]

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

Mitigating Advanced Threats with Scalable and Automated Malware Analysis: An interview of Chad Loeven and Mike Hylton

Mitigating Advanced Threats with Scalable and Automated Malware Analysis: An interview of Chad Loeven and Mike Hylton Scalable automated malware analysis has become a critical component of enterprise defense. When properly implemented it can be key to mitigating malware threats that otherwise bypass perimeter defenses. In this post we provide context enterprise architects and security […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

More Content

Cyber War

SciFi

Science Fiction Gadgets You Can Get Today

Technology is advancing pretty fast, at times influenced by the exciting world of Science Fiction. This video captures 10 of the tech developments first seen in SciFi that are available now. A key point of this, if you want to know what is in our future, watch more SciFi!  

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]