Passive DNS

Simply put, passive DNS is a system of record that stores DNS resolution data for a given location, record and time period. To best understand passive DNS, one must first understand how DNS works and the value it brings to Internet users. A good way to think about DNS is to look at the contacts application on your mobile phone. Rather than remember your friends cell phone number, you can simply assign it to a contact name and use that to place any calls. DNS works like a contact application for the Internet. Instead of having to remember IP addresses for all the websites you wish to access, DNS makes them available using domain names which are arguably easier to remember and less likely to change.

As an example, lets take passivetotal.org. At the time of writing this page, if we query passivetotal.org, we will be returned back the IP address of 45.55.77.126. In DNS, this is known as an "A" record and is one of many different record types including, but not limited to AAAA (IPv6), MX (mail), NS (nameserver), and TXT (text). Each record type is used for a different purpose and in theory, could be stored within a passive DNS database.

In order to collect this DNS information, a sensor is typically installed on the local network and setup to recieve DNS requests as they happen. It's worth noting that the sensor will only record DNS traffic that occurs on the local network, and not for the entire Internet. However, programs like RiskIQ's DNSIQ™ allow organizations to install a sensor on their network that reports back to RiskIQ and in exchange, the organization gains access to all the passive DNS traffic inside the central repository.

So why do we need a database of this data? Doesn't DNS keep track of changes? Yes and no. DNS records can and will change often, but there's no centralized historical repository. In fact, once a change has been made to a DNS record, it will propograte across the Internet and the previous record will be gone forever. Imagine you get a breach notification for your network. Listed in the notifcation is a domain name and time period. The first logical question may be to ask what IP address that domain was pointing to at the time of the breach and if any other domains were pointing there too. Without a historical repository, how would you answer that question? Answer, you couldn't.

Keeping this data inside of a database gives analysts insight as to how a particular domain names changes over time and provides a way to identify other related domains/IP addresses. Going back to the breach notification example, an analyst could take the domain, search for it within passive DNS and identify the history of IP addresses it resolved to over time. Those IP addresses could then be queried as well to find more domains that may be related to the larger attack.

results matching ""

    No results matching ""