The DNS service implemented for the whole Internet is very efficient. Using distributed databases and multi-level caching systems, it can handle a very large amount of domains, FQDN, clients and requests. The robustness of DNS is evident.
DNS is a real-time service, you need to resolve a domain name into an IP address to reach a website, you perform the request and very quickly receive an answer, either directly from the cache or through the complete resolution principle. So how can you go back to the past? How to see the variations? How to track the freshness of a domain?
For security reasons you may be interested in having DNS-related information by timeframe, to see the entropy, the deformation, to estimate a risk, perform forensic analysis and potentially take countermeasures in a timely manner.
Passive DNS solution provides a way to view past events and perform a good deal of analysis. Even if It is not a totally accurate solution with 100% coverage, it allows valuable studies to be made.
How does it work?
Passive DNS captures sufficient DNS information for building a timeline. It can be implemented directly in a recursive DNS or analyze raw network traffic using a wire analyzer to extract only the DNS information of value. Generally, the captured traffic is filtered out in order to retain only the following information from query and answer:
- record type (can limit only to A/AAAA, but ideally keep all record types)
- answer content
It is not important to keep track of the client address and can take a large amount of storage. In a specific private environment this may help perform forensic analysis: who has requested what and when.
With only one point of capture, the view is quite partial, so the analysis can be limited. If we multiply the capture points all over the world, we can have very accurate coverage, because analysis involves most kinds of traffic. The Passive DNS offers you may find on the market are using a lot of capture points from various sources, regions and ISPs. The information can be stored in a centralized database, once captured and cleaned, in order to have better accuracy.
How to exploit data?
The more information you have in the database, the finer and richer the analysis you can perform. It can provide valuable details to answer the following questions:
- Is a domain name utilized on the network?: if you do find an entry for a domain or a FQDN, then it exists or has existed. The collected timestamp is important for showing the freshness of the information, like first seen and last seen. If you do not find the information in the database, it may not exist or just has never been requested. Here the amount of DNS traffic seen is important for accuracy.
- What is the freshness of a domain/FQDN?: when was the first occurrence of a DNS request on this FQDN. You will not have its appearance timestamp, but when the first request was made.
- What FQDN is behind an IP address?: since the passive DNS kept the answer of A/AAAA queries, it may provide this reverse search information. This can be different from the PTR record associated with the IP address. This can help performing forensics on a destination address of a traffic seen in a firewall log, or if the origin of an attack is coming from a server hosting specific public services. Some IP addresses are hosting a lot of FQDNs, so there are possibilities for hosting companies providing a PaaS service at very low cost but also some hacking activity, spamming hosting or SEO backlinking farm.
- Has a domain changed from authoritative location?: by analyzing the NS records for a specific domain, you may see if it is moving between DNS authoritative servers. If the NS server is belonging to a registrar, then probably the domain property has changed. A cross-check with a WHOIS database can be interesting in that case.
- Does a FQDN migrate between IP addresses?: this can be linked to a specific hosting on a CDN service or usage of a GSLB service. But this can also be linked to a fast flux, the same domain changing hosting resource very quickly in order not to be filtered by firewalls for example.
- Do domains similar to my brand name exist?: in order to perform a phishing campaign or get some illegitimate traffic, it can be useful to use a domain name which is close to the attacked brand, changing only one letter, inverting 2 letters or using some proximity of letters on the keyboard. Using fuzzy search around the real brand domain name it can be possible to find some similar ones that are clearly targeting such attacks or fraudulent activities and ask the registrar for suppression.
- Auditing my CNAME records: with automation processes it may happen that a CNAME created for a specific usage and pointing to a cloud resource is no longer coherent. To avoid hijacking of the hosting resource and take advantage of the CNAME, passive DNS service can be used to perform regular audits of all the FQDNs using a specific domain name that may have been used for an event, a promotion, or any ephemeral activity.
More information from a very early paper on this passive dns subject by Florian Weimer in 2005: “Passive DNS Replication“.