paint-brush
3 Best DNS History Lookup and Checker Resources for Cybersecurityby@WhoisXMLAPI
12,584 reads
12,584 reads

3 Best DNS History Lookup and Checker Resources for Cybersecurity

by WhoisXML APIApril 24th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

For a long time, there were no practical ways to trace or recount prior Domain Name System (DNS) records in any DNS zone. So when cybersecurity teams were investigating a suspicious IP address, they couldn’t see all of the domain names that it had resolved to in the past. This predicament left many stones unturned.

Company Mentioned

Mention Thumbnail
featured image - 3 Best DNS History Lookup and Checker Resources for Cybersecurity
WhoisXML API HackerNoon profile picture

For a long time, there were no practical ways to trace or recount prior Domain Name System (DNS) records in any DNS zone. So when cybersecurity teams were investigating a suspicious IP address, they couldn’t see all of the domain names that it had resolved to in the past. This predicament left many stones unturned.

Then passive DNS came along, making it possible to dig into the DNS history of IP addresses and domain names connected to them. This intelligence has since become essential in the fight against cybercrime and led to the development of some of the best DNS history lookup resources available on the market today:

  • Reverse IP/DNS Lookup: A DNS history checker that provides quick access to all domain names that have been connected to an IP address along with the relevant timestamps. The report it generates is well-formatted and shareable. Since it is a web-based application, users can readily use it as is.
  • Reverse IP/DNS API: The information that can be retrieved from Reverse IP/DNS Lookup is also available via an API for easy integration for product developers and managers into existing commercial security platforms and in-house software. The API outputs are available in either JSON or XML, with code samples ready for most major programming languages.
  • DNS Database Download: With more than 2 billion hostnames and over 500 billion historic DNS lookups, this massive repository is a handy resource for threat hunting and defense. The database can be downloaded in CSV format and can prove invaluable in enriching threat intelligence platforms and security information and event management (SIEM) systems.

Now that we have introduced these products, let’s look more closely at what they can bring to the table through brief cybersecurity demonstrations.

The Power of Passive DNS for Cybersecurity Illustrated

Consider the scenario where your existing threat intelligence platform (TIP) detects the malicious IP address 5[.]2[.]78[.]19. This IP address is tagged as an indicator of compromise (IoC) associated with a credit card skimmer found on the Tupperware website.

Integrating Reverse IP/DNS API into a threat intelligence platform would enable security teams to see all domains connected to the malicious IP address. For our IoC, the program detected seven domains that resolve to the IP address, including servic-authenticdf[.]ml, mabanquexcvbnpparibas[.]ml, and stuckonyou[.]club. While this doesn’t mean that all connected domains are malicious, it’s worth looking into each of them.

Similarly, DNS Database Download can reveal domains and IP addresses used by threat actors. This information can be fed directly into a domain & IP reputation scoring system to make the products more accurate. Let’s take the domain name fanohuse[.]com, which resolves to the following IP addresses as revealed by DNS Database Download:

All IP addresses are tagged as suspicious on TIP and VirusTotal. Additionally, take note that when you filter the database to show all domains associated with the suspicious IP addresses, another domain name comes into the picture, that is, americaonlineinstantmessenger[.]com.

Why would such an association exist? A possible reason is that while threat actors use sophisticated methodologies and technologies, they often reuse their infrastructure to save on costs. Therefore, it would be logical to warn clients about the domain names associated with IP addresses when developing a domain and IP reputation scoring system. That way, your product can effectively cover all possible attack vectors. Even developers of TIPs and SIEM systems can use the database or its API version to make their products more comprehensive and reliable.

Passive DNS is a powerful resource for cybersecurity. That is why solutions such as Reverse IP/DNS Lookup, its API counterpart, and DNS Database Download may be worth looking into, especially when developing cybersecurity products. In the same way, enterprises that want to enrich their existing security systems can conduct DNS history lookups to establish relationships between domains and IP addresses.