8 Common DNSDB "Pivots" for Threat Hunting


Introduction

A fundamental passive DNS skill used in threat hunting is the ability to go from a starting indicator (such as an IP address or domain name) to other potentially related resources. This process is normally referred to as "pivoting."

In this blog article, we'll discuss eight common passive DNS pivots that most cybersecurity analysts have in their "bag of tricks."

We'll include an example for each pivot, running those examples using Farsight's dnsdbq command line interface client. If you'd like to try Farsight DNSDB, you can sign up for a free trial here.

Pivot I: FQDN –> IPs

If you've got a fully qualified domain name (FQDN), the natural thing to do is to see what IP address it resolves to. If you don't have access to passive DNS, you can use dig to resolve a name manually:

$ dig www.farsightsecurity.com A +short
104.244.13.104

The passive DNS equivalent of that is:

$ dnsdbq -r www.farsightsecurity.com/A -S
;; record times: 2015-04-01 13:07:24 .. 2018-04-13 22:15:51
;; count: 46179; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  A 104.244.13.104

;; record times: 2013-09-25 20:02:10 .. 2015-04-01 09:51:39
;; count: 5059; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  A 66.160.140.81

;; record times: 2013-07-01 17:37:26 .. 2013-09-24 17:14:08
;; count: 164; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  A 149.20.4.207

Note that we get information for how that domain name resolves NOW, but we can ALSO see how that name resolved over time.

We can also go from a domain name to an IPv6 address:

$ dig www.farsightsecurity.com AAAA +short
2620:11c:f004::104

The passive DNS equivalent of that domain name to IPv6 address is:

$ dnsdbq -r www.farsightsecurity.com/AAAA -S
;; record times: 2015-04-09 13:31:11 .. 2018-04-13 17:56:46
;; count: 16750; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  AAAA 2620:11c:f004::104

;; record times: 2013-09-30 01:06:34 .. 2015-03-31 19:40:14
;; count: 651; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  AAAA 2001:470:b0::81

;; record times: 2013-07-01 17:37:25 .. 2013-09-20 15:07:54
;; count: 46; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  AAAA 2001:4f8:1:66::207
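Pivot I makes the point that DNSDB returns the whole observation history, not just the current answer, yet the grep/awk pipelines used in the later pivots throw away the ";; record times" and ";; count" lines. The POSIX sh helper below is an added example (not from the article and not part of dnsdbq): it parses the presentation output shown above into tab-separated records and then answers "what did this name resolve to on a given date?". The function names are my own, and the embedded sample is copied from the Pivot I output so it runs without DNSDB access.

```shell
# Added helper, not from the article or Farsight's dnsdbq: parse the presentation
# format shown above into TAB-separated records, then ask what a name resolved
# to on a given date. Sample copied from the Pivot I output so it runs offline.
sample_pivot1() {
  cat <<'EOF'
;; record times: 2015-04-01 13:07:24 .. 2018-04-13 22:15:51
;; count: 46179; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  A 104.244.13.104

;; record times: 2013-09-25 20:02:10 .. 2015-04-01 09:51:39
;; count: 5059; bailiwick: farsightsecurity.com.
www.farsightsecurity.com.  A 66.160.140.81
EOF
}
# dnsdbq_flatten: stdin = dnsdbq output; stdout = first<TAB>last<TAB>count<TAB>name<TAB>rrtype<TAB>rdata
dnsdbq_flatten() {
  first=; last=; count=
  set -f                                  # no glob expansion while word-splitting
  while IFS= read -r line; do
    case "$line" in
      ';; record times: '*) rest=${line#';; record times: '}
                            first=${rest%% .. *}; last=${rest#* .. } ;;
      ';; count: '*)        rest=${line#';; count: '}; count=${rest%%;*} ;;
      ';;'*|'')             ;;            # other comment or blank separator
      *)                    set -- $line  # name rrtype rdata...
                            name=$1; rrtype=$2; shift 2
                            printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
                              "$first" "$last" "$count" "$name" "$rrtype" "$*" ;;
    esac
  done
  set +f
}
# ymd: "2015-04-01 13:07:24" -> 20150401, so dates compare with -le
ymd() { d=${1%% *}; r=${d#*-}; printf '%s%s%s' "${d%%-*}" "${r%%-*}" "${r#*-}"; }
# dnsdbq_at DATE: keep flattened records whose observation window covers DATE (YYYY-MM-DD)
dnsdbq_at() {
  want=$(ymd "$1"); tab=$(printf '\t')
  while IFS=$tab read -r first last count name rrtype rdata; do
    if [ "$(ymd "$first")" -le "$want" ] && [ "$want" -le "$(ymd "$last")" ]; then
      printf '%s %s %s\n' "$name" "$rrtype" "$rdata"
    fi
  done
}
# Usage: what did www.farsightsecurity.com resolve to in mid-2014?
sample_pivot1 | dnsdbq_flatten | dnsdbq_at 2014-06-01
```

For live use, replace sample_pivot1 with the actual dnsdbq command; the same two functions work on the rdata (-n) and range (-i) output of the later pivots, since the format is identical.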

Pivot II: IP –> Domain names

If we have an IP address, either as the original starting "clue" or as output from another pivot, we can resolve the IP to a domain name. If you don't have passive DNS access, you can check to see if an inverse address ("in-addr" or "PTR" record) exists:

$ dig -x 104.244.13.104 +short
archive.farsightsecurity.com.

If you don't routinely work with DNS, you may be surprised to see that while

www.farsightsecurity.com --> 104.244.13.104

the reverse (PTR) lookup gives

104.244.13.104 --> archive.farsightsecurity.com.

(and not www.farsightsecurity.com)

Let's see what unique names DNSDB shows as living on that IP address (we'll use grep to drop blank lines and comments):

$ dnsdbq -i 104.244.13.104 | grep -v ";;" | grep -v "^$" | sort -u
archive.farsightsecurity.com.  A  104.244.13.104
farsighsecurity.com. A 104.244.13.104
farsightsecurity.com. A 104.244.13.104
fastrpz.com. A 104.244.13.104
fsi.io. A 104.244.13.104
olddocs.fsi.io. A 104.244.13.104
www.farsighsecurity.com. A 104.244.13.104
www.farsightsecurity.com. A 104.244.13.104
www.fastrpz.com. A 104.244.13.104
www.fsi.io. A 104.244.13.104

Passive DNS obviously tells us a lot more about what's been seen on that IP address than "regular DNS" can! In some cases, you may find hundreds or even thousands of domains on just a single IP!

Pivot III: IP Address Range –> Domain names

Sometimes an entity of interest may have been given more than one IP to use. If we're looking for related domains, it can be helpful to check out the entire encompassing netblock.

Continuing to use Farsight's own address space for this example, let's check DNSDB to see what domain names have been seen using the 104.244.13.100 to 104.244.13.110 address range in the last week:

$ dnsdbq -i 104.244.13.100-104.244.13.110 -A7d | grep -v ";;" | grep -v "^$" | sort -u
archive.farsightsecurity.com. A 104.244.13.104
dl.farsightsecurity.com. A 104.244.13.105
dnsrpz.info. A 104.244.13.106
farsightsecurity.com. A 104.244.13.104
fastrpz.com. A 104.244.13.104
fsi.io. A 104.244.13.104
web1.pao1.fsi.io. A 104.244.13.108
www-dyn.farsightsecurity.com. A 104.244.13.107
www.farsighsecurity.com. A 104.244.13.104
www.farsightsecurity.com. A 104.244.13.104
www.fsi.io. A 104.244.13.104

While we specified an arbitrary network address range in this example, we could also have specified an IPv4 CIDR netblock or an IPv6 CIDR netblock instead.

This ability to get domain names associated with an IP address range is a very powerful passive DNS capability!

Important caveat: When looking at the hostnames "found" within an IP address range, note that any domain name owner can point one of their hostnames "at" any IP address of their choice. This can include IP addresses that don't belong to them. The fact that they've done this doesn't necessarily mean that there's anything actually related to that hostname at that IP! Interpret your output skeptically.

Pivot IV: *.domain –> Domain names

Sometimes you may know a base domain name, but you may not know the hostnames below that domain name. Fortunately, passive DNS can help:

$ dnsdbq -r \*.farsightsecurity.com -A7d | grep -v ";;" | grep -v "^$" | \
awk '{print $1}' | sort -u
archive.farsightsecurity.com.
back.farsightsecurity.com.
dl.farsightsecurity.com.
farsightsecurity.com.
front.farsightsecurity.com.
info.farsightsecurity.com.
lists.farsightsecurity.com.
my.farsightsecurity.com.
support.farsightsecurity.com.
www-dyn.farsightsecurity.com.
www.farsightsecurity.com.

Pivot V: Domain –> nameservers, then find other domains using the same nameservers

Another way to discover associated domains is to look at shared name servers. For example, pretend that we're curious about Smithsonian Institution-related domains. Starting with the Smithsonian's primary domain, si.edu, we check to see their current nameservers:

$ dnsdbq -r si.edu/NS -S -l 1 | grep -v ";;"
si.edu.  NS  si-names1.si.edu.
si.edu.  NS  si-names2.si.edu.

Decoding the new parameters used in that line: -S means "sort descending by time", and -l 1 means "limit to just one observation." Combined, this means "show me just the most recent observation."

Armed with that knowledge, we can then look to see what other domains also use one of those name servers:

$ dnsdbq -n SI-NAMES1.si.edu/NS | grep -v ";;" | grep -v "^$" | \
awk '{print $1}' | sort -u
111.160.in-addr.arpa.
21cmcosmology.org.
21stmuseum.com.
21stmuseum.info.
21stmuseum.mobi.
21stmuseum.net.
21stmuseum.org.
3d-smithsonian.com.
3d-smithsonian.net.
3d-smithsonian.org.
3dsmithsonian.com.
[* * *]
zoogoer.org.

In this case we found 315 domains in all!

Pivot VI: Domain –> MX record, then search the right hand side ("rdata") for other matching values

We can determine that smtp.uoregon.edu is the mail exchanger for the uoregon.edu domain:

$ dnsdbq -r uoregon.edu/MX | grep -v ";;"
uoregon.edu.  MX  0 smtp.uoregon.edu.

Armed with that knowledge, are there any other domains that also use smtp.uoregon.edu as their mail exchanger? Let's check DNSDB rdata for matches (note the -n instead of the -r in the following command):

$ dnsdbq -n smtp.uoregon.edu/MX -l 1000000 | grep -v ";;" | grep -v "^$" | awk '{print $1}' | sort -u
aaa.uoregon.edu.
competitionnotconflict.com.
competitionnotconflict.org.
daisy.uoregon.edu.
darkwing.uoregon.edu.
dibels.uoregon.edu.
donald.uoregon.edu.
faraday.uoregon.edu.
gladstone.uoregon.edu.
greennano.org.
image.uoregon.edu.
imap.uoregon.edu.
jcomm.uoregon.edu.
jwj.uoregon.edu.
law.uoregon.edu.
lcbmail.uoregon.edu.
math.uoregon.edu.
molbio.uoregon.edu.
network-services.uoregon.edu.
oemba.uoregon.edu.
orcis.uoregon.edu.
oregon.uoregon.edu.
pop.uoregon.edu.
rowell.uoregon.edu.
safernano.com.
smtp.uoregon.edu.
sojc-jsites1.uoregon.edu.
uoduckstore.com.
uoregon.edu.
virt-www.uoregon.edu.
www.uoregon.edu.

Pivot VII: FQDN –> CNAME record, then search the right hand side ("rdata") for other matching values

CNAME records are also often productive pivot targets. For example, assume we're looking at www.uoregon.edu, and notice that that name is CNAME'd to another name:

$ dnsdbq -r www.uoregon.edu -A7d | grep -v ";;"
www.uoregon.edu.  CNAME  drupal-cluster5.uoregon.edu

We can then check to see what other hosts are also connected to that same CNAME target:

$ dnsdbq -n drupal-cluster5.uoregon.edu/CNAME -l 1000000 | grep -v ";;" | grep -v "^$" | awk '{print $1}' | sort -u
economicimpact.uoregon.edu.
m.uoregon.edu.
www.uoregon.edu.
www1.uoregon.edu.
www2.uoregon.edu.

Note: Not really a "pivot" per se, but if we notice a name ending in a small integer value, it will often be helpful to also check other small integer value permutations of that name. That is, having seen drupal-cluster5.uoregon.edu, we'd probably also investigate drupal-cluster1.uoregon.edu, drupal-cluster2.uoregon.edu, drupal-cluster3.uoregon.edu, drupal-cluster4.uoregon.edu etc.

Pivot VIII: [hostname].* –> find specified hostname in other TLDs

We may be interested in seeing if "variant" names exist in other TLDs with the same starting label as a primary domain. For example, we're all familiar with www.paypal.com, but are there "other" www.paypal domains in different TLDs? I bet there will be. Let's check, limiting the output to just the last 48 hours. [Note: this query will take longer to return results than the previous queries.]

$ time dnsdbq -r www.paypal.* -A48h | grep -v ";;" | grep -v "^$" | awk '{print $1}' | sort -u > www.paypal.txt

real	2m42.167s
[...]

That command finds 254 hits, including:

www.paypal.ad.
www.paypal.am.
www.paypal.at.
www.paypal.be.
www.paypal.bg.
www.paypal.bt.
www.paypal.ca.
www.paypal.ch.
www.paypal.cm.
www.paypal.cn.
www.paypal.co.
www.paypal.co.il.
[etc]

Conclusion

We hope you've found this summary of eight common DNSDB "pivots" to be helpful and instructive. DNSDB truly has the ability to take a small starting "clue" and amplify that tremendously. It is a very powerful and useful tool for cybersecurity analysts. Why don't you check it out today?

Joe St Sauver Ph.D. is a Distinguished Scientist with Farsight Security, Inc.
