
DNSDB 2.0 Flexible Search is Now Available!

I. Introduction

In August 2020, we first announced our plans for DNSDB 2.0 and the day has arrived! DNSDB®, our flagship passive DNS database, is receiving a huge 2.0 update today with Flexible Search. Additionally, we’ve released new tools to improve the workflows of security professionals everywhere. The new DNSDB 2.0 Flexible Search features and tools are now available to all DNSDB enterprise and trial API key holders at no additional cost.

Flexible Search adds both Regular Expressions and Globbing support to the DNSDB API to expand the types of search queries and add more control to searches. Previously, DNSDB queries could not contain pattern matching values and metacharacters, but Flexible Search bakes these capabilities right in.

As we increasingly rely on online services and introduce more networked devices to our workspaces (especially this year), it becomes easier for bad actors to mask their activities behind seemingly random domain traffic and to commit fraud on larger scales. Flexible Search’s addition to DNSDB enables threat investigators to cover more ground against these growing threats more quickly.

Flexible Search allows for broader queries than before. If you have ever wanted to use DNSDB to hunt for the output of a domain generation algorithm or for sequentially enumerated hosts, now you can. You can also search for brand names and keywords; the first three examples below are Regular Expressions and the last three are Globs:

  • .*rolex.*
  • p(a|o)ypal
  • wel{3,6}sfargo
  • *airpods*
  • *.covid??*
  • *ballot*

The power and utility of being able to search DNSDB with pattern matching capabilities cannot be overstated. It’s simply a must-have for security professionals, threat hunters, and researchers everywhere.
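To make the two pattern syntaxes concrete, here is an added example (not code from the original post and not Farsight's own implementation) that runs the six patterns above over a constructed list of DNS names and shows what each one selects. Two details are assumptions of this example rather than documented DNSDB behaviour: a Regular Expression is applied unanchored (so p(a|o)ypal matches anywhere in the name), and in a Glob both * and ? may match a dot. Note in particular that wel{3,6}sfargo requires three to six l's, so it catches the typosquat welllsfargo but not the genuine wellsfargo.

```python
import re

# Constructed sample of DNS names standing in for DNSDB RRnames.
# Illustrative only; none of these are taken from DNSDB output.
SAMPLE_NAMES = [
    "www.rolex.com",
    "rolex-replica-watches.example",
    "paypal.com",
    "secure-poypal-login.example",
    "wellsfargo.com",              # two l's: NOT matched by wel{3,6}sfargo
    "welllsfargo.example",         # three l's: matched
    "airpods-pro-sale.example",
    "cheap-airpods.example",
    "covid19-relief.example",      # no ".covid" in the name, so *.covid??* misses it
    "test.covid19.example",
    "info.covid.example",          # "??" consumes ".e" here (assumed glob rules)
    "ballot-tracker.example",
    "example.com",
]


def glob_to_regex(glob: str) -> str:
    """Translate a Glob (only '*' and '?' are special) into an anchored regex.

    Assumption of this example: '*' matches any run of characters and '?'
    exactly one character, both including '.'; every other character is
    literal. Check the DNSDB API documentation for its own Glob rules.
    """
    out = []
    for ch in glob:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def flex_match(pattern: str, mode: str, names=SAMPLE_NAMES):
    """Return the names that `pattern` selects, in input order.

    mode == "regex": unanchored search (assumption of this example), so
                     p(a|o)ypal matches anywhere in the name.
    mode == "glob":  the whole name must match the Glob.
    """
    if mode == "regex":
        rx = re.compile(pattern)
        return [n for n in names if rx.search(n)]
    if mode == "glob":
        rx = re.compile(glob_to_regex(pattern))
        return [n for n in names if rx.match(n)]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for pat, mode in [(".*rolex.*", "regex"), ("p(a|o)ypal", "regex"),
                      ("wel{3,6}sfargo", "regex"), ("*airpods*", "glob"),
                      ("*.covid??*", "glob"), ("*ballot*", "glob")]:
        print(f"{mode:5} {pat:16} -> {flex_match(pat, mode)}")
```

The info.covid.example hit is the caveat to remember: a ? is not a "letter or digit" wildcard, so a pattern like *.covid??* also pulls in names where the two characters after covid are a dot and the start of the next label. Tighten the pattern, or filter the results, when that is not what you want.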

III. Early Adopter Program Recap

Over the last two months, we’ve been hosting an Early Adopter Program for DNSDB 2.0 Flexible Search. We’re pleased to say that everyone involved helped put Flexible Search through its paces and the feedback has been wonderful.

We’re thankful to the individuals and organizations that tried the new features and gave us insight into their threat analysis workflows. Their feedback was instrumental in shaping Flexible Search and confirmed that it’s a tool that security professionals need to have at the ready.

IV. New Documentation

New API Documentation is available for integrators and API clients with custom workflows around DNSDB. The documentation covers the 2.0 API revision as well as all of the new Flexible Search features with examples and use cases.

If you are new to using Regular Expressions and Globbing, or are wondering which one is better for certain situations, we have some guides available too:

V. New Tools

Alongside the new API features come new tools to use them.

dnsdbflex is a sister tool to dnsdbq that uses Flexible Search. Similar to dnsdbq, dnsdbflex is a C program for making Regular Expression and Globbing queries to the DNSDB API – perfect for server-based workflows and automation. The source code for dnsdbflex is available for compilation and contributions.

DNSDB Scout has received an update that adds a new workspace for making Flexible Search queries. This update is available now across both the Mozilla Firefox add-on and Google Chrome extension (which also works in Brave!) as well as the website version.

The update to DNSDB Scout includes an additional “Keyword” syntax for making brand name searches more easily in Flexible Search. Try a keyword like “rolex”, “airpods”, or “peloton” – you might be surprised at what you find.

VI. New Workflows

Flexible Search is an addition to DNSDB, which means there are now two ways to make a DNSDB query: Standard and Flexible. These two searching methods are complementary and can be linked with “pivots”.

Resources and guides on Standard Search pivoting exist, but Flexible Search adds an additional layer of workflow possibilities.

Standard Search is best used for exact or near-exact queries – cases where you already have a FQDN or CIDR range as a starting point for an investigation and need more information. For example, a query for www.farsightsecurity.com or 104.244.14.108/28 will give you matches in that “space” that are tightly related.

Flexible Search is best used for broader queries – things that are fuzzy or have a lot of combinations and permutations. Something like the Regular Expression search for

 .*fars(i|1|l)ghtsecurity.* 

or a Globbing search for a brand name can express a lot of possible domain labels across a wide range of results which may not be directly related.

Results from a Flexible Search query, like the ones seen above, will be exact enough to then input or “pivot” into a Standard Search or to use on their own. Flexible Search is effectively a force multiplier for Standard Search because you can chain them together in combinations, or use one as a lead finder for the other.

Tools like dnsdbflex can help automate Flexible Search queries into Standard Search queries by way of its “batch” output format mode. You can design your own workflow around these two searching methods to fit your needs.

As a rule of thumb, if you see something interesting in Flexible Search then you can drill down to Standard Search for more information – like Counts, First and Last Seen timeframes, and the associated RRNames or full RData. Or, you can use Standard Search and Flexible Search independently depending on the situation.
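dnsdbflex can write batch lines itself, but the same pivot is easy to script for hits gathered some other way (for example copied out of DNSDB Scout). The following added example is not code from the original post or from dnsdbflex; it takes constructed Flexible Search hits and turns them into de-duplicated Standard Search queries. An RRname hit becomes an rrset lookup (which is where the Counts, First and Last Seen, and full RData come from), an RData hit becomes an rdata lookup, with addresses routed to an IP lookup. The rrset/name, rdata/name and rdata/ip line syntax is assumed here from dnsdbq's batch input format; confirm it against the dnsdbq manual for your version before piping into dnsdbq -f.

```python
import ipaddress

# Constructed Flexible Search hits standing in for what an rrnames search and
# an rdata search might return. Illustrative only, not DNSDB output.
FLEX_RRNAME_HITS = [
    "secure-poypal-login.example.",
    "SECURE-POYPAL-LOGIN.EXAMPLE.",     # same name, different case: must collapse
    "welllsfargo.example.",
]
FLEX_RDATA_HITS = [
    "ns1.welllsfargo.example.",         # e.g. a name seen in NS rdata
    "192.0.2.10",                       # e.g. an address seen in A rdata
    "2001:db8::10",                     # e.g. an address seen in AAAA rdata
]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so duplicate hits collapse."""
    return name.rstrip(".").lower()


def batch_line(value: str, source: str) -> str:
    """Turn one Flexible Search hit into one Standard Search batch query.

    rrname hit -> rrset/name/NAME   (owner-name lookup)
    rdata hit  -> rdata/ip/ADDR for IPv4/IPv6 addresses, rdata/name/NAME otherwise
    Line syntax assumed from dnsdbq's batch input (-f); verify for your version.
    """
    if source == "rrname":
        return f"rrset/name/{normalize(value)}"
    if source == "rdata":
        try:
            ipaddress.ip_address(value)          # raises ValueError for names
            return f"rdata/ip/{value}"
        except ValueError:
            return f"rdata/name/{normalize(value)}"
    raise ValueError(f"unknown source {source!r}")


def pivot_queries(rrname_hits, rdata_hits):
    """Build an ordered, de-duplicated list of batch lines from flex hits."""
    seen = set()
    out = []
    for source, hits in (("rrname", rrname_hits), ("rdata", rdata_hits)):
        for hit in hits:
            line = batch_line(hit, source)
            if line not in seen:
                seen.add(line)
                out.append(line)
    return out


if __name__ == "__main__":
    # Write these lines to a file or pipe them to dnsdbq in batch mode.
    print("\n".join(pivot_queries(FLEX_RRNAME_HITS, FLEX_RDATA_HITS)))
```

De-duplicating before the Standard Search step matters for quota: every line is a separate query against your account, and Flexible Search results routinely contain the same name in different case or with and without the trailing dot.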

For more examples and a deeper explanation on Flexible Search pivoting and workflow use-cases please take a look at our new documentation and information on our resources page. If you’ve already developed a pivoting workflow around DNSDB Standard Search don’t worry – it’s not going anywhere.

VII. New Insights

Guides, tutorials, case studies, and presentations using Flexible Search will be showcased on our blog and resources pages. Last month, Dr. Joseph St Sauver presented a showcase on DNSDB 2.0 and discussed many use cases for Flexible Search.

With Flexible Search in-hand we’re confident that security professionals and researchers will be able to perform their work with more speed and depth than before.

VIII. Give it a try!

All DNSDB 2.0 functionality, including Flexible Search, is available for all DNSDB account and Trial API key holders today, free of additional charge. DNSDB Community Edition is limited to Standard Search and does not include Flexible Search.

DNSDB’s 10th anniversary gift to all new customers is a free Enterprise Block Query quota of 10,000 additional queries. You can use these queries in addition to a normal DNSDB account and API key to help supplement intermittent and bursting usage patterns typical for sudden investigations.

For more information about becoming an API trial user or a DNSDB customer to gain access to the full DNSDB 2.0 API, please fill out the form on our Order Services page or get in contact with our Sales Team at sales@farsightsecurity.com.

Tyler Wood is a Software Toolmaker with Farsight Security, Inc.