Introduction to DNS Changes
By Henry Stern
Farsight Security recently added a new channel to the Security Information Exchange (SIE) called DNS Changes. This channel combines data from Farsight's Passive DNS channels and DNSDB product to find never-before-seen DNS Resource Record Sets (RRSets), checking each observation against a pool of about 30 billion known RRSets in DNSDB. We reduce our ~200,000 message per second passive DNS data to a comfortable rate of ~350 messages per second, low enough that you can do just about any processing that you want without breaking a sweat.
DNS Changes also includes extended information about why a DNS RRSet is new. The message tells you whether the base domain name, the hostname, or the Resource Record Type (RRType) is new, and which of the individual Resource Records in the RRSet are new.
This data is quite interesting from a security practitioner's perspective. Consider the relatively common attack scenario in which a domain owner's account is compromised at their registrar or DNS provider. The attacker either adds new hostnames beneath the domain, changes existing resource records, or changes the name server entry for the domain and hijacks it entirely. DNS Changes lets you see these attacks as they happen: it alerts you to the new hostname's creation and tells you which part of the response has changed.
You can make use of the extended information in DNS Changes to find threats that would be very difficult to find any other way. Because the data rate is low and you can see whether or not a hostname previously existed, you can track how often a domain name has changed recently. Fast Flux Service Networks are very easy to spot because their records change so frequently.
You can also combine this information with Farsight's DNSDB to see what a changed record was previously. Drop everything whose RRType has been previously seen to find only the changes, filter out records belonging to the major content delivery networks, and you end up with about 20 changes per second. Look up the most recent entry of that type for that hostname in DNSDB and you can watch the Internet change in real time.
You can see suspicious-looking domain names moving around:
name=smupcbphdbfh.lori-amber.us. type=A rdata=184.108.40.206 old_rdata=220.127.116.11
name=137junkkari.ukkomentor.com. type=A rdata=18.104.22.168 old_rdata=22.214.171.124
name=managemen.weeksdegreechoice.com. type=A rdata=126.96.36.199 old_rdata=188.8.131.52
And you can see records at dynamic DNS providers change:
name=midimaniacs.no-ip.org. type=A rdata=184.108.40.206 old_rdata=220.127.116.11
And you can even see changes to the hosting providers of domains as they happen:
name=gentlemarketing.com. type=A rdata=18.104.22.168 old_rdata=22.214.171.124
name=gentlemarketing.com. type=NS rdata=ns1.wppampering.com.,ns2.wppampering.com. old_rdata=ns1.nathanbriggs.com.,ns2.nathanbriggs.com.
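To make the three uses above concrete (spotting new hostnames, spotting name server changes, and counting how often a base domain changes), here is an added Python example. It is not part of this post or of Farsight's SIE tooling: it parses records in the key=value layout shown in the sample output above (the real channel is delivered as NMSG, so this line format is an assumption for illustration), and the extra sample records, the documentation-range addresses, the `flux_threshold` parameter and the label-counting `base_domain` helper are all constructed for the demo.

```python
"""Parse DNS Changes-style records and flag the patterns described above.

Constructed example: the key=value line layout mirrors the sample output in
the post, not the channel's NMSG wire format. Sample lines marked as
constructed use RFC 5737 documentation addresses.
"""
from collections import Counter

SAMPLE_LINES = [
    # Lines taken from the post's sample output
    "name=smupcbphdbfh.lori-amber.us. type=A rdata=184.108.40.206 old_rdata=220.127.116.11",
    "name=gentlemarketing.com. type=A rdata=18.104.22.168 old_rdata=22.214.171.124",
    "name=gentlemarketing.com. type=NS rdata=ns1.wppampering.com.,ns2.wppampering.com. "
    "old_rdata=ns1.nathanbriggs.com.,ns2.nathanbriggs.com.",
    "name=midimaniacs.no-ip.org. type=A rdata=184.108.40.206 old_rdata=220.127.116.11",
    # Constructed lines: one base domain changing repeatedly, one brand-new hostname
    "name=a1.flux-example.test. type=A rdata=198.51.100.10 old_rdata=198.51.100.11",
    "name=a2.flux-example.test. type=A rdata=198.51.100.12 old_rdata=198.51.100.13",
    "name=a3.flux-example.test. type=A rdata=198.51.100.14 old_rdata=198.51.100.15",
    "name=newhost.example.test. type=A rdata=203.0.113.5",  # no old_rdata: never seen before
]


def parse_record(line):
    """Turn one 'key=value key=value ...' line into a dict.

    rdata and old_rdata may hold several comma-separated values (e.g. an NS
    RRSet), so they are returned as lists. A record with no old_rdata is an
    RRSet that has never been observed for that name and type.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r} in {line!r}")
        fields[key] = value
    for key in ("rdata", "old_rdata"):
        if key in fields:
            fields[key] = fields[key].split(",")
    fields["is_new_hostname"] = "old_rdata" not in fields
    return fields


def base_domain(name, depth=2):
    """Crude base-domain extraction (assumed helper): keep the last `depth` labels.

    Adequate for the demo; a real deployment would consult the Public Suffix
    List so that names under e.g. co.uk are grouped correctly.
    """
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def classify(records, flux_threshold=3):
    """Apply the checks the post describes to a batch of parsed records.

    Returns a dict with:
      ns_changes    - (name, old_rdata, rdata) for every changed NS RRSet,
                      the signal for a hosting move or a hijack
      new_hostnames - names whose RRSet had never been seen before
      flux_suspects - base domains with at least flux_threshold changed
                      records in this batch (a sliding time window would
                      replace the batch in production)
    """
    ns_changes, new_hostnames = [], []
    per_base = Counter()
    for rec in records:
        per_base[base_domain(rec["name"])] += 1
        if rec["is_new_hostname"]:
            new_hostnames.append(rec["name"])
        elif rec["type"] == "NS":
            ns_changes.append((rec["name"], rec["old_rdata"], rec["rdata"]))
    flux_suspects = sorted(d for d, n in per_base.items() if n >= flux_threshold)
    return {
        "ns_changes": ns_changes,
        "new_hostnames": new_hostnames,
        "flux_suspects": flux_suspects,
    }


def analyze_lines(lines, flux_threshold=3):
    """Parse and classify a list of record lines."""
    return classify([parse_record(line) for line in lines], flux_threshold)


if __name__ == "__main__":
    result = analyze_lines(SAMPLE_LINES)
    for name, old, new in result["ns_changes"]:
        print(f"NS change: {name} {','.join(old)} -> {','.join(new)}")
    for name in result["new_hostnames"]:
        print(f"new hostname: {name}")
    for dom in result["flux_suspects"]:
        print(f"frequently changing base domain: {dom}")
```

Run against a live feed, the interesting choice is the window behind `flux_suspects`: the post's point is that the low message rate makes keeping per-domain change counters over minutes or hours cheap, so the batch counter above is the one piece you would swap for a time-bucketed counter.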
With the increase in domain hijacking attacks, Farsight's DNS Changes service is perfectly positioned to detect them in real-time. To learn more about Farsight's DNS Changes and other unique and valuable products we offer, please do not hesitate to contact us.
We look forward to hearing from you.
Henry Stern is a Senior Distributed System Engineer for Farsight Security, Inc.