Threat Hunting Using DNS: A Masterclass with Paul Vixie and Ben April: May 1st, 2019 12-6 p.m. ET Hyatt Regency Tyson's Corner Center, VA - Space is limited. Register today!

DNS Changes channel monitors DNS and alerts of attacks

The Security Challenge

Cybercriminals change DNS records to hijack domains and redirect traffic to malicious websites

The Internet and the Domain Name System (DNS) are continually changing; domains are constantly created and existing ones are frequently modified. Cybercriminals change DNS records to hijack domains and redirect traffic to malicious websites.

The redirected traffic bypasses their hosts leaving organizations unaware that traffic is being diverted. This leaves businesses and customers at great risk.

The Farsight Solution

DNS Changes channel

provides real-time visibility into changes made to DNS.

Whenever a new domain is created or a domain’s configuration changes, the DNS Changes channel highlights that change in real-time. This lets organizations easily monitor their DNS worldwide and alert on unauthorized changes due to operational accidents — or an attack.

The data is collected from the Farsight global DNS sensor array. The DNS Changes channel contains more than 200,000 observations per second to provide a holistic view of all DNS changes including:

  • Hostnames - also known as fully qualified domain names (FQDNs)
  • Name servers
  • DNSSEC records
“Farsight’s DNS Changes is the authoritative source of changes in Internet infrastructure.”

Chief Scientist
Security Company

Request demo

How Does It Work?

DNS Changes Identifies Domain Hijacking

DNS Changes scheme

A resource record (RR) is a single DNS record.
A resource record set (RRset) consists of all the resource records of a given type for a given rrname.

When the DNS Changes channel detects a never-before-seen RRset, it publishes that RRset to Channel 214 on SIE. It also annotates novel information about each RRset. These include individual RRs that have not been seen before and whether the RRset has changed from those previously seen for a Fully Qualified Domain Name (FQDN).

Data is presented as a time-stamped RRset, providing full context for observed changes as well as critical information for security investigators and operational change management.

The DNS Changes channel is provided on the Farsight Security Information Exchange (SIE) platform.

It reports on global changes when existing domains purposely, inadvertently or maliciously:

  • Move to a new IP address
  • Use different name servers
  • Use a new mail exchange
  • Start using IPv6 or DNSSEC

Case study

ThreatConnect case study
ThreatConnect, Inc. Case Study

ThreatConnect used Farsight Security's DNSDB™ to investigate Anthem breach-related activity.

Download
Red Canary case study
Red Canary, Inc. Case Study

Red Canary uses Farsight Newly Observed Domain (NOD) to enrich and confirm their findings during an investigation.

Download

Resources

From the blog

Want to learn more?

Protect against cybercriminal activity in real-time.

Request a free demo