eBook Now Available: Using Farsight Passive DNS for Incident Response - Download now!

← Farsight Blog

Farsight Security Introduces Faster, More Advanced Search Capabilities for DNSDB

By

RSS

Sometimes it only takes one look-alike domain name to instigate the penetration of an entire network. Investigators now have additional choices for analyzing suspicious domain names and IP addresses with enhanced DNSDB search options.

According to the 2019 Verizon DBIR, the gap between compromise and detection remains wide – more than half of the breaches took months to discover. Abusing the Domain Name System (DNS) is one way cybercriminals remain stealth. For example, they will buy, use, and discard thousands of domain names for their malicious campaigns. They also “hide in plain sight” by sharing DNS-assets used by other bad guys.

Farsight Security DNSDB®, the world’s largest historical Passive DNS database, is used by Fortune 500 and government agency security teams around the world to uncover shared malicious infrastructure and gain new insights on today’s threats. The breadth of our geographical coverage, wide range of DNS records and high performing, scalable infrastructure has made DNSDB the leading passive DNS solution. Yet since a single query to the database can deliver up to a million responses or more, investigators needed the ability to access information specific to their incident more quickly and easily.

What’s New

Farsight Security is continuously developing new ways to increase the value and usability of its real-time and historical DNS Intelligence data for its customers. Today Farsight Security has announced the following new DNSDB search features:

  • Volume Across Time: Traditionally, when a user queries DNSDB to ask “what are all the RRdata records for www.example.com”, the results have included an aggregated observation count. This means you could get the total number of times the record has been observed, but not when it was observed. With the new Volume Across Time feature, users can search when a domain name was resolved in the DNS across the full-time range covered within DNSDB, which goes back to 2010. Investigators can now answer questions like, "Was a domain parked for a long time, mostly unused, until it was repurposed for serving malware or relaying spam, but then was abandoned again?” It allows them to see if a record was observed heavily in the last week vs. having been observed constantly for years.

Figure 1. DNSDB Scout is one of the many ways you can access the Volume Across Time feature to see if a record was observed heavily over shorter periods of time.

  • Estimation of Result Size: DNSDB can now provide a single summarized snapshot for a given query. At a glance, it provides information on when a given domain name, IP address or other DNS asset was first-seen, last-seen and the total number of observations seen by Farsight’s global sensor network. By evaluating the total count, investigators can now quickly determine whether more investigation is needed.

Figure 2. Estimation of Result Size enables a single results snapshot for a given query.

  • Incremental Result Transfers: With this new feature, DNSDB users can now view more of the available results for a single query - past the previous limit of one million rows. Combined with the existing ability to define the number of responses to be displayed for a given query, this new feature allows users to “skip” a defined number of rows in the output – not constrained by the one million row limit, and then display starting at those rows and up to the limit. This allows users of DNSDB to more specifically target and access the information they need for their investigations.

Figure 3. The Incremental Result Transfers feature allows queries to go beyond a client's results limit.

Availability

This newly enhanced version of DNSDB is now available to all DNSDB customers. Customers can query DNSDB directly via the RESTful API at https://api.dnsdb.info, or by utilizing one of the many DNSDB API Clients and integrations. DNSDB Scout, Farsight’s browser extension for both Google Chrome and Mozilla Firefox, has been updated to support the new features, and can be downloaded from the Google Chrome Web Store or the Mozilla Firefox Add-Ons site respectively. dnsdbq, Farsight’s command line client written in C, has also been updated and is available on GitHub.

If you would like to learn more about DNSDB, please visit Farsight Security at Black Hat USA at Booth #1303 next week or our Get Started page, where you can also signup for a free 30-day trial API key. You can also contact our sales team at 650-489-7919.

Karen Burke is the Director of Corporate Communications for Farsight Security, Inc.

← Blog Home