
Why Passive DNS Matters in Cybersecurity

Jonathan Zhang

Imagine a scenario. Your website analytics show that your page has stopped receiving visitors, yet there are no complaints that your domain is unreachable. Strange, isn't it? You are certainly wondering: What's going on? Where are my customers?

What has happened is that you are facing the consequences of a lack of domain name system (DNS) security. More specifically, you have fallen victim to a DNS cache poisoning attack, in which threat actors gain control over the DNS server and alter its settings in order to direct users to the wrong, malicious address.

The good news is that several techniques have been developed to avoid or investigate such issues, and leveraging passive DNS is among the most promising. We discussed this point, among many others, in our Domain Name System Primer whitepaper and summarize some of the most important aspects in this article.

What Is Passive DNS?

Passive DNS is a tool that maintains DNS resolution data for a specific record, location, and time frame. This historical resolution capability allows analysts to see which domains resolved to a given IP address, and when. Furthermore, the datasets can be used to correlate time-based details on domain or IP overlaps.

How Does Passive DNS Work?

Until passive DNS was introduced, there was no way for users to check the history of DNS lookups, because every change to a DNS record erased the previous details forever. This was a problem, especially for experts who wanted, for instance, to analyze the list of domains a threat actor may have resolved in the past.

Passive DNS changed that: it stores the history of DNS lookups (the details of domains, IP addresses, and servers involved in DNS communications) in so-called passive DNS databases. The data in these repositories is indexed, so historical records can be accessed whenever needed.
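To make the "store, never overwrite" idea concrete, here is an added example (not code from the article or from the author's product) of a minimal in-memory passive DNS store. It takes sensor observations of the form (timestamp, name, type, answer), aggregates them into records carrying first_seen, last_seen and a hit count, and indexes them both by name and by answer so that history and reverse lookups are possible. The record layout, the observations and the hostnames and addresses are constructed for the example.

```python
"""Minimal passive DNS store (added example): aggregates sensor observations
into (rrname, rrtype, rdata) records with first_seen / last_seen / count,
and indexes them by name and by answer so history can be queried."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PdnsRecord:
    rrname: str      # queried name, e.g. "shop.example.test"
    rrtype: str      # record type, e.g. "A", "NS"
    rdata: str       # answer data, e.g. "198.51.100.20"
    first_seen: int  # unix timestamp of first observation
    last_seen: int   # unix timestamp of most recent observation
    count: int       # number of observations


class PassiveDnsStore:
    def __init__(self):
        self._records = {}                 # (rrname, rrtype, rdata) -> PdnsRecord
        self._by_name = defaultdict(set)   # rrname -> set of record keys
        self._by_rdata = defaultdict(set)  # rdata  -> set of record keys

    def observe(self, ts, rrname, rrtype, rdata):
        """Ingest one (timestamp, name, type, answer) tuple seen by a sensor.
        Nothing is overwritten: a changed answer becomes a new record next to
        the old one, which is exactly what preserves the history."""
        rrname = rrname.lower().rstrip(".")
        key = (rrname, rrtype.upper(), rdata)
        rec = self._records.get(key)
        if rec is None:
            rec = PdnsRecord(rrname, rrtype.upper(), rdata, ts, ts, 0)
            self._records[key] = rec
            self._by_name[rrname].add(key)
            self._by_rdata[rdata].add(key)
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.count += 1
        return rec

    def history(self, rrname, rrtype=None):
        """All answers ever observed for a name, oldest first."""
        rrname = rrname.lower().rstrip(".")
        recs = [self._records[k] for k in self._by_name.get(rrname, ())]
        if rrtype:
            recs = [r for r in recs if r.rrtype == rrtype.upper()]
        return sorted(recs, key=lambda r: r.first_seen)

    def names_for(self, rdata):
        """Reverse lookup: every name that ever resolved to this answer."""
        return sorted({self._records[k].rrname for k in self._by_rdata.get(rdata, ())})


# Constructed sample observations (arbitrary unix timestamps, documentation IPs).
SAMPLE_OBSERVATIONS = [
    (1_700_000_000, "shop.example.test", "A", "198.51.100.20"),
    (1_700_003_600, "shop.example.test", "A", "198.51.100.20"),
    (1_700_007_200, "shop.example.test", "A", "203.0.113.77"),  # answer changed
    (1_700_007_300, "login.other.test", "A", "203.0.113.77"),   # shares the new IP
    (1_700_000_500, "example.test", "NS", "ns1.example.test"),
]


def build_sample_store():
    store = PassiveDnsStore()
    for obs in SAMPLE_OBSERVATIONS:
        store.observe(*obs)
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for r in s.history("shop.example.test", "A"):
        print(f"{r.rrname} {r.rrtype} {r.rdata} first={r.first_seen} "
              f"last={r.last_seen} n={r.count}")
    print("names that resolved to 203.0.113.77:", s.names_for("203.0.113.77"))
```

The point of the two indexes is that the same data answers both questions analysts ask: "what did this name resolve to over time?" (history) and "what else resolved to this address?" (names_for). A production store would persist the records and also keep the sensor location, but the aggregation logic is the same.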

How Can Passive DNS Augment Cybersecurity Measures?

Now that we know what passive DNS is capable of, let's take a look at how it can assist experts in reinforcing their organization's online security.

Fraud detection

Passive DNS can help detect fraudulent changes made to DNS records. Companies leveraging this tool can also get up-to-date information on domain names and learn which ones are new. This can prove vital, as many threat actors register new domains for illegal purposes.

Identifying target connections

Knowing which domains are connected to dangerous addresses is crucial in resolving certain cybercrime investigations and discovering malicious networks. Passive DNS can map out all of the domains associated with a target and highlight which of them are infected with malware. Furthermore, these links can be used by cyber analysts to unveil entities behind these domains.

Detecting malicious activities

Querying a passive DNS database download service can help detect suspicious delegation changes that could lead to vulnerabilities. Identifying cache poisoning is one example, but users can also uncover other types of infiltration. Trojans, which are often employed to invade networks, can be revealed before they steal sensitive information or provide unauthorized access to their operators.

Acquiring insights on attacks

Passive DNS data collected through DNS sensors can be integrated with other forms of threat intelligence. For example, details on how an IP or domain was resolved can be sent to specialists for further analysis and cross-linking with data from threat intelligence feeds, which may subsequently lead to the mitigation or even the avoidance of attacks.
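The four use cases above (record changes for fraud detection, mapping the domains connected to an address, spotting delegation changes, and cross-linking with a threat feed) are all queries over the same aggregated passive DNS records. The following added example (not code from the article or the author's product) runs each of them over a small constructed record set: it flags answers that first appeared after a known-good baseline period, which covers both an A-record hijack and an NS delegation change, pivots on a shared answer, lists names first seen inside a recent window, and matches names and answers against a constructed feed of indicators. The record layout, the timestamps, the hostnames and the addresses are all assumptions made for the example.

```python
"""Detection queries over passive DNS records (added example): answers
introduced after a baseline, pivots on shared answers, newly seen names,
and cross-linking with a threat intelligence feed."""
from collections import defaultdict

# Constructed passive DNS records: (rrname, rrtype, rdata, first_seen, last_seen).
# Timestamps are arbitrary unix seconds; addresses are from documentation ranges.
RECORDS = [
    ("example.test", "NS", "ns1.example.test", 1_700_000_000, 1_700_090_000),
    ("example.test", "NS", "ns2.example.test", 1_700_000_000, 1_700_090_000),
    ("example.test", "NS", "ns.attacker-host.test", 1_700_050_000, 1_700_090_000),
    ("shop.example.test", "A", "198.51.100.20", 1_700_000_000, 1_700_049_000),
    ("shop.example.test", "A", "203.0.113.77", 1_700_050_000, 1_700_090_000),
    ("login.other.test", "A", "203.0.113.77", 1_700_060_000, 1_700_090_000),
    ("pay-example.test", "A", "203.0.113.78", 1_700_080_000, 1_700_090_000),
    ("static.example.test", "A", "198.51.100.21", 1_699_000_000, 1_700_090_000),
]

# Constructed threat intelligence feed: indicators as an external source might publish them.
THREAT_FEED = {"203.0.113.77", "ns.attacker-host.test"}

BASELINE_END = 1_700_040_000          # end of the period in which records were known good
NEW_NAME_WINDOW_START = 1_700_070_000  # names first seen after this are "new"


def answers_after(records, rrname, rrtype, baseline_end):
    """Answers for rrname/rrtype first observed after the baseline period.
    For "A" this catches a resolution hijack; for "NS" a delegation change."""
    return sorted(
        rdata for name, rtype, rdata, first, _ in records
        if name == rrname and rtype == rrtype and first > baseline_end
    )


def pivot_on_answer(records, rdata):
    """Every name that ever shared the given answer: the connection graph around one address."""
    return sorted({name for name, _, rd, _, _ in records if rd == rdata})


def newly_seen_names(records, since):
    """Names whose earliest observation falls at or after `since`."""
    earliest = defaultdict(lambda: float("inf"))
    for name, _, _, first, _ in records:
        earliest[name] = min(earliest[name], first)
    return sorted(name for name, first in earliest.items() if first >= since)


def cross_link(records, feed):
    """Records whose name or answer matches a threat feed indicator."""
    return [r for r in records if r[0] in feed or r[2] in feed]


def triage(records, feed, zone, host, baseline_end, since):
    """Run all four checks for one zone and one host and return the findings."""
    hijacked = answers_after(records, host, "A", baseline_end)
    return {
        "delegation_changes": answers_after(records, zone, "NS", baseline_end),
        "hijacked_answers": hijacked,
        "pivots": {ip: pivot_on_answer(records, ip) for ip in hijacked},
        "new_names": newly_seen_names(records, since),
        "feed_hits": [(r[0], r[2]) for r in cross_link(records, feed)],
    }


if __name__ == "__main__":
    findings = triage(RECORDS, THREAT_FEED, "example.test", "shop.example.test",
                      BASELINE_END, NEW_NAME_WINDOW_START)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

The baseline comparison is what makes the history valuable: a live DNS query would only show the current answer, whereas the retained records show that the delegation gained an unknown nameserver and the shop host moved to a new address in the same period, and the pivot shows a second name on that address. In practice the baseline end and the "new name" window would be chosen per investigation rather than hard-coded.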

* * *

The potential that a passive DNS database download service brings to the table cannot be denied. Its ability to capture and retain historical DNS-related details can be used in many ways to enhance the current state of cybersecurity in organizations today. Additionally, it can be paired alongside other methods to improve existing defense protocols.

By Jonathan Zhang, Founder and CEO of Threat Intelligence Platform
