Home / Industry

Beefing Up Third-Party Risk Management with Reverse DNS Search

Most businesses rely on third-party entities to outsource certain functions, save on costs, and strengthen their cybersecurity capabilities. While working with external providers makes perfect business sense, it also poses cyber risks. For instance, a global record label's websites hosted by a third-party service provider became the latest victim of Magecart, a web skimming attack. The company is not alone to suffer such misfortune, however, as many data breaches are connected to third-party use.

Third parties usually need to access company networks and data to make these accessible to their contractors and employees. Hence, the chances of a data breach and other cybercrimes are magnified. But organizations can minimize risks through robust third-party risk management. As part of this, Reverse DNS Search can help by:

  • Identifying hosts and domains related to a third-party website, IP address, or DNS record
  • Determining if any of the domains associated with third parties are malicious and, therefore, pose risks

Let's take a closer look.

Identify Domains Associated with a Third Party

Associations with malicious actors is among the telltale signs of third-party risk. For instance, suppose a third-party vendor or contractor is associated with malicious domains through its IP address, nameserver, or mail server. In that case, there is a possibility for attackers to get hold of its domain. By extension, your network and data could also be exposed.

To illustrate, we obtained 10 domains reported on PhishTank then used DNS Lookup tools to retrieve their A and AAA records. We ran the associated IP addresses on Reverse DNS Search to gain insights into how many other domains share them.

Reported DomainsIP Address (A Record)Number of Associated Domains
micr0s0ft-secure[.]nw[.]r[.]appspot[.]com216[.]58[.]217[.]21210
halifax[.]co[.]uk[.]login-review-7438[.]info146[.]0[.]76[.]8113
grupmabarfreefire[.]freefire-2020[.]my[.]id207[.]180[.]194[.]2552
mshardware[.]bizzrise[.]in162.[.]41[.]114[.]5691
sync[.]owaaccessvoice[.]ml198[.]12[.]250[.]5199
preorderatt[.]weebly[.]com199[.]34[.]228[.]54176
familynametees[.]com198[.]20[.]71[.]143477
secure[.]scotiaonline[.]com[.]noneed[.]uk209[.]182[.]213[.]43549
dns-e58d6[.]web[.]app151[.]101[.]65[.]1955,100+
cpsclanaudiere[.]org67[.]215[.]3[.]2435,400+

Reverse DNS Search revealed that the IP addresses the domains were hosted on also served as hosts to dozens, hundreds, and even thousands of other domains. Some of these connections are probably fortuitous — after all, thousands of website owners may share an IP address due to their hosting configuration. Taking a closer look at the lists of associated domains, nevertheless, could provide some insights into malicious connections.

Determine a Third Party's Association with Malicious Domains

It is also important to note that out of the 10 IP addresses in the table above, only 199[.]34[.]228[.]54 has been reported for malicious activities.

As such, looking into a third party's IP address alone may not give you the whole picture. The connected domain doctorfix[.]org, for instance, resolves to 146[.]0[.]76[.]81 (one of the IP addresses in the table above). Running both the domain and IP address through a threat intelligence platform or third-party risk monitoring system that does not have a reverse DNS search feature would yield no warning signs.

However, performing a reverse DNS search on 146[.]0[.]76[.]81 would yield 13 domains sharing the same IP address:

Of these 13 domains, six have been cited for phishing and spamming activities by Spamhaus, specifically:

  • cpanel[.]kopenvaarbewijs[.]com
  • webmail[.]kopenvaarbewijs[.]com
  • autodiscover[.]kopenvaarbewijs[.]com
  • kopenvaarbewijs[.]com
  • webdisk[.]kopenvaarbewijs[.]com
  • realalphalife[.]com

Robust third-party risk monitoring entails that a third party's domain associations through its IP address and other DNS records should also be investigated.


Third-party risk management is a vital part of cybersecurity. Without it, an organization's cybersecurity posture remains weak and incomplete. Reverse DNS Search allows companies to get a better picture when it comes to assessing third parties. By integrating reverse DNS search into risk assessment systems and methodologies, enterprises not only determine if a third party is but also pinpoint which of its domains and DNS records can be a source of cyber risks.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

New TLDs

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byAppdetex

Whois

Sponsored byWhoisXML API

IP Addressing

Sponsored byIPv4.Global