Passive DNS

Passive DNS is a system of record that stores DNS resolution data for a given location, record, and time period. This historical resolution data set lets analysts view which domains resolved to an IP address and vice versa, and supports time-based correlation on domain or IP overlap.

What to Look For


  • Historical repository of domains and IP addresses that can show overlap between values
  • Provides a method to get second-order domains and IP addresses that may be related to your original query
  • Identifies subdomains associated with a particular query, potentially revealing target details or additional suspect infrastructure

Questions to Ask


  1. Do the passive DNS results line up with the period I am interested in?
    Infrastructure like domain names and IP addresses may trade hands or be assigned to new customers by service providers over time. Beginning analysis with a known time frame of interest can aid in narrowing down what may be larger data sets spanning years of unrelated activity, allowing analysts to pinpoint specific attacker activity.
  2. Are there other data points (WHOIS, SSL Certificates, Host Pairs, etc.) that could be used to improve a connection point?
    Observations based on one type of data, such as infrastructure relationships, are sometimes sufficient on their own, but many observations can be strengthened and confirmed when combined with other supporting data. Supporting data points may also reveal other avenues of investigation that analysts were not initially aware of at the beginning of their research.
  3. Has the domain or IP address had a lot of changes over time?
  4. Does it appear that the domain or IP address is part of a shared hosting network?
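The pivots described above (domain to IP and back, second-order overlap, subdomain enumeration, narrowing by time window, and a shared-hosting check) can be shown in a few lines of code. The following Python is an added example, not code from the original page or from any passive DNS product; it runs over a constructed set of resolution records using documentation-range IPs and `.test` names, and its registered-domain extraction (last two labels) and shared-hosting threshold (ten distinct registered domains on one IP) are simplifying assumptions, not rules from the page.

```python
"""Passive DNS pivoting over a constructed sample data set (added example)."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Resolution:
    """One passive DNS observation: `query` resolved to `answer` between first_seen and last_seen."""
    query: str
    answer: str
    first_seen: date
    last_seen: date


# Constructed sample records (documentation-range IPs and .test names; not real observations).
RECORDS: List[Resolution] = [
    Resolution("login.example-corp.test", "203.0.113.10", date(2023, 1, 5), date(2023, 3, 20)),
    Resolution("mail.example-corp.test", "203.0.113.10", date(2023, 2, 1), date(2023, 3, 25)),
    Resolution("update-check.evil.test", "203.0.113.10", date(2023, 3, 1), date(2023, 3, 30)),
    Resolution("update-check.evil.test", "198.51.100.7", date(2023, 4, 1), date(2023, 6, 30)),
    Resolution("cdn.evil.test", "198.51.100.7", date(2023, 4, 10), date(2023, 6, 30)),
    # Earlier tenant of 203.0.113.10: unrelated noise if the window of interest is 2023.
    Resolution("oldshop.test", "203.0.113.10", date(2019, 1, 1), date(2020, 12, 31)),
    # 192.0.2.50 hosts many unrelated sites: the shared-hosting pattern.
    *[Resolution(f"site{i}.test", "192.0.2.50", date(2023, 1, 1), date(2023, 12, 31))
      for i in range(1, 13)],
]


def is_ip(value: str) -> bool:
    """Decide whether a pivot value is an IP address or a domain name."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def overlaps(rec: Resolution, start: Optional[date], end: Optional[date]) -> bool:
    """True if the record's observation interval intersects [start, end]; None means unbounded."""
    if start is not None and rec.last_seen < start:
        return False
    if end is not None and rec.first_seen > end:
        return False
    return True


def pivot(value: str, start: Optional[date] = None, end: Optional[date] = None,
          records: List[Resolution] = RECORDS) -> Set[str]:
    """First-order pivot: domain -> IPs it resolved to, or IP -> domains that resolved to it."""
    if is_ip(value):
        return {r.query for r in records if r.answer == value and overlaps(r, start, end)}
    return {r.answer for r in records if r.query == value and overlaps(r, start, end)}


def second_order(value: str, start: Optional[date] = None, end: Optional[date] = None,
                 records: List[Resolution] = RECORDS) -> Dict[str, Set[str]]:
    """Pivot twice: each first-order hit mapped to the other values it shares with the seed."""
    result: Dict[str, Set[str]] = {}
    for hop in pivot(value, start, end, records):
        related = pivot(hop, start, end, records) - {value}
        if related:
            result[hop] = related
    return result


def subdomains_of(apex: str, records: List[Resolution] = RECORDS) -> Set[str]:
    """All query names in the data set that sit below the given apex domain."""
    suffix = "." + apex
    return {r.query for r in records if r.query.endswith(suffix)}


def apex_of(name: str) -> str:
    """Assumed simplification: registered domain = last two labels (a real tool uses the public suffix list)."""
    return ".".join(name.split(".")[-2:])


def shared_hosting_score(ip: str, records: List[Resolution] = RECORDS) -> int:
    """Count distinct registered domains ever seen on the IP; a high count suggests shared hosting."""
    return len({apex_of(r.query) for r in records if r.answer == ip})


def looks_shared(ip: str, threshold: int = 10, records: List[Resolution] = RECORDS) -> bool:
    """Assumed threshold: ten or more registered domains on one IP is treated as shared hosting."""
    return shared_hosting_score(ip, records) >= threshold


if __name__ == "__main__":
    window = (date(2023, 1, 1), date(2023, 12, 31))
    seed = "update-check.evil.test"
    print("IPs for seed in window:", sorted(pivot(seed, *window)))
    print("Second-order domains:", second_order(seed, *window))
    print("Subdomains of evil.test:", sorted(subdomains_of("evil.test")))
    for ip in ("203.0.113.10", "192.0.2.50"):
        print(ip, "shared hosting?", looks_shared(ip))
```

Running it shows the effect of each question from the list: restricting the 2023 window drops the old tenant `oldshop.test` from the pivot on `203.0.113.10`, the second-order pivot surfaces `cdn.evil.test` and the two `example-corp.test` hosts through shared IPs, and `192.0.2.50` is flagged as shared hosting, so overlap on that IP alone would be weak evidence and should be backed by the other data points (WHOIS, certificates, host pairs) the page mentions.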