For a long time, there were no practical ways to trace or recount prior Domain Name System (DNS) records in any DNS zone. So when cybersecurity teams were investigating a suspicious IP address, they couldn’t see all of the domain names that it had resolved to in the past. This predicament left many stones unturned.
Then passive DNS came along, making it possible to dig into the DNS history of IP addresses and domain names connected to them. This intelligence has since become essential in the fight against cybercrime and led to the development of some of the best DNS history lookup resources available on the market today:
Now that we have introduced these products, let’s look more closely at what they can bring to the table through brief cybersecurity demonstrations.
Consider the scenario where your existing threat intelligence platform (TIP) detects the malicious IP address 5[.]2[.]78[.]19. This IP address is tagged as an indicator of compromise (IoC) associated with a credit card skimmer found on the Tupperware website.
Integrating Reverse IP/DNS API into a threat intelligence platform would enable security teams to see all domains connected to the malicious IP address. For our IoC, the program detected seven domains that resolve to the IP address, including servic-authenticdf[.]ml, mabanquexcvbnpparibas[.]ml, and stuckonyou[.]club. While this doesn’t mean that all connected domains are malicious, it’s worth looking into each of them.
Similarly, DNS Database Download can reveal domains and IP addresses used by threat actors. This information can be fed directly into a domain and IP reputation scoring system to make such products more accurate. Let’s take the domain name fanohuse[.]com, which resolves to the following IP addresses as revealed by DNS Database Download:
All of these IP addresses are tagged as suspicious on the TIP and on VirusTotal. Additionally, take note that when you filter the database to show all domains associated with the suspicious IP addresses, another domain name comes into the picture: americaonlineinstantmessenger[.]com.
Why would such an association exist? A possible reason is that while threat actors use sophisticated methodologies and technologies, they often reuse their infrastructure to save on costs. Therefore, when developing a domain and IP reputation scoring system, it would be logical to warn clients about the domain names associated with known-suspicious IP addresses as well. That way, your product can effectively cover all possible attack vectors. Developers of TIPs and SIEM systems, too, can use the database or its API version to make their products more comprehensive and reliable.
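The pivot described above (IP to domains, domains to further IPs, IPs to further domains) can be automated over any passive-DNS export. The following is an added example written for this article, not code from the vendor's products: it walks a passive-DNS snapshot breadth-first from one IoC IP, records the hop count and the parent indicator for every domain or IP it reaches, and stops at a configurable hop limit so the expansion does not drift into unrelated shared hosting. Only the seed IP and the three first-hop domains come from the article; every other record, including the RFC 5737 documentation addresses, is constructed for illustration.

```python
from collections import deque

# Constructed passive-DNS snapshot as (domain, ip) pairs. The seed IP and the
# three domains on the first hop are the ones the article names; every other
# record is made up for this example and uses RFC 5737 documentation addresses.
PDNS_RECORDS = [
    ("servic-authenticdf.ml", "5.2.78.19"),
    ("mabanquexcvbnpparibas.ml", "5.2.78.19"),
    ("stuckonyou.club", "5.2.78.19"),
    ("stuckonyou.club", "192.0.2.10"),       # constructed: second hosting IP
    ("example-lure.net", "192.0.2.10"),      # constructed: reached at hop 3
    ("unrelated-shop.org", "198.51.100.7"),  # constructed: never connected
]

def build_index(records):
    """Bidirectional index: ip -> {domains} and domain -> {ips}."""
    ip_to_domains, domain_to_ips = {}, {}
    for domain, ip in records:
        ip_to_domains.setdefault(ip, set()).add(domain)
        domain_to_ips.setdefault(domain, set()).add(ip)
    return ip_to_domains, domain_to_ips

def pivot(seed_ip, records, max_hops=2):
    """Breadth-first expansion from one IoC IP through the passive-DNS graph.
    Returns {indicator: (hop, parent)} so an analyst can see how each domain
    or IP was reached and review the hop at which the evidence thins out."""
    ip_to_domains, domain_to_ips = build_index(records)
    seen = {seed_ip: (0, None)}
    queue = deque([(seed_ip, 0)])
    while queue:
        node, hop = queue.popleft()
        if hop >= max_hops:          # respect the hop limit
            continue
        neighbours = ip_to_domains.get(node, set()) | domain_to_ips.get(node, set())
        for nxt in sorted(neighbours):
            if nxt not in seen:
                seen[nxt] = (hop + 1, node)
                queue.append((nxt, hop + 1))
    return seen

def defang(indicator):
    """Write an indicator with [.] so it is not clicked or resolved by accident."""
    return indicator.replace(".", "[.]")

if __name__ == "__main__":
    found = pivot("5.2.78.19", PDNS_RECORDS)
    for ind, (hop, parent) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(f"hop {hop}: {defang(ind)} via {defang(parent) if parent else '-'}")
```

Each reached indicator still needs analyst review before it is fed into a reputation score, since a shared hosting IP at hop 2 can pull in legitimate domains.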
Passive DNS is a powerful resource for cybersecurity. That is why solutions such as Reverse IP/DNS Lookup, its API counterpart, and DNS Database Download may be worth looking into, especially when developing cybersecurity products. In the same way, enterprises that want to enrich their existing security systems can conduct DNS history lookups to establish relationships between domains and IP addresses.