You’ve probably heard cybersecurity specialists mention how they used Domain Name System (DNS) records to track down attackers, or how website administrators use them to manage their companies’ web properties (e.g., web pages). But not everyone knows what the DNS really is, where DNS records are stored (e.g., in a historical DNS database like this one), and what DNS data is used for. This post sheds some light on those topics.
What Is the Domain Name System?
The DNS is almost always referred to as the Internet’s phone book. Why? Because it translates domain names (e.g., company[.]com) into IP addresses (e.g., 1[.]255[.]3[.]253 or 2001[:]0db8[:]85a3[:]0000[:]0000[:]8a2e[:]0370[:]7334). That way, the user who wants to access the content of company[.]com is brought to the right page.
You may be wondering why the DNS is necessary, and the answer is quite simple. Humans have an easier time remembering a domain name like company[.]com than an IP address like 1[.]255[.]3[.]253 or 2001[:]0db8[:]85a3[:]0000[:]0000[:]8a2e[:]0370[:]7334, but web browsers use IP addresses to interact with computers or servers. The DNS therefore acts as a conduit between humans and computers, so that each side gets the form of address it works with.
What Is a Historical DNS Database?
Much like physical phone books that got distributed to all home phone service subscribers in the past, domain names and their corresponding IP addresses need to be kept somewhere so users get directed to wherever they want to go on the Web. That’s the DNS, which is a database of sorts. But it does differ from a historical DNS database that various intelligence vendors offer. How?
The DNS contains all the current DNS records of every domain name. A historical DNS database, meanwhile, records all the IP addresses that domain names resolved to over a given period of time, depending on how long a particular vendor has been crawling the Web for DNS data. Let’s take a look at an example to clear things up more.
Say the domain name company[.]com used to resolve to the IP address 1[.]2[.]3[.]4. The company had to change its Internet service provider (ISP) after 3 years, though, when its office moved to another country. Its new IP address is 1[.]255[.]3[.]253. A historical DNS database that has been collating data for several years would, therefore, give users two IP addresses for company[.]com, which are 1[.]2[.]3[.]4 and 1[.]255[.]3[.]253.
For illustration, here is a screenshot of entries from a historical DNS database:
Note the varying number of IP addresses in the rightmost column that each domain in the leftmost column points to. Not all of these IP addresses are current; some may no longer be in use.
What Data Does a Historical DNS Database Contain?
A historical DNS database for A records (i.e., specifying domain and IP resolutions) has three columns described in greater detail below.
The first column contains the domain names collated over a specific period (i.e., daily, weekly, monthly, or over time). Each domain in the database was looked up by at least one user within that period and resolved to the IP addresses indicated.
In this sample DNS database entry, the domain name is anguillavillarental[.]com.
The second column contains the date and specific time when the domains were last accessed. The value is a UNIX timestamp (seconds elapsed since 1 January 1970 UTC), which can be easily converted to a human-readable date and time in your chosen timezone using a converter like Epoch Converter.
In the same example above, the timestamp is 1625204923, which converts to 2 July 2021 5:48:43 AM GMT.
The third column lists all the IP addresses the domain pointed to over the specified period. There’s always at least one IP address in this column as all Internet-connected devices (even the computers or servers sites are hosted on) need one.
In the same example, for the week ending 26 July 2021, anguillavillarental[.]com resolved to three IP addresses:
Other record types can also be available as part of historical DNS databases, such as Canonical Name (CNAME), mail exchanger (MX), nameserver (NS), Start of Authority (SOA), and TXT records.
What Is DNS Database Data Useful For?
DNS data is most helpful in cybersecurity. It specifically provides the benefits below.
IoC List Expansion
If you’re a professional threat hunter, you can use DNS data to uncover threat associations given a domain or an IP address. So if you have a list of indicators of compromise (IoCs) that contains domains and want to ensure you’re blocking all possible threat vectors, you can look up each domain in the DNS database and block all IP addresses connected to it.
Let’s say your IoC list contains the malicious domain account-paypalinfo[.]com. A DNS database would tell you that it’s connected to the IP address 34[.]98[.]99[.]30.
Knowing that, apart from blocking access to and from account-paypalinfo[.]com, you should also block access to and from 34[.]98[.]99[.]30. You can also use a malicious NS from an NS database as a starting point for adding artifacts or IoCs to your current blocklist.
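As an added example (not code from the original post or from any vendor), the following Python parses rows in the three-column layout described above (domain, UNIX timestamp, IP addresses), converts the timestamp the way the post does, and expands an IoC domain list into IP addresses. The row format, field separators, and all rows except the two values quoted in the post (anguillavillarental[.]com with timestamp 1625204923, and account-paypalinfo[.]com resolving to 34.98.99.30) are constructed; the other addresses are documentation ranges. The expansion also sets aside an IP that many unrelated domains share, since blocking a shared-hosting address would cut off those sites too.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows in the three-column layout the post describes
# (domain, UNIX timestamp of last access, IP addresses). The separators
# are an assumption of this example, not a vendor's real format; the
# 192.0.2.x / 203.0.113.x addresses and the *-example domains are made up.
SAMPLE_FEED = """\
anguillavillarental.com,1625204923,192.0.2.10;192.0.2.11;192.0.2.12
account-paypalinfo.com,1625204923,34.98.99.30
shop-login-example.net,1625190000,203.0.113.5
example-bakery.com,1625190000,203.0.113.5
example-florist.com,1625190000,203.0.113.5
example-dentist.com,1625190000,203.0.113.5
"""


def epoch_to_utc(ts):
    """Render a UNIX timestamp as a human-readable UTC/GMT string."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_feed(text):
    """Return a list of (domain, last_seen_utc, [ips]) from feed rows."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, ts, ips = line.split(",", 2)
        records.append((domain, epoch_to_utc(ts), ips.split(";")))
    return records


def expand_iocs(records, ioc_domains, shared_threshold=3):
    """Map IoC domains to the IPs they resolved to. IPs also used by
    shared_threshold or more non-IoC domains look like shared hosting and
    go to a review list instead of straight onto the blocklist."""
    ip_to_domains = defaultdict(set)
    for domain, _, ips in records:
        for ip in ips:
            ip_to_domains[ip].add(domain)
    block, review = set(), set()
    for domain in ioc_domains:
        for ip, domains in ip_to_domains.items():
            if domain not in domains:
                continue
            if len(domains - set(ioc_domains)) >= shared_threshold:
                review.add(ip)  # blocking would also cut off unrelated sites
            else:
                block.add(ip)
    return {"block": sorted(block), "review": sorted(review)}
```

Calling `expand_iocs(parse_feed(SAMPLE_FEED), ["account-paypalinfo.com", "shop-login-example.net"])` puts 34.98.99.30 on the blocklist and 203.0.113.5 on the review list.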
Cybersecurity Solution Enhancement
Not many anti-malware solutions can correlate web properties with one another with 100% accuracy. Much like how you would use a DNS database for threat hunting or IoC list expansion, you can extend your cybersecurity solutions’ capabilities by integrating DNS data into them. That way, they won’t only block access to and from the IoCs on the list you fed them but also the connected IP addresses (given a domain) or domains (given an IP address). That should boost your defenses against all kinds of threats.
Attack Surface Management
In much the same vein as you would use a DNS database to expand a list of IoCs, you can also use it to ensure all your digital properties are properly secured. You can look for all your domains or IP addresses on it. Once you’ve identified all your assets, you can check if the domains’ DNS records are all up-to-date and pointing to the right IP addresses (meaning, threat actors didn’t redirect them to malicious IP addresses under their control).
You can also query all your domains and IP addresses on blocklists to make sure none of them are being detected as malicious. If any of them are, you can change these resources to protect your domain reputation.
You can also consult the other historical DNS database feed files (CNAME, MX, NS, SOA, and TXT) to find all of your web properties, even dangling, forgotten, or unused ones. You can then update their records so they no longer point to digital assets you do not own, or decommission them (delete them permanently from the DNS) so threat actors can’t use them in domain takeover attacks.
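As an added example of the attack surface checks just described (not code from the original post or from any vendor), this Python compares the latest A and CNAME records observed for a company’s names against an asset inventory. The inventory, the placeholder zone company.example, the documentation IP ranges, and the record values are all constructed for the example; the check flags names missing from the inventory, A records outside the owned address space, and CNAMEs that target names the company does not control.

```python
import ipaddress

# Constructed asset inventory for this example (not from any real feed).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# the company's own address space; company.example is a placeholder zone.
OWNED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
OWNED_HOSTS = {"www.company.example", "shop.company.example",
               "old-promo.company.example"}

# Constructed "latest record per name", as a defender would pull from the
# A and CNAME feed files the post mentions: name -> (record type, value).
LATEST_RECORDS = {
    "www.company.example": ("A", "192.0.2.20"),
    "shop.company.example": ("A", "203.0.113.77"),
    "old-promo.company.example": ("CNAME", "promo.legacy-saas.example"),
    "staging.company.example": ("A", "198.51.100.9"),
}


def audit_assets(records, owned_hosts, owned_networks):
    """Compare observed DNS records against the inventory and return
    (name, finding) pairs for anything a defender should review."""
    findings = []
    # Names in the feed that the inventory does not list are the forgotten
    # or unused properties the post warns about.
    for name in sorted(set(records) - owned_hosts):
        findings.append((name, "not in inventory: forgotten asset?"))
    for name in sorted(owned_hosts):
        if name not in records:
            findings.append((name, "no record observed: decommissioned or missing"))
            continue
        rtype, value = records[name]
        if rtype == "A":
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in owned_networks):
                findings.append((name, f"A record points outside owned space: {value}"))
        elif rtype == "CNAME" and value not in owned_hosts:
            # A CNAME to a name you do not control needs review: once the
            # target is abandoned it becomes a domain takeover opportunity.
            findings.append((name, f"CNAME targets a name you do not control: {value}"))
    return findings
```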
You just learned what the DNS is, what a DNS database is, and what its practical uses are. Despite being primarily made for cybersecurity purposes, DNS databases are also useful for brand protection and market intelligence gathering.