Strengthen your network security with Passive DNS

Collecting and analyzing Passive DNS data can help identify malicious sites and combat phishing and malware; here’s how to get started.

Over the past few years, we’ve witnessed increasing attacks against DNS infrastructure: DDoS attacks against authoritative name servers, name servers used as amplifiers in DDoS attacks, compromised registrar accounts used to modify delegation information, cache poisoning attacks, and abuse of name servers by malware. Thankfully, we’ve also seen the concurrent development of powerful new mechanisms for combating those threats, including the DNS Security Extensions, response policy zones, and response rate limiting.

Perhaps the most promising means of enhancing DNS security, and the security of the Internet generally, has yet to be fully exploited. That’s Passive DNS data.

A primer on Passive DNS

Passive DNS was invented by Florian Weimer in 2004 to combat malware. Basically, recursive name servers would log the responses they received from other name servers and replicate that logged data to a central database.

What would that logged data look like? Well, recall how recursive name servers operate. When queried, they examine their cache and authoritative data for an answer, and if the answer isn’t present, they start by querying one of the root name servers and following referrals until they identify the authoritative name servers that know the answer, then query one of those authoritative name servers to retrieve the answer. It looks something like this:

recursive name server

Most Passive DNS data is captured immediately “above” the recursive name server, as indicated here:

passive dns collection

That means Passive DNS data consists largely of referrals and answers from authoritative name servers on the Internet (along with errors, of course). This data is time-stamped, deduped, and compressed, then replicated to a central database for archiving and analysis.

Note that what’s captured is server-to-server communication, not queries from your stub resolvers to the recursive name server. (Stub resolvers sit “below” the recursive name server in the diagram.) That’s important for two reasons. First, there’s significantly less server-to-server talk than between a stub resolver and a recursive name server, only cache misses. Second, the server-to-server communication can’t easily be associated with a particular stub resolver, and therefore represents much less of a privacy concern.

How the Passive DNS data is collected varies. Some recursive name servers, including Knot and Unbound, include software hooks that make it easy to capture Passive DNS data. Administrators can use a free program called dnstap to read the Passive DNS data from the name server.

Folks running other name servers may use different tools on the host running the recursive name server to monitor traffic to the name server, or they may mirror the name server’s port to another host that records the data.

The value of passive DNS

Various organizations run the databases to which Passive DNS “sensors” upload data. One of the most popular and best known is Farsight Security’s Passive DNS database, DNSDB. DNSDB contains data collected over several years by sensors all over the world. Other organizations running Passive DNS databases include the website VirusTotal, now owned by Google; the German consulting company BFK; the Computer Incident Response Center Luxembourg, CIRCL; and Estonia’s Computer Emergency Response Team, CERT-EE.

Queries of Passive DNS databases can yield a wealth of useful information. For example, you could query Passive DNS databases to determine what a DNS query for A records attached to www.infoblox.com returned in April 2012, or what name servers infoblox.com has used since then, or what other zones use that same set of name servers. Perhaps more significant, you could take an IP address you know is malicious and find all the domain names that Passive DNS sensors have recently mapped to that IP address.

Here are some of the many uses of Passive DNS:

  • Passive DNS databases allow the near-real-time detection of cache poisoning and fraudulent changes to delegation. An organization could periodically query a Passive DNS database to find what addresses its critical domain names currently map to, according to Passive DNS sensors. Any variation from the mappings in authoritative zone data could be an indication of compromise.
  • Farsight Security periodically scrapes the newest domain names from DNSDB. These are domain names that were first seen by sensors in the last 15 minutes, hour, or other interval. It turns out there’s a high correlation between brand-new domain names and malicious activity. New domains are often briefly used in phishing campaigns or the like, then simply discarded. And the cost of temporarily blocking the few legitimate domain names that happen to have appeared in the last 15 minutes is small. Farsight can provide organizations with a feed of these newest domain names, enabling administrators to block their resolution.
  • If the Passive DNS database supports fuzzy or Soundex matching, an organization could periodically query that database for domain names that use or sound like its trade names and identify potential infringement.
  • Once an IP address or name server is marked as malicious, it’s easy to use a Passive DNS database to identify other domain names that map to that IP address, or other zones hosted by that name server, and may also be malicious.
  • By monitoring changes to A and AAAA records and zone NS records over time, it’s easy to identify domain names using techniques such as fast flux to help phishing and malware sites evade detection. Legitimate domain names (except for those used for load balancing and distribution) won’t change their addresses very frequently, and most legitimate zones rarely change their name servers.

Closing the loop with Response Policy Zones

Response policy zones (RPZs) provide an invaluable mechanism for closing the loop when malicious domain names are identified in Passive DNS data. RPZs are DNS zones whose contents are interpreted as rules. Those rules typically say things such as, “If anyone tries to look up A records for this domain name, return an error saying that domain name doesn’t exist.” Because RPZs are simply zones, they can be transferred around the Internet quickly and efficiently, and the policies they contain promptly enforced. Organizations that analyze Passive DNS data to identify malicious domain names can construct rules blocking resolution of those names and distribute them to subscribers around the Internet.

If you’re interested in contributing Passive DNS data from your recursive name servers, Farsight provides information on how to participate, including a step-by-step guide to setting up a Passive DNS sensor. You can also add RPZ feeds based on the analysis of Passive DNS data to help block the resolution of malicious domain names within your organization.

Cricket Liu is Infoblox's Chief DNS Architect and a Senior Fellow. He works with Infoblox customers to ensure their DNS implementations are robust and secure. He is a co-author of "DNS and BIND," one of the best-known books on the DNS.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.

Join the CSO newsletter!

Error: Please check your email address.

More about Computer Emergency Response TeamGoogleInfobloxZones

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Cricket Liu

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place