Cybersecurity experts use Domain Name System (DNS) records to track attackers, and website administrators use them to manage company web properties such as web pages. You have probably heard DNS mentioned. However, not everyone knows what DNS really is, where DNS records are stored (for example, in a historical DNS database like this one), and what DNS data is used for. This post sheds some light on those topics.
What is the Domain Name System?
DNS is most often described as the Internet's phone book. Why? It translates domain names (e.g., company[.]com) into IP addresses (e.g., 1[.]255[.]3[.]253 or 2001[:]0db8[:]85a3[:]0000[:]0000[:]8a2e[:]0370[:]7334). That way, users who want to access company[.]com's content are taken to the correct page.
You may be wondering why DNS is needed, but the answer is pretty simple. It is easy for humans to remember domain names like company[.]com instead of IP addresses like 1[.]255[.]3[.]253 or 2001[:]0db8[:]85a3[:]0000[:]0000[:]8a2e[:]0370[:]7334. Web browsers, however, use IP addresses to talk to computers or servers. DNS therefore acts as a go-between for humans and computers, so you can get what you need either way.
What is a historical DNS database?
Like the physical phone books once distributed to every home phone subscriber, domain names and their corresponding IP addresses need to be kept somewhere so that users can be directed to the right place anywhere on the web. That somewhere is DNS, which is a kind of database. It differs, however, from the historical DNS databases offered by various intelligence vendors. How?
DNS holds the current DNS records for all domain names. A historical DNS database, on the other hand, records every IP address a domain name resolved to over a particular time period, which depends on how long the vendor has been crawling the web for DNS data. Let's look at an example to make this clearer.
Say the domain name company[.]com used to resolve to IP address 1[.]2[.]3[.]4. Three years later, when its office moved to another country, the company had to change its Internet service provider (ISP). Its new IP address is 1[.]255[.]3[.]253. A historical DNS database that has been collecting data for several years would therefore return two IP addresses for company[.]com: 1[.]2[.]3[.]4 and 1[.]255[.]3[.]253.
For illustration purposes, this is a screenshot of an entry from a historical DNS database.
Notice that each domain in the leftmost column points to a different number of IP addresses in the rightmost column. Not all IP addresses are up to date. Some may be obsolete.
What data does the historical DNS database contain?
The historical DNS database of A records (that is, records mapping domains to the IP addresses they resolve to) has three columns, detailed below.
The first column contains the domain names that were resolved over a specific time period (for example, daily, weekly, monthly, or all time). A domain appears in the database if any user accessed it within that period and it resolved to the indicated IP address(es).
In this sample DNS database entry, the domain name is anguillavillarental[.]com.
The second column contains the date and time the domain was last accessed. The value is a UNIX timestamp, which can easily be converted to a human-readable date and time in your chosen time zone with a converter such as Epoch Converter.
In the same example, the timestamp is 1625204923, which converts to July 2, 2021 at 5:48:43 GMT.
The third column lists all the IP addresses the domain resolved to during the period. This column always contains at least one IP address, because every device connected to the Internet, including the computer or server that hosts a site, needs an IP address.
In the same example, for the week ending July 26, 202, anguillavillarental[.]com resolved to three IP addresses:
Other record types are also available as part of historical DNS databases, such as Canonical Name (CNAME), Mail Exchanger (MX), Name Server (NS), Start of Authority (SOA), and TXT records.
What is DNS database data useful for?
DNS data is most useful in cybersecurity. Specifically, it offers the following advantages.
IoC list expansion
Professional threat hunters can use DNS data to reveal threat associations between domains and IP addresses. So if you have a list of indicators of compromise (IoCs) that includes domains and want to be sure of blocking all possible threat vectors, you can look up each domain in your DNS database and block every IP address connected to it.
Say your IoC list contains the malicious domain account-paypalinfo[.]com, and the DNS database tells you it is connected to IP address 34[.]98[.]99[.]30. Knowing that, besides blocking access to and from account-paypalinfo[.]com, you should also block access to and from 34[.]98[.]99[.]30. You can likewise use a malicious name server from the NS database as a starting point for adding artifacts or IoCs to your current block list.
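As an added example (not code from the original post), the Python script below parses rows in the three-column A-record layout described in the previous section and performs the IoC expansion just described, in both directions. The feed rows are constructed for illustration: only account-paypalinfo.com and 34.98.99.30 come from the post, and the remaining domains and addresses are made up.

```python
from datetime import datetime, timezone
from typing import Iterable, List, Set

# Constructed sample rows in the three-column layout (domain, last-seen
# UNIX timestamp, comma-separated IPs). Only account-paypalinfo.com and
# 34.98.99.30 come from the post; the rest are made-up illustration values.
SAMPLE_FEED = """\
anguillavillarental.com\t1625204923\t203.0.113.10,203.0.113.11,198.51.100.7
account-paypalinfo.com\t1625200000\t34.98.99.30
benign-shop.example\t1625100000\t34.98.99.30
company.com\t1625000000\t1.2.3.4,1.255.3.253
"""

def parse_feed(text: str) -> List[dict]:
    """Turn tab-separated feed rows into records with a UTC datetime and IP list."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, ts, ips = line.split("\t")
        records.append({
            "domain": domain.lower().rstrip("."),
            "last_seen": datetime.fromtimestamp(int(ts), tz=timezone.utc),
            "ips": [ip for ip in ips.split(",") if ip],
        })
    return records

def ips_for_domains(records: List[dict], ioc_domains: Iterable[str]) -> Set[str]:
    """Domain -> IP expansion: every address an IoC domain has resolved to."""
    wanted = {d.lower() for d in ioc_domains}
    return {ip for r in records if r["domain"] in wanted for ip in r["ips"]}

def domains_for_ips(records: List[dict], ips: Iterable[str]) -> Set[str]:
    """IP -> domain pivot. Shared hosting means unrelated domains can share an
    address, so review these before adding them to a block list."""
    wanted = set(ips)
    return {r["domain"] for r in records if wanted.intersection(r["ips"])}

def expand_block_list(records: List[dict], ioc_domains: Iterable[str]) -> dict:
    """Block list in the post's sense: the IoC domains plus their connected IPs,
    with IP-sharing domains reported separately as review candidates, not blocks."""
    iocs = {d.lower() for d in ioc_domains}
    ips = ips_for_domains(records, iocs)
    candidates = domains_for_ips(records, ips) - iocs
    return {"domains": iocs, "ips": ips, "review": candidates}
```

Running `expand_block_list(parse_feed(SAMPLE_FEED), ["account-paypalinfo.com"])` blocks the IoC domain and 34.98.99.30, and lists benign-shop.example for review because it shares that address.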
Strengthening cyber security solutions
Not many anti-malware solutions can correlate web properties with 100% accuracy. Just as DNS databases serve threat hunting and IoC list expansion, you can extend the capabilities of your cybersecurity solution by integrating DNS data. Doing so blocks not only access to and from the IoCs themselves, but also the connected IP addresses (given a domain) or domains (given an IP address). That should boost your defense against every type of threat.
Attack surface management
Much like expanding an IoC list with a DNS database, you can use one to make sure all of your digital properties are properly secured. Start by finding all of your domains or IP addresses. Once you have identified all of your assets, you can verify that your domains' DNS records are all up to date and point to the correct IP addresses (that is, that an attacker has not redirected your domain to a malicious IP address under their control).
You can also check all of your domains and IP addresses against block lists to make sure none of them has been flagged as malicious. If any have been, you can remediate those resources to protect your domain's reputation.
You can also browse the other historical DNS database feed files (CNAME, MX, NS, SOA, TXT) to find all of your web properties, including dangling, forgotten, or unused ones, and check that their records are up to date. Records that point to digital assets you no longer own should be updated, or the assets deprecated (permanently removed from DNS), so that attackers cannot use them in domain hijacking attacks.
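Here is an added example (not the post's own code) of the attack surface check just described, in Python: it compares historical A-record rows against an inventory of owned address ranges and flags CNAME aliases whose targets are outside the inventory for review. The organisation, its networks, hostnames and feed rows are all constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed inventory: the address ranges and hostnames this organisation
# owns. Everything below is made up for illustration.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:10::/48")]
OWNED_HOSTS = {"company.example", "www.company.example", "cdn.company.example"}

# Historical A-record rows: domain, last-seen UNIX timestamp, comma-separated IPs.
A_ROWS = """\
company.example\t1625204923\t203.0.113.10
www.company.example\t1625204923\t203.0.113.10,198.51.100.7
mail.company.example\t1625204923\t2001:db8:10::25
"""
# Historical CNAME rows: alias, last-seen UNIX timestamp, target hostname.
CNAME_ROWS = """\
shop.company.example\t1625204923\told-storefront.example-host.net
static.company.example\t1625204923\tcdn.company.example
"""

Finding = Tuple[str, str, str]  # (record name, problem, offending value)

def _rows(text: str):
    for line in text.splitlines():
        if line.strip():
            yield line.split("\t")

def audit_a_records(rows: str, owned_networks) -> List[Finding]:
    """Flag domains that resolved to an address outside the owned ranges.
    A hit may be an obsolete resolution (the history keeps old IPs too) or a
    redirection by an attacker, so each one needs a human to confirm."""
    findings = []
    for domain, _ts, ips in _rows(rows):
        for ip in ips.split(","):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in owned_networks):
                findings.append((domain, "resolved outside owned ranges", ip))
    return findings

def audit_cnames(rows: str, owned_hosts) -> List[Finding]:
    """Flag aliases whose target is not in the inventory. Third-party targets
    are normal, but one that has since been released is a dangling record an
    attacker could claim, so review every hit."""
    return [(alias, "CNAME target not in inventory", target)
            for alias, _ts, target in _rows(rows)
            if target.lower().rstrip(".") not in owned_hosts]
```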
You have learned what DNS and DNS databases are and how to use them in practice. DNS databases are created primarily for cybersecurity purposes, but they are also useful for brand protection and market intelligence gathering.