Home Did you know ? How DNS History Contributes to Threat Investigations

How DNS History Contributes to Threat Investigations

by Mic Johnson

Cyberthreats pose risks to any organization. And companies, regardless of size or industry, so long as they have an online presence, are not safe. That is why they are advised to look at their infrastructure, including the history of DNS (Domain Name System) properties, to determine if their network has security vulnerabilities that threat actors can take advantage of or possible malware infections that can put their data in peril.

This post discusses three ways looking at DNS history can contribute specifically to threat investigations. But first, let us find out what the DNS is first.

What Is the DNS?

All digital devices use an IP address, which enables node (recipient or sender) identification. But it is hard to remember IP addresses so the DNS was created to give them human-readable names, specifically domain names. Mapping IP addresses to domain names is done by nameservers.

The DNS was created in the Internet’s early days and has since been playing a critical role in its operation. Its specifications were laid down by Dr. P. Mocakpetris in 1987. And though these have changed over the years, the DNS’s core functionality remains the same.

After knowing what the DNS is, let us now look at how DNS history can help with threat investigations.

3 Ways DNS History Contributes to Threat Investigations

Obtain a Comprehensive List of Domains That Resolved to a Malicious IP Address

Using a reverse IP/DNS API, which relies on DNS history data, can give you a detailed list of domains related to a particular IP address for the past 12 years. So if you see the IP address 37[.]59[.]43[.]63 in your blacklist and want to avoid connected domains for full threat protection, you can query it on a reverse IP/DNS lookup tool. Our query for the IP address returned the domain names guardisland[.]com and ns398995[.]ip-37-59-43[.]eu. While the resulting domains are not tagged malicious, since they are related to a malicious IP address, it may be best to include them in your blacklist, too.

Secure Your DNS Infrastructure

Domain hijacking is a threat that any organization can face. Threat actors can take over or hijack insufficiently secured or forgotten domains for use in their schemes. An example would be when malicious actors hijacked the domain mla[.]com in 2014.

An organization can track all of the domains it owns and secure these against hijacking by ensuring their DNS records are always updated and protected from hacking. It can query its IP addresses on a reverse IP/DNS API to get the DNS history details of its domains. Our query for 17[.]253[.]144[.]10 (apple[.]com’s IP address), for instance, tells us that the 50 domain names the company owns were last updated on 26 December 2020 and 10 January 2021. Apple is clearly ensuring its domain infrastructure is secure given that it constantly updates its DNS records.

Avoid Getting Tagged as a Threat Actor

Most companies, particularly small and medium-sized businesses (SMBs) do not use dedicated IP addresses. Instead, they use shared IP addresses. That could sometimes lead to risks, especially if the IP address they are using is flagged malicious. They could be blacklisted on all servers and systems that rely on IP-level blocking.

Let us take the IP address 23[.]227[.]38[.]32 as an example. It is the IP address that shadesdaddy[.]com, a luxury goods website hacked in 2015 to host a site that sells counterfeit goods. Based on a reverse IP/DNS API query that looks at an IP address’s DNS history, it is shared by hundreds of websites. If any of these IP address co-users are tagged malicious on any blacklist or by any security solution, then all of the sites whose domains that resolve to 23[.]227[.]38[.]32, including shadesdaddy[.]com, may end up blocked on the systems that use the blacklist or solution. That would be detrimental to their business as having any of their online properties implicated in threats could damage their reputation.

DNS history, as this post showed, has several other cybersecurity uses apart from the three mentioned above. In today’s cyberthreat-laden digital world, checking all possible intelligence sources to cover all the bases is crucial for any organization that wants to stay threat-free.

You may also like

Latest Hacking News