tips enterprise security

SecurityTrails Blog · Jun 04 · by Esteban Borges

What is DNS Intelligence?

Reading time: 7 minutes

We’ve written about the importance of IP addresses before, such as in our article exploring IP intelligence. In that piece we dived into how useful IP data is for the entire internet, as well as the critical role it plays in the cybersecurity industry.

Today we will deep dive into a related topic: DNS intelligence, its main concept, how important it is inside the cybersecurity world, and much more.

Definition of DNS intelligence

DNS intelligence could be defined as ‘all the intelligence data that comes from the DNS system and the interactions of its users’.

If you search for ‘DNS intelligence’ on Google, it will probably show results related to ‘DNS threat intelligence.’ This makes sense, as it’s directly involved with threat intelligence. Both terms relate to the same goal: preventing threats by using intelligence data.

DNS intelligence is a critical part of any OSINT and information gathering strategy whenever you’re investigating a specific target from a red team’s point of view, or when you’re doing blue team homework of testing and performing research against your own assets, to prevent cyber threats.

The importance of DNS data in cybersecurity

The DNS ecosystem plays a critical role in cybersecurity, one that’s often overlooked and underused by many IT professionals. Some cybersecurity teams and SOCs even use DNS to audit their subdomains, as a primary means of preventing incidents with old vulnerable apps.

However, DNS analysis can be used to gain a lot more knowledge than merely exploring subdomains and general DNS records.

Things like monitoring newly added domains and subdomains, historical and new DNS records, IP associations, links between domains, WHOIS, malicious activities, and much, much more, are among the key benefits of true DNS analytics. Also, an often forgotten usage of DNS intel data is the digital forensics field.

With so many fast and dynamic changes happening every second on all the DNS servers around the world, keeping an eye on constant movement within domain names is critical. That’s why the historical side of the DNS system becomes an essential source of information for all who are involved in this field.

DNS intelligence examples

All the intelligence we can get from DNS records stems from the concept of ‘DNS intelligence’, and that includes:

  • Forward DNS records: All present DNS records on the current website
  • DNS historical records: Historical DNS records from days, months or years ago
  • Subdomain mapping: By accessing all current DNS records, you can also perform subdomain enumeration for current and past subdomains over a period of time
  • Reverse DNS records: Current rDNS records obtained by performing a reverse DNS lookup
  • Registrar name servers: Current NS records at the domain registrar
  • Glue record history: DNS records created at the domain registrar
  • Historical registrar name servers: Past information about NS used on the registrar, going back by years
  • DNS software identification: Software information for the DNS server you’re running, including name and current version
  • Associated domain names: DNS intelligence also provides the ability to detect associated domains hosted on the same networks as the main apex domain
  • Associated IPs: In a similar manner, you can detect related IPs on the same network by looking into DNS information

How is DNS intelligence used in cybersecurity?

Performing a DNS audit can help you achieve many things for your organization.

If you’re on the offensive side, such as on red teams or purple teams, you can:

  • Create a full DNS map of all connected assets
  • Perform full subdomain enumeration
  • Detect unknown apps and services
  • Find stale DNS records
  • Discover associated domain names
  • Unveil hosting infrastructure and providers
  • Detect when DNS changes occurred

If you’re on the defensive side, DNS threat intelligence is used by blue teams and for cyber crime investigation to:

  • Build a complete map of all domains and their DNS records
  • Find and remove unknown, old and stale DNS records
  • Find malicious domain and subdomain names
  • Investigate malware campaigns
  • Detect phishing attacks
  • Prevent subdomain attacks by analyzing stale DNS records
  • Create next-gen DNS-based firewalls
  • Create other DNS-based email blocking lists
  • Monitor brand usage and copyright violations

DNS threat intelligence utilities

When it comes to finding the right DNS threat intelligence tools, there are so many options to choose from that we had a hard time calling out the top tools for this task.

Terminal-based DNS domain tools offer manual ways to fetch DNS data and perform DNS enumeration, subdomain mapping and more. Tools we’ve previously reviewed include Nmap DNS brute force script and the popular DNSEnum script. And today, we will show you new intelligence tools to expand your infosec software toolkit.

OWASP Amass

Amass is one of the best domain tools available, one that allows you to get valuable DNS intelligence. It’s a terminal-based app that will help when it comes to network mapping, which includes DNS information about domain names, subdomains and more.

We already reviewed it weeks ago, and it turned out to be one of the best terminal-based tools for DNS reconnaissance. So of course, it should definitely be a part of your DNS intelligence toolkit.

OWASP Amass

DNSRecon

DNSRecon is the second tool we can recommend to you when it comes to ways of getting DNS intel about any target. Its main function aims to help you during the reconnaissance process for a lot of different DNS records, such as: A, AAAA, TXT, SOA, SPF, MX and NS.

It includes both passive and active ways to perform DNS mapping, including verifying all NS records for zone transfers, wildcard resolution, brute force techniques with wordlists, and more.

DNSRecon

However, if you want to jump right to the next level of DNS intelligence tools, you should seriously think about DNS intelligence API, or a passive DNS web-based tool. Here at SecurityTrails we’ve developed these exact two solutions for your DNS threat intelligence needs.

SecurityTrails API

The SecurityTrails API is one of the most effective tools you can use to fetch DNS intel data about any domain name on the internet.

Some of the main API endpoints toward this goal could be:

  • Details: Provides current DNS records data, including TXT, SOA, NS, MX, AAAA and A records.
  • Subdomain: Shows you a full subdomain enumeration in less than one second.
  • Associated domains: Provides a list of domain names that are directly related to the apex domain you’re investigating.
  • History: Can be used to fetch all the historical DNS records from any domain name, including TXT, SOA, NS, MX, AAAA and A records.

And what’s more, our security API is one of the best ways there is to integrate domain intelligence and DNS critical data into new or existing apps on your end.

SecurityTrails API

SurfaceBrowser™

By querying our passive DNS servers and other sources, SurfaceBrowser™ is ready to give you access to advanced DNS information from a web-based command center.

Start exploring critical DNS intelligence data from any organization or domain name in just seconds. This includes:

  • Current DNS records
  • Historical DNS records
  • Newly observed subdomains
  • Associated domain names
  • Full subdomain mapping
  • Reverse DNS records
  • Related IP blocks
  • Number of hosts and websites per IP
Critical DNS intelligence

One of the most interesting features of this tool is one that will boost your DNS intelligence: the ability to monitor all DNS activity from a single place, letting you access all the latest added subdomains in the blink of an eye.

You can watch all this magic happening from the ‘Activity’ tab within the SurfaceBrowser dashboard:

SurfaceBrowser dashboard

This is probably one of the most complete DNS intelligence tools you’ll ever find on the internet, giving you a proper look at current and past DNS configurations as well as a complete IP intelligence report.

Final words

Now you know the concept of DNS intelligence, how it can be used in different scenarios for red teams and blue teams, and the main tools you’ll need to begin a full DNS audit over your infrastructure to get access to critical DNS data.

And outside the infosec market, you can also use this information as “DNS business intelligence”, which can help you gain intelligence data about your competitors by spying into their DNS details.

Are you ready to take your organization’s DNS intelligence collection tasks to a higher level? Start by opening a free API account, and browse our API documentation. You can also explore our enterprise-grade flagship product SurfaceBrowser™ for a complete DNS intelligence web-based experience. Book a demo with our sales team today!

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.