DNS Forensic Analysis Using Domain History API and DNS History API

reconnaissance

SecurityTrails Blog · Nov 29 · SecurityTrails team

DNS translates human-readable domain names into the IP addresses machines actually use (and back again), letting us browse the web or send email without knowing what is behind the scenes. Domain names are easy to use on any online service, and they work well for all kinds of web-based products.

Some people use DNS and domain names for legitimate activities, while others work on the dark side of the Internet: building DDoS botnets, spreading malware, setting up phishing domains, sending spam, or running any other illegal digital service.

To catch them, many security experts from both public and private organizations analyze Internet services to gather information and track their steps. Yet even within cybersecurity, not every expert focuses on DNS and domain services, and on the wealth of information they hold, when it comes to digital forensics.

How can I perform a domain name and DNS forensic analysis?

There are several ways to run a DNS forensic analysis. In our earlier Top 20 OSINT Tools article we covered several tools for gathering intel about any target, but we didn’t focus on a service as critical as DNS.

While a few of the tools mentioned there can help you gather some domain information, DNS forensic analysis is usually done with dedicated tools such as DNSRecon, DNSTracer or DNSMap. These are useful in specific cases, but they can be time-consuming, and in cybersecurity every second matters. Gathering the required information with them can take days or even weeks, and then you need more time to combine their results. It gets worse when you investigate more than one actor, or when multiple services and domain names are involved.

When you are performing a domain name and DNS audit there are key areas to explore, such as:

  • Analyze DNS records such as NS, MX and A records
  • Perform record enumeration
  • Discover all associated subdomains
  • Explore PTR (reverse DNS) records
  • Check the history of DNS records
  • Verify whether the domain uses WHOIS privacy protection
  • Check the WHOIS domain history
  • Find associated domains behind an email address
  • Find associated domains through IP neighbors
  • Discover current and past web hosting providers
  • Identify current and past DNS servers

Let’s see how you can strengthen your forensic and security auditing work with the SecurityTrails platform, which combines the capabilities of the well-known DNS tools mentioned above, and more.

Analyze current and historical DNS records

  • Open up securitytrails.com in your browser
  • Enter any domain name, e.g. microsoft.com
  • That will show you the current DNS records
  • Click on “Historical Data” to discover the historical DNS records

DNS Historical Data

Historical DNS data can help you discover other interesting details about the current hosting provider, and tell you who the past web hosting providers were as well. This becomes especially useful when you need to track down proxy-protected domains like the ones behind Cloudflare for example, as we covered in the article: Finding the IP address of a website behind Cloudflare.

List subdomains

Discovering all the subdomains behind a domain name is one of the key tasks of a DNS audit. In the next example, you’ll notice how our platform gathers all the known subdomains for a given domain, as we did here for oracle.com.

List Subdomains

If you’re using our API, the same list can be fetched with a simple curl command from any terminal:

curl --request GET \  
--url 'https://api.securitytrails.com/v1/domain/oracle.com/subdomains?apikey=your_api_key'

Replace your_api_key with your own API key. Keep in mind that a key passed as a query parameter ends up in your shell history and in any proxy or web-server logs along the way; the API also accepts the key in an APIKEY request header, which is the safer choice for scripts.
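As an added example (not SecurityTrails’ own client code), the following Python helper builds the same subdomains request with the key in the APIKEY header rather than the URL, and turns the response into full hostnames. The endpoint returns bare labels (“www”, “mail”), not FQDNs, so the parser joins them onto the apex and de-duplicates them. The payload shape used here is a constructed sample modelled on the v1 subdomains response; the `SECURITYTRAILS_KEY` environment variable is an assumption of this script, and the network call is only made when it is set.

```python
"""Small SecurityTrails v1 helper plus a parser for the subdomains response.
Added example, not SecurityTrails code; SAMPLE_PAYLOAD is constructed."""
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.securitytrails.com/v1"


def build_request(api_key: str, path: str) -> urllib.request.Request:
    """Build a GET request that carries the key in the APIKEY header.

    A key in the query string lands in shell history, proxy logs and
    web-server access logs; a header keeps it out of all of them.
    """
    return urllib.request.Request(
        API_BASE + path,
        headers={"APIKEY": api_key, "Accept": "application/json"},
        method="GET",
    )


def fetch_json(request: urllib.request.Request, timeout: int = 30) -> dict:
    """Send the request and decode the JSON body (network call)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


def subdomain_path(domain: str) -> str:
    """Path of the subdomains endpoint, with the domain normalised and URL-encoded."""
    return f"/domain/{urllib.parse.quote(domain.strip().lower())}/subdomains"


def subdomains_to_fqdns(domain: str, payload: dict) -> list:
    """The endpoint returns bare labels ("www", "mail"), not full hostnames.

    Join each label onto the apex, normalise case, drop duplicates and sort so
    the list can be resolved, scanned or diffed against an earlier snapshot.
    """
    apex = domain.strip(".").lower()
    fqdns = set()
    for label in payload.get("subdomains", []):
        label = label.strip(".").lower()
        if label:
            fqdns.add(f"{label}.{apex}")
    return sorted(fqdns)


def new_since(previous: list, current: list) -> list:
    """Hostnames present now but absent from an earlier snapshot: look at these first."""
    return sorted(set(current) - set(previous))


# Constructed payload in the shape of the v1 subdomains response (not real data).
SAMPLE_PAYLOAD = {
    "endpoint": "/v1/domain/example.com/subdomains",
    "subdomain_count": 4,
    "subdomains": ["www", "mail", "Dev", "www"],
}
# Constructed earlier snapshot, to show the diff.
LAST_WEEK = ["mail.example.com", "www.example.com"]

if __name__ == "__main__":
    import os

    hosts = subdomains_to_fqdns("example.com", SAMPLE_PAYLOAD)
    print("\n".join(hosts))
    print("new since last snapshot:", new_since(LAST_WEEK, hosts))
    key = os.environ.get("SECURITYTRAILS_KEY")  # assumed variable name
    if key:  # only touches the network when a key is supplied
        live = fetch_json(build_request(key, subdomain_path("oracle.com")))
        print(len(subdomains_to_fqdns("oracle.com", live)), "subdomains for oracle.com")
```

Feeding the FQDN list into a resolver or comparing it against last week’s snapshot is where the forensic value lies: a subdomain that appears right before a phishing wave is usually the one to pull DNS and WHOIS history for.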

Discover IP neighbors

The IP neighbors discovery tool allows you to identify the hosting neighbors for a specific IP address.

How can I find IP neighbors for any IP address? Follow these steps:

  • Go to securitytrails.com
  • Enter any IP address, e.g. 8.8.8.8
  • Click on “IP Neighbors”
  • Click on the IP you want to explore and wait for the results

You should be able to see which domains are hosted on the same IP address, as you see in the following screenshot:

Discover IP neighbors

Associated Domains

You never know what you’ll find when you investigate a single domain name, especially once you start fetching its associated domains. More often than not you will be able to pull up not only the details of the bad guy’s main domain name but all of their associated domains as well.

This can be done using our API as you can see here:

curl --request GET \  
--url 'https://api.securitytrails.com/v1/domain/google.com/associated?apikey=your_api_key'

List domains by Email

Another way to get associated domains is to filter by email address in our main interface. The platform also lets you discover which email addresses are associated with any domain name. Simply enter an email address to see how many domains are related to it; see the example below:

List domains by Email address

Domain History API

The Domain Historical WHOIS endpoint can help you identify current and past DNS servers, as well as personal or corporate registrant data. This is really useful for tracking WHOIS changes across any timeline. Because the API is plain HTTPS and JSON, you can call it from any language with an HTTP client; in this case we’ll use Ruby to show how a task as involved as fetching the WHOIS history can be performed with the Domain History API; see below:

require 'uri'  
require 'net/http'  
require 'json'  

url = URI("https://api.securitytrails.com/v1/history/symantec.com/whois?apikey=your_api_key")  

http = Net::HTTP.new(url.host, url.port)  
http.use_ssl = true # the API is served over HTTPS only  

request = Net::HTTP::Get.new(url)  
response = http.request(request)  

# Stop on an invalid key, an unknown domain or a rate limit (401/403/429)  
# instead of printing an error body that could be mistaken for data.  
raise "request failed: #{response.code} #{response.message}" unless response.is_a?(Net::HTTPSuccess)  

puts JSON.pretty_generate(JSON.parse(response.body))

This will display the full WHOIS history, which you can integrate into your daily forensic tasks:

{  
  "result": {  
    "items": [  
      {  
        "updatedDate": 1464160006589,  
        "tld": "com",  
        "status": [  
          "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",  
          "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",  
          "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",  
          "serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",  
          "serverTransferProhibited https://icann.org/epp#serverTransferProhibited",  
          "serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited"  
        ],  
        "started": 1472708410412,  
        "registrarName": "MARKMONITOR INC.",  
        "nameServers": [  
          "PDNS1.ULTRADNS.NET",  
          "PDNS2.ULTRADNS.NET",  
          "PDNS3.ULTRADNS.ORG",  
          "PDNS4.ULTRADNS.ORG",  
          "PDNS5.ULTRADNS.INFO",  
          "PDNS6.ULTRADNS.CO.UK",  
          "UDNS1.ULTRADNS.NET",  
          "UDNS2.ULTRADNS.NET"  
        ],  
        "expiresDate": 1763881606589,  
        "ended": 1512131429698,  
        "domain": "symantec.com",  
        "createdDate": 722588806589,  
        "contactEmail": "domains@symantec.com",  
        "contact": [  
          {  
            "type": "registrant",  
            "telephone": "16505278000",  
            "street1": "350 Ellis Street,",  
            "state": "CA",  
            "postalCode": "94043",  
            "organization": "Symantec Corporation",  
            "name": "Domain Manager",  
            "fax": "16505275693",  
            "email": "domains@symantec.com",  
            "country": "US",  
            "city": "Mountain View"  
          },  
          {  
            "type": "administrativeContact",  
            "telephone": "16505278000",  
            "street1": "350 Ellis Street,",  
            "state": "CA",  
            "postalCode": "94043",  
            "organization": "Symantec Corporation",  
            "name": "Domain Manager",  
            "fax": "16505275693",  
            "email": "domains@symantec.com",  
            "country": "US",  
            "city": "Mountain View"  
          },  
          {  
            "type": "administrativeContact",  
            "telephone": "16505278000",  
            "street1": "350 Ellis Street,",  
            "state": "CA",  
            "postalCode": "94043",  
            "organization": "Symantec Corporation",  
            "name": "Domain Manager",  
            "fax": "16505275693",  
            "email": "domains@symantec.com",  
            "country": "US",  
            "city": "Mountain View"  
          },  
          {  
            "type": "technicalContact",  
            "telephone": "16505278000",  
            "street1": "350 Ellis Street,",  
            "state": "CA",  
            "postalCode": "94043",  
            "organization": "Symantec Corporation",  
            "name": "Domain Manager",  
            "fax": "16505275693",  
            "email": "domains@symantec.com",  
            "country": "US",  
            "city": "Mountain View"  
          }  
        ]  
      },  
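Raw WHOIS history like the response above is only useful once you can see what changed and when. The following Python, added here as an example rather than taken from SecurityTrails, walks a history payload in chronological order and emits a dated change log for the fields an investigator cares about: registrar, name servers, registrant organization, contact email, and whether a privacy/proxy service has appeared in front of the registrant. It relies only on the field layout shown above (`started`/`ended` in epoch milliseconds, `nameServers`, `registrarName`, `contactEmail`, `contact[]`); the history records themselves are constructed for the example and are not real registrations, and the privacy detection is a keyword heuristic, not a definitive test.

```python
"""Turn a Domain History (WHOIS) response into a dated change log.
Added example, not SecurityTrails code; SAMPLE_HISTORY is constructed."""
from datetime import datetime, timezone

# Words that commonly show up in registrant data once a WHOIS privacy or proxy
# service fronts the real owner. A heuristic, extend as needed.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "protect", "whoisguard")


def ms_to_date(ms):
    """Epoch milliseconds -> YYYY-MM-DD (UTC); None means the record is still current."""
    if ms is None:
        return "present"
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")


def date_to_ms(day):
    """Inverse of ms_to_date; used here only to build the constructed sample."""
    return int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp() * 1000)


def registrant(item):
    return next((c for c in item.get("contact", []) if c.get("type") == "registrant"), {})


def uses_privacy(item):
    """True when registrant fields or the contact email look like a privacy/proxy service."""
    reg = registrant(item)
    fields = (reg.get("organization"), reg.get("name"), reg.get("email"), item.get("contactEmail"))
    blob = " ".join(str(v) for v in fields if v).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def snapshot(item):
    """The fields worth comparing between two consecutive WHOIS records."""
    reg = registrant(item)
    return {
        "registrar": (item.get("registrarName") or "").upper(),
        "nameservers": tuple(sorted(ns.lower() for ns in item.get("nameServers", []))),
        "registrant_org": reg.get("organization"),
        "contact_email": (item.get("contactEmail") or "").lower(),
        "privacy": uses_privacy(item),
    }


def whois_changes(payload):
    """Walk the history chronologically and record every field that changed.

    A registrar or name-server change shortly before a campaign, or privacy
    protection appearing on a previously open record, is exactly the kind of
    event an investigator wants dated.
    """
    items = sorted(payload["result"]["items"], key=lambda i: i["started"])
    changes = []
    for prev, cur in zip(items, items[1:]):
        before, after = snapshot(prev), snapshot(cur)
        for field in before:
            if before[field] != after[field]:
                changes.append({"date": ms_to_date(cur["started"]), "field": field,
                                "from": before[field], "to": after[field]})
    return changes


def _item(start, end, registrar, nameservers, org, email):
    """Build one constructed history record in the layout of the WHOIS endpoint."""
    contact = {"type": "registrant", "organization": org, "name": "Domain Manager", "email": email}
    return {"domain": "example.com", "started": date_to_ms(start),
            "ended": None if end is None else date_to_ms(end), "registrarName": registrar,
            "nameServers": nameservers, "contactEmail": email, "contact": [contact]}


# Constructed history (not real data), deliberately out of order to show the sort.
SAMPLE_HISTORY = {"result": {"items": [
    _item("2020-03-01", None, "Other Registrar Ltd", ["NS1.OTHER-DNS.EXAMPLE", "NS2.OTHER-DNS.EXAMPLE"],
          "Privacy Protection Service", "abuse@privacy-proxy.example"),
    _item("2015-01-01", "2018-06-15", "Example Registrar, LLC", ["NS1.EXAMPLE-DNS.NET", "NS2.EXAMPLE-DNS.NET"],
          "Example Corp", "domains@example.com"),
    _item("2018-06-15", "2020-03-01", "Example Registrar, LLC", ["NS1.OTHER-DNS.EXAMPLE", "NS2.OTHER-DNS.EXAMPLE"],
          "Example Corp", "domains@example.com"),
]}}

if __name__ == "__main__":
    for change in whois_changes(SAMPLE_HISTORY):
        print(f"{change['date']}  {change['field']:14} {change['from']!r} -> {change['to']!r}")
```

Run against a real response, the same function dates every name-server move and registrar transfer, and flags the moment a domain went behind WHOIS protection, which answers two of the audit questions from the list at the top of this post in one pass.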

DNS History API

The DNS Record History endpoint gives you full access to current and historical data about the DNS records of any given domain name.

It can be accessed through the SecurityTrails online DNS explorer tool, or through the API, which you can call from any language with an HTTP client, such as Node.js, PHP or Python.

Fetching DNS History with Python is pretty easy; see below:

import requests  

url = "https://api.securitytrails.com/v1/history/microsoft.com/dns/a"  
querystring = {"apikey": "your_api_key"}  

response = requests.get(url, params=querystring, timeout=30)  
response.raise_for_status()  # stop on 401/403/429 instead of printing an error body  
print(response.text)

The result will be something like:

{  
  "type": "a/ipv4",  
  "records": [  
    {  
      "values": [  
        {  
          "ip_count": 428,  
          "ip": "23.96.52.53"  
        },  
        {  
          "ip_count": 430,  
          "ip": "23.100.122.175"  
        },  
        {  
          "ip_count": 427,  
          "ip": "191.239.213.197"  
        },  
        {  
          "ip_count": 428,  
          "ip": "104.43.195.251"  
        },  
        {  
          "ip_count": 434,  
          "ip": "104.40.211.35"  
        }  
      ],  
      "type": "a",  
      "organizations": [  
        "Microsoft Corporation"  
      ],  
      "last_seen": null,  
      "first_seen": "2015-11-19"  
    },  

You can also use curl from the command line if you prefer:

curl --request GET \  
--url 'https://api.securitytrails.com/v1/history/microsoft.com/dns/a?apikey=your_api_key'
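The A-record history response is the raw material for the two questions raised earlier on this page: who hosted the domain over time, and what sat behind it before it moved behind a proxy such as Cloudflare. As an added example (not SecurityTrails’ code), the following Python turns a response in the layout shown above (`records[]` with `values[].ip`, `organizations`, `first_seen`, `last_seen`) into a chronological hosting timeline, lists the dates on which the owning organization changed, and picks the most recent record set not attributed to a CDN/proxy as the likely origin. The payload is constructed with RFC 5737 documentation addresses, not real resolutions, and the proxy list is a keyword heuristic you would extend for your own cases.

```python
"""Turn a DNS History (A record) response into a hosting timeline and a list
of provider changes. Added example, not SecurityTrails code; SAMPLE_HISTORY is
constructed from TEST-NET addresses."""

# Organisations that front other people's origins; records attributed to them
# describe the proxy, not the real host. Heuristic, extend as needed.
PROXY_MARKERS = ("cloudflare", "akamai", "fastly", "incapsula", "sucuri")


def hosting_timeline(payload):
    """Chronological rows of first_seen, last_seen, ips and organizations."""
    rows = []
    for rec in payload.get("records", []):
        rows.append({
            "first_seen": rec["first_seen"],
            "last_seen": rec.get("last_seen") or "present",  # null means still live
            "ips": sorted(v["ip"] for v in rec.get("values", [])),
            "organizations": sorted(rec.get("organizations") or []),
        })
    return sorted(rows, key=lambda r: r["first_seen"])


def provider_changes(timeline):
    """Dates on which the set of owning organisations changed, i.e. host migrations."""
    changes = []
    for prev, cur in zip(timeline, timeline[1:]):
        if prev["organizations"] != cur["organizations"]:
            changes.append({"date": cur["first_seen"], "from": prev["organizations"],
                            "to": cur["organizations"]})
    return changes


def is_proxied(row):
    """True when any owning organisation matches a known CDN/proxy marker."""
    return any(m in org.lower() for org in row["organizations"] for m in PROXY_MARKERS)


def origin_candidates(timeline):
    """Most recent record set not attributed to a CDN/proxy, or None.

    When a domain moves behind Cloudflare, the A records it published just
    before the move frequently still point at the origin server; that is the
    pivot used to find the IP behind the proxy.
    """
    for row in reversed(timeline):
        if row["organizations"] and not is_proxied(row):
            return row
    return None


# Constructed response (RFC 5737 addresses), given out of order to show the sort.
SAMPLE_HISTORY = {
    "type": "a/ipv4",
    "records": [
        {"type": "a", "first_seen": "2019-08-10", "last_seen": None,
         "organizations": ["Cloudflare, Inc."],
         "values": [{"ip": "192.0.2.2", "ip_count": 40}, {"ip": "192.0.2.1", "ip_count": 41}]},
        {"type": "a", "first_seen": "2015-11-19", "last_seen": "2017-02-01",
         "organizations": ["Example Hosting LLC"],
         "values": [{"ip": "203.0.113.10", "ip_count": 120}, {"ip": "203.0.113.11", "ip_count": 118}]},
        {"type": "a", "first_seen": "2017-02-01", "last_seen": "2019-08-10",
         "organizations": ["Other Cloud Inc"],
         "values": [{"ip": "198.51.100.5", "ip_count": 300}]},
    ],
}

if __name__ == "__main__":
    tl = hosting_timeline(SAMPLE_HISTORY)
    for row in tl:
        print(f"{row['first_seen']} .. {row['last_seen']:10} {', '.join(row['ips']):28} "
              f"{', '.join(row['organizations'])}")
    for ch in provider_changes(tl):
        print(f"{ch['date']}: {ch['from']} -> {ch['to']}")
    origin = origin_candidates(tl)
    print("likely origin before the proxy:", origin["ips"] if origin else None)
```

Treat the origin candidate as a lead, not a finding: confirm it by requesting the site directly from that IP with the right Host header, and check the organisation of the address in the IP neighbors view before drawing conclusions.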

Summary

There’s one thing we all know: cyber criminals can’t commit Internet crime without DNS and domain names.

And while specific tools for DNS and domain investigation can be useful for forensic and auditing tasks, the SecurityTrails toolkit is the most effective option for gathering and combining all of the required information, with fast results. It will take your cyber intelligence and data gathering to the next level.

Our powerful, centralized platform will allow you to trace every step of bad guys trying to stay under the radar, but who have unwittingly left their tracks on the way.


Are you ready to empower your domain and DNS forensics work? Grab a free API account to automate all your infosec daily tasks.