
SecurityTrails Blog · Dec 18 2018 · SecurityTrails team

What is Passive DNS? And Why Should You Use a Passive DNS API?


Cybersecurity attacks and network threats are on the rise every year. Even if you’re not aware of it, the bad guys are always lurking in the background, looking for ways to attack your web server, DNS infrastructure and domain names.

As seen in our Types of DNS Attacks blog post, the DNS system hasn’t proven itself as the most effective Internet service in terms of security (cache poisoning, hijacking, hard DRDOS mitigation, etc.). Even with today’s DNSSEC and other modern DNS attack prevention technologies, many people in the cybersecurity community think that the DNS service remains insecure by default.

Due to increasing risks and the enduring weaknesses of the DNS ecosystem, we’ve built the core passive DNS intelligence security technology that powers all our tools and products. But we’re aware that many of you haven’t heard about passive DNS. That’s why today we’ll explain this fascinating component that powers our SecurityTrails toolkit.

What is Passive DNS?

Unlike traditional DNS, a real-time system in which resolvers query DNS servers to translate hostnames into IP addresses, passive DNS works the other way around: instead of answering lookups, it records the answers those lookups produce.

This means that there is always a DNS database storing the DNS records, lookups and stats about everything related to the domains, servers and IP addresses involved in the common DNS communications. This information is saved in a safe database for later analysis, which converts the live DNS results into passive DNS data.

Before passive DNS existed, there was no way to get the full historical records of any DNS zone in the world unless you had set up your own DNS tracking system for your domain names, something rarely done by system administrators.

That era saw another disadvantage: once the DNS record was modified and after a few hours of DNS propagation, there was no way to recover your old DNS record values.

Thanks to Florian Weimer and his “Passive DNS replication” concept introduced in 2005, today’s Internet has many passive DNS-based tools that can help us analyze our DNS record history and check for old IP records and domain names, among other things.

While this technology’s initial intentions were mainly focused on preventing malware and avoiding trademark issues, phishing and email policy violations, almost 15 years later there are a lot of new ways to exploit the full potential of passive DNS.

Thanks to the HTTP client libraries present in most modern programming languages, you can now integrate passive DNS data into your own fully automated tooling for quick and instant analysis.

Top 9 reasons to use a Passive DNS API

Let’s take a look at how you can use our SecurityTrails passive DNS API to get the most out of this helpful technology.

Detect phishing domains

Having a passive DNS API in your own hands enables you to detect phishing domains easily.

At SecurityTrails you can choose to launch manual queries to detect phishing by using our web-based interface at SecurityTrails, or by using our free API plan.

Companies worldwide use our passive DNS API to run automated checks that detect phishing domains as well as trademark abuse.

Real-life example: did you know that the “Adidas” brand is mentioned in 23,254 domain names? As you can guess, a big portion of those domain names are not official, but fake and illegal businesses making money from the “Adidas” brand, and in some cases phishing domain names.

Fake Adidas domains

Learn more about this topic from our previous article: Finding Phishing Domains.

Browse your domain DNS history

One of the main goals of utilizing DNS history is to enable you to access offline DNS records for later analysis.

With a passive DNS API, you can analyze your old DNS records, check for new values, compare differences, find possible attack vectors and much more.

Historical DNS records are especially useful when you need to recover lost DNS records after deleting any value in your DNS server.

We have tons of historical DNS data for the following records:

  • A
  • AAAA
  • MX
  • NS
  • SOA
  • TXT

In this example, we started using our historical DNS data for the facebook.com domain name and found a lot of changes in the past years for all of their records. Take a look at this screenshot:

Historical facebook.com DNS data

You can do the same by using our API or online app to investigate any domain name in the world.
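The two uses this section describes, comparing old and new record values and recovering a value that was deleted, are easy to automate once the history has been fetched. The following is an added example, not SecurityTrails code: it assumes the history has already been reduced to a newest-first list of snapshots of the form {"first_seen": date, "<type>": [values]}, with constructed sample data using RFC 5737 test addresses.

```python
"""Diff historical DNS snapshots and list values that could be restored.

Added example, not SecurityTrails code. The snapshot shape used here is an
assumption for the example, not the API's response format.
"""
from typing import Dict, List, Set

Snapshot = Dict[str, object]

# Constructed sample history for example.com, newest first (RFC 5737 test addresses).
HISTORY: List[Snapshot] = [
    {"first_seen": "2018-12-01", "a": ["203.0.113.10", "203.0.113.11"],
     "mx": ["10 mail.example.com"]},
    {"first_seen": "2018-06-01", "a": ["203.0.113.10", "198.51.100.5"],
     "mx": ["10 mail.example.com", "20 mail2.example.com"]},
    {"first_seen": "2017-01-15", "a": ["198.51.100.5"],
     "mx": ["20 mail2.example.com"]},
]

# The record types the post says history is kept for.
RECORD_TYPES = ("a", "aaaa", "mx", "ns", "soa", "txt")


def values(snapshot: Snapshot, rtype: str) -> Set[str]:
    """Set of values a snapshot holds for one record type (empty if the type is absent)."""
    return set(snapshot.get(rtype, []))  # type: ignore[arg-type]


def diff_snapshots(older: Snapshot, newer: Snapshot) -> Dict[str, Dict[str, Set[str]]]:
    """Per record type, report which values were added and which were removed."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for rtype in RECORD_TYPES:
        before, after = values(older, rtype), values(newer, rtype)
        if before != after:
            report[rtype] = {"added": after - before, "removed": before - after}
    return report


def timeline(history: List[Snapshot]) -> List[Dict[str, object]]:
    """Walk a newest-first history and emit one event per consecutive pair that differs."""
    events: List[Dict[str, object]] = []
    for newer, older in zip(history, history[1:]):
        changes = diff_snapshots(older, newer)
        if changes:
            events.append({"date": newer["first_seen"], "changes": changes})
    return events


def recoverable_values(history: List[Snapshot], rtype: str) -> Set[str]:
    """Values present in some earlier snapshot but missing from the current one.

    These are the candidates to restore after an accidental deletion; they still
    need a human to decide which ones are actually wanted back."""
    current = values(history[0], rtype)
    seen: Set[str] = set()
    for snapshot in history[1:]:
        seen |= values(snapshot, rtype)
    return seen - current


if __name__ == "__main__":
    for event in timeline(HISTORY):
        print(event["date"], event["changes"])
    print("A values recoverable from history:", recoverable_values(HISTORY, "a"))
```

An unexpected entry in the "added" set of an A or NS record is the kind of change worth alerting on, since a hijack shows up in history exactly like a legitimate migration does.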

Improve your email reputation

Did you know that your email reputation relies heavily on your DNS server in order to work properly? Most people don’t know this, but having misconfigured DNS records may end up costing you money. How does this happen?

In order to reach the inbox of the remote server, not only is the email content important, but also a proper DNS record setup. Let’s get familiar with a few critical technical standards.

DKIM records: DKIM, also known as DomainKeys Identified Mail, is one of the most popular email authenticity methods available. It’s widely used by most modern email providers like Gmail, Yahoo and Hotmail, and it validates the authenticity of email messages this way: the sending server signs each message with a private key, and the receiving mail server verifies that signature using the public key published in the sender’s DNS.

SPF records: SPF (Sender Policy Framework) records are used to indicate to MX servers (mail exchangers) which hosts are authorized to send mail for a domain. If you’re serious about reaching the inbox, you must set up an SPF.

DMARC records: To many, DMARC is one of the least familiar email authentication mechanisms. It’s based on DKIM and SPF standards and can help you prevent fraudulent activity by ensuring that the domain sending the email is indeed the entity they claim to be.

Marketing company email, digital marketing campaigns, newsletters and corporate email must be sent with all these records present in your DNS zone.

Of all the DNS records mentioned, the most important is the SPF. Fortunately, you can check for your SPF record setup by using our API or web toolkit, as shown in the following screenshot:

SPF records
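Once you have pulled the SPF TXT record through the API, the next question is whether it actually protects you. The checker below is an added example, not a SecurityTrails tool: it parses the record text only, so the DNS-lookup count it reports is an upper bound computed from the terms themselves (the 10-lookup limit comes from RFC 7208, not from this post), and the sample records are constructed.

```python
"""Sanity-check an SPF TXT record before relying on it for email reputation.

Added example, not a SecurityTrails tool. Syntax-only: include:/a/mx targets
are not resolved, so the lookup count is an upper bound from the text alone.
"""
import re

# RFC 7208 terms that each cost a DNS lookup; the RFC caps them at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed sample records (not fetched from DNS).
SAMPLES = {
    "good": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net mx -all",
    "permissive": "v=spf1 a mx include:_spf.example.net +all",
    "too_many_lookups": "v=spf1 " + " ".join(f"include:spf{i}.example.org" for i in range(11)) + " ~all",
    "not_spf": "google-site-verification=abc123",
}


def parse_spf(record: str):
    """Split an SPF record into its terms, rejecting anything that is not version 1."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return terms[1:]


def check_spf(record: str) -> dict:
    """Return what a mail admin acts on: the 'all' qualifier, lookup count and problems."""
    findings = {"valid": True, "all_qualifier": None, "lookups": 0, "problems": []}
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        findings["valid"] = False
        findings["problems"].append(str(exc))
        return findings

    for term in terms:
        # A missing qualifier means "+" (pass) per RFC 7208.
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        # The mechanism name ends at the first ':' '=' or '/' (include:x, redirect=x, a/24).
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            findings["lookups"] += 1
        if name == "all":
            findings["all_qualifier"] = qualifier

    if findings["all_qualifier"] is None:
        findings["problems"].append("no 'all' mechanism: unlisted senders evaluate neutral, not fail")
    elif findings["all_qualifier"] == "+":
        findings["problems"].append("'+all' authorises every host on the Internet to send as this domain")
    if findings["lookups"] > MAX_LOOKUPS:
        findings["problems"].append(
            f"{findings['lookups']} lookup terms exceed the RFC 7208 limit of {MAX_LOOKUPS}; "
            "receivers return permerror")
    return findings


if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, check_spf(record))
```

The "+all" and missing "all" cases matter most: both leave a domain open to being spoofed while still looking like it "has SPF", which is why a check of the record’s content, not just its presence, belongs in a DNS audit.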

Explore subdomains

Have you ever wondered how many subdomains facebook.com has? Or maybe yahoo.com? With our passive DNS database, you can explore the subdomains for any domain in the world.

Facebook's subdomains

At the time of this writing, Facebook seems to have around 2056 subdomains.

We’ve explored many subdomains from popular companies in the past. If you’re interested in what you’ll find, check out these posts:

You’ll be surprised at how much intel and interesting information you can find by exploring each subdomain. Sometimes you’ll find test (and vulnerable) areas of the website, development stuff, etc.

Remember, all these factors can be used against you by remote attackers. That’s why exploring your online subdomains should be a substantial part of your DNS Audit.

WHOIS history

When you mix the power of passive DNS records with WHOIS history, you’d never imagine the results that can come out of your security research.

By using the WHOIS history you’ll be able to correlate data from the passive DNS records database.

You’ll see when they changed their WHOIS information, who their previous technical contact was, identify the administrative and general contacts and discover their name servers—a pretty important detail that may reveal even more important information, such as the hosting provider.

Combining passive DNS API and WHOIS history has proven to be an excellent way to investigate security cases, as we did in the Backpage.com Seizure by the FBI, and also when webstresser.org was seized by the United States Department of Defense.

Associated domains

Finding associated domains is easy when you have as huge a domain database as we do. We keep track of around 500 million domain names (and the list is growing every second).

By combining server IP information extracted from the passive DNS database with historical WHOIS database records, we can generate huge associated domains lists like no other.

Fortunately, this feature is available through simple API syntax. Check out this example using the curl command:

curl --request GET --url 'https://api.securitytrails.com/v1/domain/facebook.com/associated?apikey=your_api_key'

In our case, we query facebook.com and filter the output with grep to keep only the hostnames:

[research@securitytrails.com ~]$ curl --request GET --url 'https://api.securitytrails.com/v1/domain/facebook.com/associated?apikey=your_api_key' | grep hostname -i
"hostname": "facebook.com",
"hostname": "whatsapp.com",
"hostname": "messenger.com",
"hostname": "cdninstagram.com",
"hostname": "fbsbx.com",
"hostname": "oculus.com",
"hostname": "accountkit.com",
"hostname": "facebookbrand.com",
"hostname": "crowdtangle.com",
"hostname": "atdmt.com",
"hostname": "thefacebook.com",
"hostname": "instagram-press.com",
"hostname": "instagram-brand.com",
"hostname": "facebookmarketingpartners.com",
"hostname": "momentsapp.com",
"hostname": "atlassolutions.com",
"hostname": "hhvm.com",
"hostname": "facebook.net",
"hostname": "freebasics.com",
"hostname": "facebookdevelopers.com",
"hostname": "facebookawards.com",
"hostname": "parse.com",
...

This is just a tiny portion of the power of the associated domains API endpoint, which can be really helpful when you are performing any kind of domain, WHOIS and IP research.
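The curl-and-grep pipeline above is fine for a quick look, but in automation you want the same thing as a small client that parses the JSON instead of grepping it. The following is an added example, not SecurityTrails’ own client: the endpoint URL and the APIKEY header are the ones shown in this post, while the response shape (a top-level "records" list whose items carry a "hostname") is assumed from the grep output and should be confirmed against the API documentation. The sample response is constructed.

```python
"""List associated domains through the SecurityTrails API.

Added example, not SecurityTrails' own client. Endpoint and APIKEY header are
taken from the post; the "records"/"hostname" response shape is an assumption.
"""
import json
import os
import urllib.request
from typing import List

API_BASE = "https://api.securitytrails.com/v1"


def build_request(domain: str, api_key: str) -> urllib.request.Request:
    """Build the GET request, sending the key in a header rather than the query
    string so it does not end up in shell history, proxy logs or access logs."""
    url = f"{API_BASE}/domain/{domain}/associated"
    return urllib.request.Request(url, headers={"APIKEY": api_key, "Accept": "application/json"})


def extract_hostnames(response: dict) -> List[str]:
    """Pull the hostname of every record, de-duplicated, keeping order of appearance."""
    hostnames: List[str] = []
    for record in response.get("records", []):
        hostname = record.get("hostname")
        if hostname and hostname not in hostnames:
            hostnames.append(hostname)
    return hostnames


def fetch_associated(domain: str, api_key: str) -> List[str]:
    """Call the API (network access required) and return the associated hostnames."""
    with urllib.request.urlopen(build_request(domain, api_key), timeout=30) as resp:
        return extract_hostnames(json.load(resp))


# Constructed sample response in the assumed shape, reusing hostnames from the post's output.
SAMPLE_RESPONSE = json.loads("""
{"records": [
  {"hostname": "facebook.com"},
  {"hostname": "whatsapp.com"},
  {"hostname": "messenger.com"},
  {"hostname": "whatsapp.com"}
]}
""")

if __name__ == "__main__":
    # With SECURITYTRAILS_API_KEY set (assumed variable name) the live API is queried;
    # otherwise the constructed sample is parsed so the script runs offline.
    key = os.environ.get("SECURITYTRAILS_API_KEY")
    hosts = fetch_associated("facebook.com", key) if key else extract_hostnames(SAMPLE_RESPONSE)
    print("\n".join(hosts))
```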

Find open ports

As we all know, scanning open ports is one of the first steps taken when you’re in the process of performing a full reconnaissance and intel gathering research.

We’ve mentioned Nmap as one of the most popular port scanners in the world; in fact, we also wrote a full Nmap Command Examples guide for infosec beginners, but that’s not the only way to look up open ports.

You don’t need to rely on manual port scans to detect popular open ports like 21, 22, 80 or 443. Thanks to passive DNS data and our modern port scanning capabilities, we’re able to show you an open ports report via API for all your queries.

Open ports report

This feature is fully available in our SurfaceBrowser product, which combines passive DNS data with our proprietary security toolkit.

Fetch IP subnet information

Using our IP Explorer API endpoint can help you retrieve useful information about any IP range.

It’s helpful not only for knowing your IP neighbors, but also for getting full IP subnet information for any given input.

Just include a specific IP address or subnet range and our API will do all the magic for you.

Take a look at the following example using the curl command:

[research@securitytrails.com ~]$ curl -s --header "APIKEY:$APIKEYHERE" 'https://api.securitytrails.com/v1/explore/ip/31.13.0.0?mask=16' | jq -C

Make sure you replace the variable $APIKEYHERE with your real API key. In this case, we launched our request against 31.13.0.0/16 and formatted the data with the jq command.

The expected output should show you something like this:

[research@securitytrails.com ~]$ curl -s --header "APIKEY:$APIKEYHERE" 'https://api.securitytrails.com/v1/explore/ip/31.13.0.0?mask=16' | jq -C

{
"endpoint": "/v1/explore/ip/31.13.0.0",
"blocks": [
{
"sites": 34,
"ip": "31.13.0.0/20",
"current": true
},
{
"sites": 128,
"ip": "31.13.16.0/20"
},
{
"sites": 130,
"ip": "31.13.32.0/20"
},
{
"sites": 98,
"ip": "31.13.48.0/20"
},
{
"sites": 12208,
"ip": "31.13.64.0/20"
},

Run PTR lookups

Passive DNS datasets also allow you to check out PTR stats over time. Our powerful DNS API will help you identify PTR records for any domain name.

curl --request POST --url https://api.securitytrails.com/v1/ips/stats --header "apikey:$YOURAPIKEY" --header 'content-type: application/json' --data '{"query": "ptr_part = '\''amazon.com'\''"}'

This query will return the top PTR patterns for the amazon.com domain name (note that the apikey header is double-quoted so the shell expands $YOURAPIKEY):

[research@securitytrails.com ~]$ curl --request POST --url https://api.securitytrails.com/v1/ips/stats --header "apikey:$YOURAPIKEY" --header 'content-type: application/json' --data '{"query": "ptr_part = '\''amazon.com'\''"}'
{
"top_ptr_patterns": [
{
"key": "#-#.amazon.com",
"count": 6787
},
{
"key": "#-#-#-#.amazon.com",
"count": 3254
},
{
"key": "smtp-out-#-#.amazon.com",
"count": 662
},
{
"key": "freeip.amazon.com",
"count": 220
},
{
"key": "ns-#.amazon.com",
"count": 47
},
{
"key": "www.amazon.com",
"count": 44
},
{
"key": "lux#-br-dcr-r#-ae#.amazon.com",
"count": 36
},
{
"key": "email#.amazon.com",
"count": 19
},
{
"key": "mm-retail-out-#.amazon.com",
"count": 19
},
{
"key": "s#-console-us-standard.console.aws.amazon.com",
"count": 19
},
{
"key": "lux#-br-agg-r#-ae#.amazon.com",
"count": 18
},
{
"key": "mm-notify-out-#-#.amazon.com",
"count": 17
},
{
"key": "sg-console-us-standard.console.aws.amazon.com",
"count": 15
},
{
"key": "mm-notify-out-#.amazon.com",
"count": 13
},
{
"key": "mm-retail-out-#-#.amazon.com",
"count": 13
}

In this case, we’re using the ptr_part query that matches the end of the ptr record, and it’s returning any ptr record ending with “amazon.com.” You can also use ptr query to match the full ptr record exactly.
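The "#-#.amazon.com" style keys above are PTR hostnames with their numeric parts collapsed, which is what makes the stats readable across thousands of reverse records. The following is an added example, not SecurityTrails’ implementation: it assumes the generalisation rule is "every run of digits becomes #" and that a ptr_part match means the record equals the suffix or is a subdomain of it, as this section describes. The sample PTR records are constructed.

```python
"""Generalise PTR hostnames into patterns and count them, as the ips/stats output does.

Added example, not SecurityTrails' implementation. Assumed rules: digit runs
become '#', and a record matches a ptr_part suffix when it equals the suffix or
ends with '.' + suffix.
"""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample PTR records (not real API data).
SAMPLE_PTRS = [
    "52-94.amazon.com",
    "54-239.amazon.com",
    "smtp-out-1-2.amazon.com",
    "smtp-out-3-4.amazon.com",
    "ns-1.amazon.com",
    "www.amazon.com",
    "www.amazon.com",
    "mail.notamazon.com",                    # must NOT match: different domain
    "ec2-1-2-3-4.compute-1.amazonaws.com",   # must NOT match: different domain
]


def matches_ptr_part(record: str, suffix: str) -> bool:
    """True when the record is exactly the suffix or a subdomain of it.

    A plain endswith() would also accept 'notamazon.com', so the label
    boundary (the dot) is required."""
    record, suffix = record.lower().rstrip("."), suffix.lower().rstrip(".")
    return record == suffix or record.endswith("." + suffix)


def ptr_pattern(record: str) -> str:
    """Collapse every run of digits into '#', e.g. 'smtp-out-1-2.amazon.com' -> 'smtp-out-#-#.amazon.com'."""
    return re.sub(r"\d+", "#", record.lower().rstrip("."))


def top_ptr_patterns(records: List[str], suffix: str, limit: int = 10) -> List[Tuple[str, int]]:
    """Count patterns among records under the suffix, most common first, ties by name."""
    counts = Counter(ptr_pattern(r) for r in records if matches_ptr_part(r, suffix))
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))[:limit]


if __name__ == "__main__":
    for pattern, count in top_ptr_patterns(SAMPLE_PTRS, "amazon.com"):
        print(f"{count:6d}  {pattern}")
```

Running the same generalisation over your own reverse zone is a cheap way to spot a PTR that does not fit any expected naming pattern, which is often the first visible sign of an unmanaged or forgotten host.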

Conclusion

Passive DNS data is a valuable source of intelligence data that can help your IT team and security researchers run a deep analysis of your DNS, domain and IP records.

Using our passive DNS API is the easiest way to track domain name changes over time, recover lost DNS records, relate hostnames with IPs or individuals, track down phishing sites, spoofed domains and potential network threats that you never imagined existed.

SecurityTrails has built the most advanced passive DNS database in the world, allowing you to protect your organization with all the data you need—instantaneously.

Developed for use by single security researchers, mid-size companies and enterprise-grade customers, our products will help you discover and detect security issues before anyone else.

Along with our passive DNS API, our SurfaceBrowser and data enrichment Feeds will give you the ability to cross data about subdomains, DNS, SSL certificates and IP information, ultimately helping you correlate critical information about any company in the world.


Are you ready to unveil the real power of passive DNS data? Sign up for a free API key today!