The Domain Name System (DNS) points users to the right pages on the Internet when they key in website URLs into their browsers. It was notably built to help humans remember site addresses (using domain names) for easy access and turn these into IP addresses that computers use to identify where to go. That’s why the DNS came to be known as the Internet’s phone book. It tells users what numbers to dial to reach a person of interest.
All of the domains and their corresponding active IP address resolutions are stored momentarily in DNS servers. But what if you need to find out more about their past or “passive” resolutions?
There can also be lots of value (as this post will demonstrate) in accessing historical DNS records for certain domains or subdomains. Several domain and IP intelligence solutions, including https://reverse-ip.whoisxmlapi.com/database, pool such information over time in so-called “historical DNS databases.”
What Is a Historical DNS Database?
A historical DNS database is a repository of all the IP addresses that domains resolved to over time, depending on how long its vendor has been crawling the Web for DNS information, that is.
A historical DNS database focusing on A records can have three columns, which would usually contain the following information:
- First column: Domain name
- Second column: Date and time stamp in UNIX format, which can be converted to any time zone using a web service like Epoch Converter
- Third column: IP addresses each domain resolved to in our sample DNS database’s case
The details above are true for an A record DNS database that covers domain and IP resolutions. There are, however, several other types of historical DNS files that cover Canonical Name (CNAME), mail exchanger (MX), nameserver (NS), Start of Authority (SOA), and TXT DNS records.
How to Use a Historical DNS Database
Users can look for a domain’s IP resolutions by using the Find command on any spreadsheet application if the historical DNS database they downloaded is a comma-separated values (CSV) file.
Let’s say we wanted to find all of the IP addresses connected to the domain agroplantex[.]es. We downloaded a historical DNS database file for 26 July 2023 and queried it for the domain. According to the data, as of 2 July 2023 5:30:16 AM GMT, it resolved to four IP addresses, namely, 79[.]151[.]175[.]217, 79[.]159[.]210[.]122, 83[.]43[.]59[.]29, and 217[.]160[.]0[.]233.
Practical Uses of a Historical DNS Database
Historical DNS databases can be very useful in cybersecurity. We’ll discuss five specific applications below.
1. Mapping Out a Cybercriminal Infrastructure
Cybercriminals and attackers often have complex infrastructures for their malicious campaigns. They often don’t just use one computer or server, they tend to employ much more than that. Shutting their operation down, therefore, requires tracking down all their devices and blocking access to and from these or taking them down with the help of law enforcement agencies or cybersecurity organizations.
Doing that is sometimes possible with the help of a historical DNS database. Using the domains and IP addresses connected to a threat or an attack as query strings, you can find all other related domains and IP addresses to include them all in your blocklist and for a takedown.
Protecting your network against the malicious domain amazonblockchain[.]biz, for example, may require blocking or taking down the IP addresses 63[.]250[.]40[.]42, 69[.]49[.]230[.]157, 75[.]119[.]146[.]228, 95[.]111[.]249[.]234, 139[.]180[.]185[.]109, 157[.]90[.]243[.]193, 172[.]93[.]120[.]138, 192[.]119[.]162[.]131, and 199[.]192[.]28[.]172 as well.
2. Expanding a List of IoCs
Indicators of compromise (IoCs) that various cybersecurity companies publish are helpful for organizations that wish to stay protected from ongoing attacks.
Using IoC domains and IP addresses as query strings can help them find all connected web properties via a DNS database. Using the malicious IP address 34[.]98[.]99[.]30 from a list of IP addresses for blocking as a query string on a DNS database, for instance, would tell you it’s connected to the domain account-paypalinfo[.]com. That alone should tell you that apart from avoiding communications with 34[.]98[.]99[.]30, accessing account-paypalinfo[.]com is dangerous, too. In fact, account-paypalinfo[.]com is also dubbed “malicious.”
A malicious NS can also be included in a list of IoCs. In such a case, you can use an NS database to find connected properties that may require blocking as well.
3. Reducing Your Attack Surface
Threat actors will always try to compromise legitimate organizations’ networks and use their resources to evade detection and consequent blocking. Using legitimate domains in their attacks will reduce the chances that these will be blocked by cybersecurity solutions, after all. But you can prevent them from abusing your web properties (turning them into phishing sites or malware hosts) and using your devices (making them part of botnets) by identifying all your digital assets (identified by domains and IP addresses) aided by a historical DNS database.
CNAME, MX, NS, SOA, and TXT DNS databases can also be used to identify all your web properties that remain present in the DNS. All these need to be protected or pointed to the correct resources (your pages and not those that belong to threat actors who may have taken over them). Forgotten, unused, or dangling DNS records are susceptible to domain takeovers that could redirect users to malicious websites.
4. Enriching Your Cybersecurity Solutions
Using cybersecurity solutions, including anti-malware; security information and event management (SIEM); and security orchestration, automation, and response (SOAR), is definitely a must to ensure threat protection. But these may only cover identified threats (those that are part of published IoC lists).
Integrating a DNS database into these solutions can help you identify connected domains and IP addresses that may require blocking as well.
5. Conducting Third-Party Audits
In May 2023, the SecureLink and the Ponemon Institute report “A Crisis in Third-Party Remote Access Security” revealed that 44% of the organizations surveyed suffered from a breach in the past 12 months. And 74% of the victims cited giving too much privileged access to third parties as the reason for the compromise.
With that in mind, third-party risk assessment is a must for any company that wants to stay protected against a similar fate. Assessing your partners, suppliers, and other third parties before giving them access to your systems is possible by identifying their web properties first using a historical DNS database and making sure none of these are tagged “malicious” on blocklist sites. That should reduce your chances of letting malware, exploits, and other threats into your network.
A historical DNS database can be very useful for enhancing a company’s security posture. The five ways identified here and the examples show that. You can start enjoying the same benefits by subscribing to one to support your cybersecurity efforts.