DNSDB

The DNSDB® is built from Farsight Security’s Passive DNS data. In addition to the most recent information, DNSDB contains historical data going back to 2010. Farsight stores and indexes two types of data:

DNSDB makes it easy to find related domain names and IP addresses, assuming you have an initial domain name or IP address as a starting point. DNSDB can answer questions such as:

What is Passive DNS?

“Passive DNS” or “Passive DNS replication” is a technique invented by Florian Weimer in 2004 to opportunistically reconstruct a partial view of the data available in the global Domain Name System into a central database where it can be indexed and queried. During the initial collection stage, packets between DNS resolvers and authoritative DNS servers are collected together at a central processing point. There are many steps required to process passive DNS data into a cohesive DNS database that can be queried. For more information, see What is Passive DNS?.

Limitations of Regular DNS

“Regular” DNS is a one-way view. It only shows what’s currently configured for a particular domain or IP address. It doesn’t show many key relationships, nor does it provide a historical view. DNSDB “synthesizes” many latent or implicit DNS relationships, and thereby enables a broader range of queries. For example, DNSDB makes it possible to find virtually all the domains using the same name server. Or, given an IP address, DNSDB can tell a user all the hostnames that have historically been seen using that IP address. DNSDB can do these things and much more.

How Can DNSDB Be Used?

There are many ways that security teams can use DNSDB. Some ways include:

Why Does DNSDB Work?

The internet relies heavily on the DNS, and criminals are not exempt. DNSDB exploits the fact that cyber criminals share and reuse resources. This can include sharing nameservers or sharing IP addresses. Other times cyber criminals will obtain a consecutive range of IP addresses, so finding one will often let you locate additional bad addresses in the same network neighborhood or netblock. In this regard, criminal activity can leave footprints in DNS. Using DNSDB, investigators can follow those trails even after the criminals have covered their tracks in regular DNS.

DNSDB Access Methods

Farsight’s DNSDB can be accessed via:

This document focuses on DNSDB API. This datasheet does not cover DNSDB Export. For more information on these products, please contact Farsight.

DNSDB Capabilities and limits

Access to DNSDB can be licensed in a number of ways and access can be granted via a number of interfaces and tools. These licenses and tools have different capabilities and limits that a user needs to be aware of.

This table summarizes these capabilities and limits:

Trial Products

| Product | Quota | Maximum Results | Duration | Data Available | Rate Limit | Query Privacy |
|---|---|---|---|---|---|---|
| Maltego Free Queries | 12 per hour | 12 | N/A | 2010 to now | 12 per hour | No |

To inquire about a demonstration of DNSDB and an opportunity for a trial API key, please request a demonstration with Farsight’s sales team at https://www.farsightsecurity.com/request-demo/.

Subscription Products

| Product | Quota | Maximum Results | Duration | Data Available | Rate Limit | Query Privacy |
|---|---|---|---|---|---|---|
| Queries per Day (QPD) | 1K - Unlimited | 10K - 1M | 1 Year | 2010 to now | None | Yes |

DNSDB API

Farsight’s DNSDB API service can be accessed many different ways. Farsight supports key portability allowing customers to use their purchased key with many different tools. Access methods include:

| Delivery Method | Target Audiences |
|---|---|
| API for developers | Targets security application developers who can integrate DNSDB API into an existing application, or write their own front-end interface to DNSDB's API |
| Company-provided demo command line clients (dnsdbq, dnsdb_query.py, etc.) | Security, incident response, SOC, and research teams can easily leverage the power of DNSDB API without having to be a programmer |
| Third party software integrations (such as Splunk App and Maltego Transforms) | Provides a convenient way for analysts to easily/automatically enhance data managed by their favorite existing tools |

The DNSDB API for Developers

There are two versions of the DNSDB API developers can use:

System Requirements

DNSDB API can be accessed from any Internet-connected host. DNSDB API requires the ability to create a TLS-secured "https" RESTful connection. These connections can be established from software/systems of the user's choice.

Dependencies

As an API, there are very few absolute dependencies other than network access. DNSDB API is delivered via a RESTful HTTPS API and requires HTTPS access. Network connectivity issues, outbound firewalls, or air-gapped networks could prevent or limit access to the API server. Note: If an un-encrypted transport is required, DNSDB-Export is the only option.

Most of the dependencies for DNSDB are based on the client software integrating DNSDB. This can be anything from Splunk or Maltego integration tools, to a custom-built integration. Refer to specific dependencies and requirements for that software.

When working with the command line reference client, you must have a Unix shell. Each of the API command line clients has its own requirements for being installed.

Capacity Planning

Similar to dependencies, capacity planning for DNSDB is largely based on the client software integrating DNSDB. Capacity planning is determined by your use cases.

Additional Considerations

Refer to the capacity requirements for your associated software or platform and make sure there is enough additional CPU, RAM, and storage resources to run DNSDB queries and analyze the results.

Limitations

The following are limitations with DNSDB API:

DNSDB Company-provided Demo Command Line Clients

Company-provided demo command line clients are reference implementations of the DNSDB HTTP API. Output is compliant with the Passive DNS Common Output Format. Demo command-line-interface clients are provided in dnsdbq and Python:

| Implementation | Description | Required Prerequisites | Additional Information |
|---|---|---|---|
| dnsdbq | dnsdbq is one of the most feature-rich command line interfaces available for use with DNSDB API. | Linux, BSD, macOS; jansson; libcurl | dnsdbq |
| dnsdb_query.py (Python) | dnsdb_query.py is a Python client for the DNSDB HTTP API. It supports features such as sorting and setting the result limit parameter. It is also embeddable as a Python module. | Linux, BSD, macOS; Curl; Python 2.7.x | dnsdb_query.py |

Note: dnsdbq is the current name of what was previously called the dnsdb_query C client.
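The two pivots described under "Limitations of Regular DNS" (given an IP, every hostname historically seen on it; given a name server, every zone delegated to it) can be run directly over the Passive DNS Common Output Format that the demo clients above emit. This is an added example, not code from the page or from Farsight's clients; the records are constructed, and the handling of rdata as either a string or a list follows the COF draft.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in Passive DNS Common Output Format, one JSON
# object per line. These are made-up values, not real DNSDB data.
SAMPLE_COF = """\
{"rrname":"www.example.test.","rrtype":"A","rdata":"192.0.2.10","time_first":1262304000,"time_last":1640995200,"count":42,"bailiwick":"example.test."}
{"rrname":"mail.example.test.","rrtype":"A","rdata":"192.0.2.10","time_first":1293840000,"time_last":1609459200,"count":7,"bailiwick":"example.test."}
{"rrname":"example.test.","rrtype":"NS","rdata":"ns1.hoster.test.","time_first":1262304000,"time_last":1640995200,"count":300,"bailiwick":"test."}
{"rrname":"other.test.","rrtype":"NS","rdata":"ns1.hoster.test.","time_first":1420070400,"time_last":1640995200,"count":12,"bailiwick":"test."}
{"rrname":"shop.example.test.","rrtype":"CNAME","rdata":"www.example.test.","time_first":1500000000,"time_last":1640995200,"count":3,"bailiwick":"example.test."}
"""

def parse_cof(text):
    """Parse newline-delimited COF records, skipping blank lines.
    COF allows rdata to be a string or a list of strings; normalise to a list."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rdata = rec["rdata"]
        rec["rdata"] = rdata if isinstance(rdata, list) else [rdata]
        records.append(rec)
    return records

def pivot_by_rdata(records, rrtype):
    """Map each rdata value of the given rrtype to the sorted list of rrnames
    that have historically pointed at it (A -> hostnames on an IP,
    NS -> zones sharing a name server)."""
    seen = defaultdict(set)
    for rec in records:
        if rec["rrtype"] == rrtype:
            for value in rec["rdata"]:
                seen[value].add(rec["rrname"])
    return {value: sorted(names) for value, names in seen.items()}

def observation_window(records, rrname):
    """Return (first_seen, last_seen) as ISO-8601 UTC strings across every
    record for a name, or None if the name never appears in the data."""
    matches = [r for r in records if r["rrname"] == rrname]
    if not matches:
        return None
    first = min(r["time_first"] for r in matches)
    last = max(r["time_last"] for r in matches)
    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return iso(first), iso(last)
```

The observation window is the part regular DNS cannot give you: it shows when a name was first and last seen on the wire, not just what it resolves to today.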

Third Party Software Integration (Using the DNSDB API)

By augmenting an organization’s internal log data with real-time Internet DNS information, security teams will be better able to analyze threats and adversary infrastructure and capabilities. This will enable them to identify, detect, correlate and take action on the intelligence.

Farsight works with leading security platform partners to integrate Farsight solutions into their platforms. Some of the major platform integrations we support include Anomali, DomainTools, Maltego, IBM's Resilient system and Splunk. For a complete list of our third party integrations, please visit our Integrations page.

Application Examples

Using libcurl to make calls to the DNSDB API

Building a Demo GUI Front End for DNSDB API in Scala

Checking DNSDB by ASN

Additional Information

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.