Via its Newly Observed Domains services, Farsight Security® Inc. provides subscribers with the data needed to identify new domain names and to implement appropriate risk management policies for them while traditional network reputation services still know little about them.

Leveraging its real-time Passive DNS telemetry feed on the Security Information Exchange (SIE), and cross-referencing that data with its industry-leading DNSDB historical database, Farsight offers a range of data solutions under the Newly Observed Domains (NOD) brand that present subscribers with real-time actionable insights on youthful domain names.

Product Architecture

Farsight’s name detection software watches the stream of passive Domain Name System (DNS) data on SIE channel 202 and uses a Bloom filter to identify domain names that are likely to be newly active or never seen before. A second-stage lookup is then performed against the DNSDB database to check whether any historical entries match the domain. Based on the outcome, the domain name is emitted on either the Newly Active (SIE channel 211) or the Never Seen Before (SIE channel 212) channel, and is also stored in snapshot file formats that can be periodically downloaded.

Features and Benefits

Requirements

Service Delivery

Real-time observations are delivered via Farsight Security Information Exchange (SIE) as follows:

Snapshots of observations over a recent period of time are formatted using the rbldnsd file format and the RPZ file format and are delivered via rsync over ssh. These snapshots include a timestamp corresponding to when each domain in the snapshot was first seen.

Service Properties

Data Format

SIE/NMSG Schema

The SIE newdomain message type contains the following fields:

DOMAIN: The observed domain name
TIME_SEEN: The time at which the sensor first observed the domain
RRNAME: The query from which the domain was extracted
RRTYPE: The type of record data that was extracted
RDATA: The resource records in the observed response

DNSBL Schema

The DNSBL protocol parameters for Newly Observed Domains are as follows. The address returned for a listed domain encodes how long ago the domain was first observed:

0-5 minutes: 127.0.0.2
5-10 minutes: 127.0.0.3
10-30 minutes: 127.0.0.4
30-60 minutes: 127.0.0.5
1-3 hours: 127.0.0.6
3-12 hours: 127.0.0.7
12-24 hours: 127.0.0.8
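As an added example (not Farsight's code), the following Python maps a domain's age to the DNSBL answer from the table above and back, and applies a constructed mail-filter policy to that answer. It assumes the age buckets are half-open (a domain exactly 5 minutes old falls in the 5-10 minute bucket) and that domains older than 24 hours are no longer listed; both are assumptions, not statements from the page.

```python
from datetime import timedelta
from ipaddress import IPv4Address
from typing import Optional

# Upper bound of each age bucket in seconds and the DNSBL answer for it,
# taken from the table above. Buckets are treated as half-open ([0,5min),
# [5,10min), ...), which is an assumption about boundary handling.
NOD_BUCKETS = [
    (5 * 60, "127.0.0.2"),
    (10 * 60, "127.0.0.3"),
    (30 * 60, "127.0.0.4"),
    (60 * 60, "127.0.0.5"),
    (3 * 3600, "127.0.0.6"),
    (12 * 3600, "127.0.0.7"),
    (24 * 3600, "127.0.0.8"),
]


def code_for_age(age: timedelta) -> Optional[str]:
    """DNSBL answer for a domain first seen `age` ago; None when the domain
    is older than 24 hours and therefore (assumed) no longer listed."""
    seconds = age.total_seconds()
    if seconds < 0:
        raise ValueError("first-seen time lies in the future")
    for upper, answer in NOD_BUCKETS:
        if seconds < upper:
            return answer
    return None


def max_age_for_code(answer: str) -> timedelta:
    """Inverse lookup: the oldest a domain can be given a DNSBL answer."""
    ip = IPv4Address(answer)
    for upper, code in NOD_BUCKETS:
        if IPv4Address(code) == ip:
            return timedelta(seconds=upper)
    raise ValueError(f"not a NOD DNSBL answer: {answer}")


def mail_policy(answer: Optional[str]) -> str:
    """Constructed example policy, not Farsight's: reject mail from sender
    domains younger than 30 minutes, greylist those younger than 24 hours,
    accept anything not listed."""
    if answer is None:
        return "accept"
    if max_age_for_code(answer) <= timedelta(minutes=30):
        return "reject"
    return "greylist"
```

A mail filter would obtain `answer` by resolving the sender domain under the NOD DNSBL zone and passing the returned 127.0.0.x address (or None on NXDOMAIN) to `mail_policy`.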

RBLDNSD File Format

The downloadable zone files are formatted in a manner compatible with rbldnsd’s “dnset” file format. They include the following elements:

All fields are as defined in RFC 1035. The zone’s serial number is the UNIX timestamp of when the file was created.

DNS RPZ File Format

The downloadable zone files are formatted in a manner compatible with name servers that can load RFC 1035 compliant zones and use them for RPZ purposes. They include the following elements:

Suggested Applications

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.