Thursday, October 6, 2011

Passive DNS

Collecting passive DNS data on your network can produce a data source of extremely high analytical value.  Because the data collection is passive, it has little (or no) impact to operations.  What is so interesting and valuable about passive DNS data you ask?  Well, for starters, it records what domain names were assigned to what IP addresses at the time those domain names were requested.  This makes all sorts of interesting analysis possible.  For example, which domain names were requested that point to IANA reserved (e.g., 192.168.0.0/16) or downright silly (e.g., 111.111.111.111) IP addresses?  This can be an indicator of compromise, as malware authors will often park their callback or second stage domains at these types of IP addresses.  Additionally, all the standard analysis that one would do on DNS logs can be done on passive DNS data as well.  For example, which domain names have been changing IP addresses frequently or have extremely short TTLs (i.e., fast flux)?  Or, as another example, which domain names have been requested periodically, or in a pattern more typical of a machine than a human-being?

Passive DNS data is a lot of fun to experiment with and analyze, and it provides a good deal of value.  Check it out!

No comments:

Post a Comment