You may have probably heard several times that the Domain Name System (DNS) is the Internet’s phonebook, as it points us to the virtual address of a website. But how about DNS history? After all, there’s no such thing as a phonebook that stores the past telephone numbers and addresses of a person.
In order to understand how DNS history works, we have to start with the basics and learn what DNS is.
What Is the DNS?
The DNS is a decentralized and organized naming system for devices connected to any network, including the Internet. Its primary function is to translate domain names to their numerical equivalents, the only language understood by computers (i.e., Internet Protocol [IP] addresses).
The DNS ensures that all domain names can be reached by resolving them to IP addresses. It doesn’t matter if you type in the most visited website or a newly created one on your browser, your computer would send a DNS query to a DNS server and obtain the website’s IP address.
Limitations of DNS Data
The DNS was created in the early days of the Internet when its global usage was still unimagined. It only deals with the present and active connections and doesn’t really pay attention to what IP addresses a domain name resolved to in the past.
But as the Internet blew up and became a household essential, cybercrime also became rampant. For this reason, experts found the need to look into DNS history, and the passive DNS technology was born.
What Is DNS History and How Does It Work?
DNS history refers to the data obtained from a passive DNS database, where past resolutions are stored. Other historical DNS records, such as mail exchange (MX) servers and nameservers (NSs) can also be found in the database.
Among the insights we can get from DNS history are:
- Changes in the IP address resolutions of a domain
- Past NSs used by the domain
- MX servers the domain used in the past
Through tools like Reverse IP Lookup that glean data from a passive DNS database, you can also see the domain names that once resolved or are still resolving to an IP address.
For illustrative purposes, let’s look up the domains that resolve to 128[.]199[.]42[.]106. Take note that this IP address has been reported on AbuseIPDB more than a thousand times for brute-force attacks. The reverse IP lookup tool returned these three domains that resolved to the IP address:
- teamspeeder[.]com
- teamspeeder[.]dk
- kaneki[.]me
Other IP addresses might be connected to hundreds of domains and subdomains, such as Google’s 8[.]8[.]8[.]8, which returned thousands of domain names.
How Is DNS History Used?
The passive DNS database, where historical DNS data is obtained, was born out of the need to address some of the limitations of the DNS. As such, DNS history is used to investigate cyber incidents and help map out a malicious domain’s footprints.
For instance, we have two IP addresses tagged in the Fobos malvertising campaign—216[.]58[.]206[.]78 and 188[.]225[.]27[.]122. DNS history shows that these domain names have resolved to the IP addresses:
- l4755b19[.]justinstalledpanel[.]com
- rbt-m[.]ru
- lhr35s11-in-f14[.]1e100[.]net
- mil07s08-in-f14[.]1e100[.]net
Various subdomains of justinstalledpanel[.]com have been seen in several malware campaigns, which could hint that the same group of threat actors could be behind some of them. The domain itself has been reported for phishing, spamming, and other malicious activities on VirusTotal.
Conclusion
The DNS is an integral part of how the Internet works, so being able to dig up DNS history has made the Web more transparent. Although it’s a relatively new capability, passive DNS enables cybersecurity teams to address malicious activities. In addition, historical DNS records can also help organizations recover zone data, when it’s accidentally or maliciously modified.