Ways to use Passive DNS: Security Professional
August 13, 2018
Security professionals can use Passive DNS to investigate domains or IP addresses that have raised suspicion, and to find out whether they are dealing with a single malicious IP or a complex, multi-layered operation.
- Investigate domains that resolve to addresses within the same subnet as a particular IP address: some (or most) of these may display similar behaviour to the one that has caused you concern.
- Abusers recycle their resources, e.g. the same web server may host several phishing domains, not just one. With Passive DNS you can acquire this information before, or as soon as, they change their domain or IP address.
- If you are dealing with a more complex operation, the abuser may have the full /24 subnet under their control, and Passive DNS can provide additional, deeper insight, e.g. all the domains that point to any IP address in that subnet.
- Passive DNS searches will also permit you to find invalid or unauthorised records in the zones you control, caused by unauthorised access or by cache poisoning/spoofing (where corrupt DNS data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result).
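As an added worked example (not code from the original post), the three investigations above carried out in Python over a small constructed passive DNS dataset: names seen behind one IP, names across its /24, and a check of a zone you control against the answers you expect to be authoritative. The record layout, domain names and addresses are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed passive DNS observations (assumed layout, not real data):
# (rrname, rrtype, rdata, first_seen, last_seen)
PDNS = [
    ("login-secure.example", "A", "203.0.113.10", "2018-07-01", "2018-07-20"),
    ("verify-acct.example",  "A", "203.0.113.10", "2018-07-05", "2018-08-01"),
    ("update-bank.example",  "A", "203.0.113.44", "2018-07-10", "2018-08-10"),
    ("shop.example",         "A", "198.51.100.7", "2018-01-01", "2018-08-10"),
    ("www.mycorp.example",   "A", "198.51.100.20", "2018-01-01", "2018-08-10"),
    ("www.mycorp.example",   "A", "203.0.113.99", "2018-08-09", "2018-08-09"),
    ("mail.mycorp.example",  "A", "198.51.100.25", "2018-01-01", "2018-08-10"),
]

def domains_for_ip(records, ip):
    """Pivot 1: every name ever seen resolving to exactly this IP."""
    return sorted({r[0] for r in records if r[1] == "A" and r[2] == ip})

def domains_in_subnet(records, cidr):
    """Pivot 2: names resolving anywhere in the subnet, grouped per IP,
    to see whether one host or a whole range is in play."""
    net = ipaddress.ip_network(cidr)
    hits = defaultdict(set)
    for name, rrtype, rdata, _first, _last in records:
        if rrtype == "A" and ipaddress.ip_address(rdata) in net:
            hits[rdata].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

def unauthorised_records(records, zone, expected):
    """Check 3: A records observed for a zone you control whose rdata is not
    in the set of answers you expect; these are candidates for an unauthorised
    change or a poisoned/spoofed cache and deserve a look at first/last seen."""
    suffix = "." + zone
    return [(name, rdata, first, last)
            for name, rrtype, rdata, first, last in records
            if rrtype == "A" and (name == zone or name.endswith(suffix))
            and rdata not in expected.get(name, set())]

if __name__ == "__main__":
    print(domains_for_ip(PDNS, "203.0.113.10"))
    print(domains_in_subnet(PDNS, "203.0.113.0/24"))
    print(unauthorised_records(PDNS, "mycorp.example",
          {"www.mycorp.example": {"198.51.100.20"},
           "mail.mycorp.example": {"198.51.100.25"}}))
```

On a real feed you would replace the PDNS list with the records returned by your passive DNS provider and the expected map with your own zone file.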