DNSDB API New Features

Introduction
Farsight Security's DNSDB (TM) is a historical database that stores and indexes both the Passive DNS data available via Farsight Security's Security Information Exchange and the authoritative DNS data that various zone operators make available. DNSDB makes it easy to search for individual DNS RRsets and provides additional metadata for search results, such as first-seen and last-seen timestamps and the DNS bailiwick associated with an RRset. DNSDB also has the ability to perform inverse (rdata) searches.
If you're interested in getting access, please apply for an account!
DNSDB Delivery Options
DNSDB is delivered in one of three ways:
- DNSDB Web UI: Simple web interface for executing one-off queries
- DNSDB Export: Customer-premise database instance running on customer-provided infrastructure
- DNSDB Access API: Cloud-based RESTful API with JSON responses, available using open source command line tools, and also readily integrated into existing automated systems.
This article describes new options for the DNSDB Access API.
New DNSDB API Feature: Server-Side Time Filtering
Farsight Security has added some new parameters to the DNSDB API that allow DNSDB users to pre-filter search results based on whether the first- and last-seen times of each RRset fall before or after a certain time. There are four new parameters:
- time_first_before: return only RRsets whose first-seen time is before the given time
- time_first_after: return only RRsets whose first-seen time is after the given time
- time_last_before: return only RRsets whose last-seen time is before the given time
- time_last_after: return only RRsets whose last-seen time is after the given time
Users may provide either an absolute UNIX timestamp in UTC, for example 1420657758, or a relative timestamp, which is preceded by "-" and is counted back from the time of the query, for example -86400.
See our API documentation for further details on how to use these parameters with the API. The latest version of our dnsdb-query tool makes use of this filtering with the --before and --after options.
The following are some recipes showing how you can use this new API feature.
Return only RRsets that have been seen recently
DNSDB, our historical Passive DNS database, spans back to 2010. Certain queries will return a lot of older results that may not be relevant if you would prefer a more current snapshot. You can use the time_last_after parameter to eliminate all of the older RRsets. Here is an example that filters out everything whose last-seen time is older than one month:
https://api.dnsdb.info/lookup/rrset/name/example.com?time_last_after=-2592000
Return only new RRsets
If you are using DNSDB to monitor a domain name for changes, or a network address for new names referring to it, you can use the time_first_after parameter to filter out every RRset that was first seen more than a day ago:
https://api.dnsdb.info/lookup/rdata/ip/198.51.100.0,24?time_first_after=-86400
Return the set of RRsets that were seen at a certain time
If you are investigating an incident and you find some network activity that you suspect to be botnet command and control traffic, you can combine the time_first_before and time_last_after parameters (both set to the time of the incident, X) to find the list of hostnames that were observed mapping to that address when the incident happened:
https://api.dnsdb.info/lookup/rdata/ip/192.0.2.0,24?time_first_before=X&time_last_after=X
Return RRsets that were only seen during a certain time interval
If you are investigating an incident where a domain name was hijacked by a third party and you want to find all of the RRsets that were only seen during a time interval from X to Y, you can combine the time_first_after and time_last_before parameters:
https://api.dnsdb.info/lookup/rrset/name/example.com?time_first_after=X&time_last_before=Y
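As an added, end-to-end example (not Farsight's dnsdb-query tool, and not code from this article), the following Python builds the request URLs for the four recipes above and applies the same four time filters locally to a constructed set of sample records, so you can see which RRsets each combination keeps. The base URL, the two endpoint paths and the four parameter names are the ones shown in the article; the record layout and timestamps are a constructed sample, the sample is reused for all four recipes purely to illustrate the time semantics (which do not depend on whether the lookup is rrset or rdata), and the strict before/after comparisons are an assumption about how the server evaluates the filters.

```python
"""Build DNSDB lookup URLs with the four server-side time filters and apply
the same filters locally to constructed sample records.

Added example, not Farsight's dnsdb-query tool.  Endpoint paths and the
parameter names are the ones shown in the article; the sample records are
constructed, and strict (<, >) comparison is an assumption about how the
server evaluates "before" and "after".
"""
import time
from urllib.parse import quote, urlencode

DNSDB_BASE = "https://api.dnsdb.info"
DAY = 86400
MONTH = 30 * DAY  # 2592000, the offset used in the first recipe

# How each parameter is evaluated against a record's first/last-seen times
# (assumed strict comparison; the article does not say whether it is inclusive).
CHECKS = {
    "time_first_before": lambda rec, t: rec["time_first"] < t,
    "time_first_after":  lambda rec, t: rec["time_first"] > t,
    "time_last_before":  lambda rec, t: rec["time_last"] < t,
    "time_last_after":   lambda rec, t: rec["time_last"] > t,
}


def build_url(kind, key, **filters):
    """Return a DNSDB lookup URL.

    kind: "rrset/name" (forward lookup) or "rdata/ip" (inverse lookup).
    key:  the owner name, or the address / prefix in "192.0.2.0,24" form.
    Filter values are passed through as the API accepts them: an absolute
    UNIX timestamp, or a negative offset relative to the current time.
    """
    unknown = set(filters) - set(CHECKS)
    if unknown:
        raise ValueError(f"unknown time filter(s): {sorted(unknown)}")
    path = f"/lookup/{kind}/{quote(key, safe=',')}"
    query = urlencode([(k, int(v)) for k, v in filters.items()])
    return f"{DNSDB_BASE}{path}" + (f"?{query}" if query else "")


def resolve(value, now):
    """Convert an API time value to an absolute UNIX timestamp."""
    value = int(value)
    return now + value if value < 0 else value


def apply_time_filters(records, now=None, **filters):
    """Keep only the records that satisfy every given filter.

    Handy for re-checking a cached result set, or for seeing what a
    parameter combination will return before you spend API queries on it.
    """
    now = int(time.time()) if now is None else now
    bounds = {k: resolve(v, now) for k, v in filters.items()}
    return [r for r in records if all(CHECKS[k](r, t) for k, t in bounds.items())]


NOW = 1_700_000_000  # fixed "now" so the sample run is reproducible

# Constructed sample in the shape of DNSDB rrset records (not real observations).
SAMPLE = [
    {"rrname": "www.example.com.", "rrtype": "A", "rdata": ["192.0.2.10"],
     "time_first": NOW - 400 * DAY, "time_last": NOW - 300 * DAY},  # retired long ago
    {"rrname": "www.example.com.", "rrtype": "A", "rdata": ["192.0.2.11"],
     "time_first": NOW - 400 * DAY, "time_last": NOW - DAY},        # old, still live
    {"rrname": "mail.example.com.", "rrtype": "A", "rdata": ["192.0.2.12"],
     "time_first": NOW - 2 * 3600, "time_last": NOW - 3600},        # appeared today
    {"rrname": "www.example.com.", "rrtype": "A", "rdata": ["203.0.113.5"],
     "time_first": NOW - 10 * DAY, "time_last": NOW - 9 * DAY},     # seen for one day only
]


def run_recipes(now=NOW, records=SAMPLE):
    """The article's four recipes: the URL each one sends, and what it keeps."""
    incident = now - 9 * DAY - 3600             # "X": the moment under investigation
    start, end = now - 11 * DAY, now - 8 * DAY  # "X" and "Y": the suspected hijack window
    recipes = {
        "recent":        ("rrset/name", "example.com", {"time_last_after": -MONTH}),
        "new":           ("rdata/ip", "198.51.100.0,24", {"time_first_after": -DAY}),
        "at_incident":   ("rdata/ip", "192.0.2.0,24",
                          {"time_first_before": incident, "time_last_after": incident}),
        "interval_only": ("rrset/name", "example.com",
                          {"time_first_after": start, "time_last_before": end}),
    }
    out = {}
    for name, (kind, key, filters) in recipes.items():
        out[name] = {"url": build_url(kind, key, **filters),
                     "kept": apply_time_filters(records, now, **filters)}
    return out


if __name__ == "__main__":
    for name, result in run_recipes().items():
        print(f"{name}: {result['url']}")
        for rec in result["kept"]:
            print(f"    {rec['rrname']} {rec['rrtype']} {rec['rdata'][0]}")
```

Running the script prints, for each recipe, the URL you would request and the sample RRsets that survive the filter: the "recent" recipe drops only the record retired long ago, "new" keeps only the record that appeared today, the incident recipe keeps the two records that were live at time X, and the interval recipe isolates the short-lived record that both appeared and disappeared inside the window. The local filter is useful for sanity-checking a parameter combination against cached results before spending API queries on it.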
Henry Stern is a Senior Distributed System Engineer for Farsight Security, Inc.