Blog Farsight Long View

Explaining Passive DNS To Family Members

If you work with passive DNS, from time-to-time you may have people (including even close family members!) who’ll say, “I know you say you work on that passive DNS stuff at Farsight, but what IS passive DNS? I hear you mention it from time to time, but I have NO IDEA what the heck that is or how it all works!”

It’s one thing to explain passive DNS to an audience of technical cyber security practitioners, but it’s another thing to explain passive DNS to family members over a (pre-Covid-style) holiday dinner. THAT can be a little trickier.

Let’s try and do that for y’all now, just in case you happen to find yourself discussing passive DNS over your own Christmas goose (or ham-and-red-eye-gravy) dinner.

First, recognize that most non-technical folks have never heard of the Domain Name System. That’s not to say that they’re not paying attention to “Internet stuff,” it’s just that DNS services run “in the background” and largely “just work.” That’s why they haven’t had much reason to think too much about DNS up until now.

If you mention “DNS” without a little backfill, often they’ll simply shrug and look confused. So before you can talk about passive DNS, folks first need to get regular DNS. The classic short explanation for this is usually something like:

Regular DNS is the “Internet’s phonebook.” The Domain Name System maps easy-to-remember symbolic names (such as www.google.com) to the IP addresses computers need (such as 172.217.14.238).

If regular DNS is the “Internet’s phonebook,” passive DNS is similar to a classic “reverse directory.” For youngsters who may never have actually seen one, a reverse directory was a phone book indexed by phone number (or street address) rather than by “last name, first name.” Investigators used it to find out who had a given phone number.

Passive DNS is similar. It lets an investigator find all the domain names that have been observed resolving to a given IP address, or sharing some other piece of network infrastructure such as a name server. That’s useful if you’re a cyber investigator chasing cyber criminals such as spammers, online scam artists, companies selling knock off versions of your company’s name brand merchandise, etc.

Passive DNS also lets you take an initial clue you’ve found (such as one potentially-bad domain), and find other related domain names. This makes it harder for the bad guys to “fly under the radar” and successfully “ride out” investigations by regulators, law enforcement officers, and private cyber investigators.

Another thing that passive DNS does is it lets cyber investigators ask questions that regular DNS simply can’t answer. Regular DNS only tells you what a name resolves to right now; passive DNS records when each answer was first and last observed. That lets an investigator use passive DNS as a sort of “time machine,” “going back in time” to see how DNS might have been manipulated during a particular incident, such as a website defacement.

Passive-DNS-as-a-time-machine can also be used to leverage bad guy operational carelessness. For example, maybe a (cheap) bad guy began by hosting their online bad guy website alongside their legitimate business website or their publicly available family web pages. Over time they may have learned how to be better at being “sneaky” online, but their early carelessness will live on in passive DNS and may often prove to be their undoing.

Passive DNS can also be used by a subscribing company to see what the world knows about its own network. Everyone expects a domain name to have a server called “www.”, but what about other servers? Are there internal factory control systems that are (unexpectedly) known to (or even reachable from) the Internet? Sensitive internal financial servers that may be publicly exposed? Maybe systems (with revealing names!) associated with new “top secret” products that are under development? If so, maybe steps should be taken to improve the security of those systems.
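To make the “reverse directory,” “related names,” “time machine,” and “what does the world know about my zone” ideas concrete, here is an added example (not Farsight code, and not the DNSDB API) that builds a toy passive DNS store in Python. The record shape (owner name, record type, record data, first seen, last seen, count) mirrors what passive DNS services generally return; the names, addresses, dates and counts are all constructed sample data using reserved documentation names and prefixes, and the function names are my own.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Observation:
    """One passive DNS record: an answer a resolver was observed being given."""
    rrname: str        # owner name, e.g. "www.example.com."
    rrtype: str        # record type, e.g. "A" or "NS"
    rdata: str         # record data: an address or a name server name
    first_seen: datetime
    last_seen: datetime
    count: int         # how many times this exact answer was observed


def utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample data (hypothetical). The .example TLD, example.com and the
# 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 prefixes are reserved for documentation.
OBSERVATIONS = [
    # The legitimate business site, stable for years.
    Observation("www.example.com.", "A", "192.0.2.10", utc("2018-01-05"), utc("2020-12-20"), 48120),
    Observation("example.com.", "NS", "ns1.example.net.", utc("2018-01-05"), utc("2020-12-20"), 9033),
    # A brief, unusual answer during an incident (the "time machine" case).
    Observation("www.example.com.", "A", "198.51.100.200", utc("2020-06-01"), utc("2020-06-02"), 17),
    # Internal-sounding hosts that have leaked into public DNS.
    Observation("plc-floor3.example.com.", "A", "192.0.2.55", utc("2020-02-11"), utc("2020-12-19"), 210),
    Observation("ledger-db.example.com.", "A", "192.0.2.60", utc("2020-09-01"), utc("2020-12-19"), 88),
    # The careless early days: a scam site parked on the business's own web server...
    Observation("cheap-pills.example.", "A", "192.0.2.10", utc("2019-04-02"), utc("2019-08-30"), 402),
    # ...later moved to dedicated hosting, but still on the same name server.
    Observation("cheap-pills.example.", "A", "198.51.100.7", utc("2019-08-31"), utc("2020-12-20"), 3311),
    Observation("cheap-pills.example.", "NS", "ns1.example.net.", utc("2019-04-02"), utc("2020-12-20"), 900),
    Observation("knockoff-brand.example.", "A", "198.51.100.7", utc("2020-03-10"), utc("2020-12-20"), 1204),
    Observation("knockoff-brand.example.", "NS", "ns1.example.net.", utc("2020-03-10"), utc("2020-12-20"), 500),
    # A crowded shared-hosting address: pivoting through it would drag in strangers.
    Observation("knockoff-brand.example.", "A", "203.0.113.9", utc("2020-11-01"), utc("2020-12-20"), 30),
    Observation("bakery.example.", "A", "203.0.113.9", utc("2019-01-01"), utc("2020-12-20"), 700),
    Observation("dentist.example.", "A", "203.0.113.9", utc("2019-01-01"), utc("2020-12-20"), 650),
    Observation("garage.example.", "A", "203.0.113.9", utc("2019-01-01"), utc("2020-12-20"), 610),
]


def forward(db, rrname):
    """The 'phonebook' direction: everything this name has ever pointed at."""
    return sorted({(o.rrtype, o.rdata) for o in db if o.rrname == rrname})


def reverse(db, rdata):
    """The 'reverse directory': which names have pointed at this address or name server?"""
    return sorted({o.rrname for o in db if o.rdata == rdata})


def as_of(db, rrname, when):
    """The 'time machine': what was this name resolving to at a given moment?"""
    return sorted({o.rdata for o in db
                   if o.rrname == rrname and o.first_seen <= when <= o.last_seen})


def names_under(db, zone):
    """What does the world know about a zone besides 'www'? (zone like 'example.com.')"""
    suffix = "." + zone
    return sorted({o.rrname for o in db if o.rrname.endswith(suffix)})


def pivot(db, seed, max_fanout=3):
    """Names related to `seed` through shared infrastructure, found by breadth-first
    search: seed -> its rdata -> other names with that rdata -> their rdata -> ...
    Rdata shared by more than `max_fanout` names (shared hosting, popular name
    servers) is skipped, since pivoting through it would link unrelated tenants."""
    by_name, by_rdata = defaultdict(set), defaultdict(set)
    for o in db:
        by_name[o.rrname].add(o.rdata)
        by_rdata[o.rdata].add(o.rrname)
    seen, queue = {seed}, deque([seed])
    while queue:
        for rdata in by_name[queue.popleft()]:
            if len(by_rdata[rdata]) > max_fanout:
                continue
            for other in by_rdata[rdata] - seen:
                seen.add(other)
                queue.append(other)
    seen.discard(seed)
    return sorted(seen)


if __name__ == "__main__":
    print("reverse 192.0.2.10:", reverse(OBSERVATIONS, "192.0.2.10"))
    print("pivot from cheap-pills.example.:", pivot(OBSERVATIONS, "cheap-pills.example."))
    print("www.example.com. on 2020-06-01:", as_of(OBSERVATIONS, "www.example.com.", utc("2020-06-01T12:00:00")))
    print("names under example.com.:", names_under(OBSERVATIONS, "example.com."))
```

The fan-out cap in `pivot` is the check a practitioner wants: with the default cap the scam site leads to the knock-off store (shared server and name server) and back to the business that once hosted it, while the unrelated bakery, dentist and garage on the crowded 203.0.113.9 address stay out; raising `max_fanout` drags them in.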

At about this point, particularly if anyone’s had a bit too much “holiday cheer,” people may worry that you’re somehow engaged in something creepy or intrusive — maybe monitoring what people are shopping for when it comes to Christmas presents, eh, Joe? If so, you might hear comments like:

We bet you’re just dying to know if you’re finally going to get that fishing rod you’ve been asking for, rather than just another cardigan? Just can’t wait to see what you’re getting, eh? Is that what passive DNS is all about?

To be perfectly clear, NO! We’re NOT interested in what individual users do online, shopping-wise or otherwise. We’re interested in online infrastructure, not end-user behavior. Passive DNS sensors sit above the recursive resolver, recording the resolver’s own cache-miss traffic to authoritative name servers, so they never see which individual user asked a question. This means that if someone does happen to be doing some shopping online, we’d be interested in collecting information about where that store’s servers live online, not who some innocent user is, where they’re shopping from, or what they actually may be buying.

By this point, it’s usually time for pie, ice cream, and coffee, and people may be desperate to move on to something more fascinating (like family gossip, that weird noise that’s reappeared in their car, or how their favorite team is going to win in the upcoming Big Bowl game).

If so, that’s OK. Maybe, at least in some cases, you may have been able to satisfy their curiosity for another year — or at least have facilitated a well-deserved long winter’s nap!

Merry Christmas and may you have a wonderful 2021. Happy New Year!

Joe St Sauver is a Distinguished Scientist and the Director of Research for Farsight Security, Inc.