Farsight TXT Record

Help The Internet -- And Yourself -- By Running a Passive DNS Sensor Node and Contributing Data To The Farsight Security DNS Database (DNSDB)(tm)

Published on: 
Mar 4, 2015

Introduction

Farsight Security operates a Passive DNS database called the DNSDB™. It contains DNS data contributed by numerous volunteer Passive DNS sensor node operators located all over the world.

While we greatly appreciate the data we receive from each and every one of our contributors, we’re always interested in adding more.

Operating a Passive DNS sensor and contributing data is technically straightforward. Since the data contributions focus solely on upstream cache-miss traffic, there is no privacy impact for local users.

Each Passive DNS data contributor helps the community to better understand what’s happening on the Internet — including providing data that will help the community win the fight against cybercrime, botnets, malware, and other sorts of online abuse. Although Farsight Security is a for-profit company and we finance our operations through subscription fees, we are committed to supporting law enforcement agents, academic researchers, and non-profit organizations with full or partial grants of our services. To learn more about ordering our services, please visit our Order page.

Why Focus on DNS?

In an increasingly-opaque network world, Passive DNS data remains uniquely accessible as a “proxy measure” for virtually everything that’s happening on the Internet. That is, whenever you visit a web page, send an email message, or do pretty much anything else online, you rely on DNS. If that DNS activity can be sampled, you’ve got a terrific indirect measure for the substantive underlying behaviors that we may NOT be able to directly measure.

Thus, Passive DNS data, broadly collected and properly analyzed, can objectively inform researchers about what’s new, what’s suddenly popular, and what may be going badly awry on the Internet — all more or less in real time. Passive DNS data can also be used historically to provide insights on past Internet activity.

I’m Interested, But What About My Own Users’ Privacy?

Farsight Security has no interest in personally identifiable information (PII). We intentionally only collect DNS data upstream from caching recursive resolvers. That means we only see “cache miss” traffic, i.e., requests for domain names that aren’t already in the local recursive resolver’s cache, and the apparent source of those queries will always be your caching recursive resolver, not your end user. Farsight Security can also arrange to completely suppress collection of data from your sensor for any queries pertaining to your own domains’ names, if that provides additional reassurance that the privacy of local users will be totally respected.

Why Is Farsight Security Seeking Additional Passive DNS Sensor Operators?

When it comes to DNS, Farsight Security knows that there can be substantial variation in traffic patterns from region to region. If we were to hypothetically only get Passive DNS data from American service providers, we’d often end up missing Asian-, European- or southern hemisphere-only DNS phenomena. For example, while .com domains are very popular worldwide, in Germany, .de domains are prevalent. If we didn’t have Passive DNS sensors providing DNS data from Germany (and other Germanic countries), we might miss (or at least substantially underestimate) the prevalence and importance of .de traffic.

This is no different than collecting climate data. If you only observe weather phenomena in warm locales (such as San Diego, Miami, or Honolulu), you’re going to be poorly positioned to understand what people in cold locales (such as Buffalo, Fargo, or Fairbanks) are experiencing, particularly during the winter! You need a wide range of measurement points in order to have a broad sense of what’s happening across the country (or around the world).

Redundant Passive DNS sensor node coverage also ensures that the Farsight Security data will remain robust if we lose an individual node or data contributor. Redundancy provides excellent insurance against unexpected and otherwise unavoidable interruptions.

Who Are Some Of The Current Passive DNS Sensor Operators?

Farsight Security does not publish this information. We protect the identities of those who share data with us because we don’t want to accidentally perturb the data that is contributed. That is, if the bad guys were to hypothetically learn that a particular service provider is working with us, they might strive to avoid that site so as not to be noticed, just as many bad guys work hard to avoid spam traps, honey pot networks, dark space telescopes, and other Internet data collection infrastructure.

Joining The Farsight Security Passive DNS Sensor Network

In thinking about whether or not your company or organization should join our sensor collective, you may wonder, “Do we really have DNS data that would be useful to contribute?” In many cases, yes, you really do. The sort of partners that we believe would likely be particularly interesting to add are listed below.

Select “Eyeball” Networks (Networks Where Traffic To Local Customers Dominates Traffic From Local Customers)

  • Large wireline broadband residential service providers (both here in the United States and abroad)
  • Cellular providers offering cellular data/4G services for the ever-growing population of smart phones, tablets, and similar devices
  • Providers working from remote regions of the Internet, including service providers in the southern hemisphere
  • K-12 and higher education networks (particularly data from state/regional/national education networks)
  • Federal, state, local and tribal government networks (again, particularly including state/regional/national networks), and the international government counterparts thereof

Select “Content Provider” Networks (Where Outbound Traffic to the Internet Tends to Dominate Inbound Traffic)

  • Cloud-based application providers, including high-density web hosting companies, popular web email providers, and hosted desktop providers
  • Search engine operators
  • Outsourced/third-party recursive resolver operators
  • Web URL shortener/redirector operators
  • Blocklist operators and DNS reputation service providers
  • Content distribution networks and DDoS protection/web reverse-proxy service providers

Appliance Vendors and Network Software Package Authors

  • DNS appliance/network appliance companies (we’d love to have Farsight Security software integrated and “ready to go” with just minor configuration required in the management console, so that if customers want to contribute data, it can be easily shared)
  • DNS software and other network software package authors (as for the appliance case above, we’d love to see software package authors “baking in” Farsight Security’s data sharing technology, thereby making it easy for users of that package to contribute their data, should they and Farsight Security decide that doing so makes sense)

Is The View Worth The Climb?

In other words, “Why should I bother sharing my DNS data with you guys?” This is a terrific question, and one where motivations may vary widely from participant to participant:

  • Many of you understand the importance of data-driven decision making, and know that some data may be seen from only a single source — you. The data you share can be vitally important. If you don’t contribute your data, we may miss potentially important events entirely. Thank you for sharing what only you can share!
  • Others contribute data because they explicitly want to help fight online crime and cyber abuse. If that’s you, thank you for helping to create a safer Internet! When you contribute data, it potentially helps the victims of cyber crime, incident handling teams, law enforcement agencies, researchers and many others to understand and address the attacks and other phenomena we all confront online. The online threats you help thwart and forensically solve may be the ones that are targeting your customers — or your friends and family.
  • Some of you may have terrific data to share, but no desire to be publicly known as the source of that shared data. Sharing data through Farsight Security can help data providers to anonymize their data and thereby expand its potential availability.
  • Contributing data to Farsight Security also ensures that if/when you use Farsight Security’s historical Passive DNS database, DNSDB™, to research your own incidents, relevant data (your own data!) will already be part of Farsight Security’s database, thereby simplifying your analysis and increasing the likelihood that the data you need will have been observed and archived.
  • Other contributors may simply be interested in ways to potentially reduce the cost of access to Farsight Security’s products and services. We definitely recognize the value of the data our partners share, and we’re happy to negotiate discounted rates for access to Farsight Security products and services for our data sharing partners (in general, the more data you have to share, the greater the discount level we can offer).
  • When you use Farsight Security’s products and services, or contribute data to Farsight Security, we’d also be happy to discuss potentially featuring your efforts as a case study on our web site, highlighting the benefits of our work together, IF you’d like that sort of public acknowledgement.
  • Finally, we know that some researchers may have unique data to share, but no infrastructure from which to share it. Rather than “reinventing the wheel” or deploying duplicative (and expensive!) infrastructure of your own, why not work with Farsight Security to broker the distribution of your commercial data products? Outsourcing distribution of your company’s unique data-driven security products through Farsight Security will leave you free to focus on what you do best, and can be a surprisingly affordable option.

OK, How’s It Work?

As discussed in the official documentation, the Farsight Passive DNS sensor works by capturing raw packets from a network interface and reconstructing the DNS transactions that occurred between recursive and authoritative nameservers. It can be deployed either directly on the recursive DNS server or on a monitoring server with access to a network tap or port mirror. In the latter case, multiple DNS servers may, of course, be monitored, but both the RX and TX network directions must be monitored since the sensor tracks query/response state.

How About Resource Consumption?

By default, the total number of entries in the query table is limited and a hard memory limit of 512 MB is enforced on the Passive DNS sensor process. CPU utilization by the DNS sensor tends to be fairly low, even on heavily loaded recursive servers.
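Added illustration, not Farsight’s sensor code: a small Python model of the query/response state tracking described in the two sections above, showing why both traffic directions are needed (a reply only becomes a record if its query was seen) and what a capped query table does when it fills (here two entries, a constructed value, not the sensor’s real limit). Packets are assumed to arrive already decoded; the names, addresses and transaction IDs are constructed.

```python
from collections import OrderedDict

# Constructed toy model (not Farsight's sensor code) of the query/response state
# tracking a Passive DNS sensor does. Input is already-decoded packets: direction
# "tx" = query the resolver sends upstream, "rx" = authoritative reply; rrs is a
# list of (name, rrtype, rdata) tuples, empty for queries.
class PassiveDnsSensor:
    def __init__(self, max_pending=2):
        self.max_pending = max_pending  # cap on outstanding queries (the query table)
        self.pending = OrderedDict()    # (txid, qname) -> seq number of the query
        self.records = {}               # (name, rrtype, rdata) -> aggregated stats
        self.unmatched = 0              # replies whose query was never seen
        self.evicted = 0                # queries dropped because the table was full
        self.seq = 0                    # stands in for a packet timestamp

    def observe(self, direction, txid, qname, rrs=()):
        self.seq += 1
        key = (txid, qname)
        if direction == "tx":
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)  # evict the oldest outstanding query
                self.evicted += 1
            self.pending[key] = self.seq
            return
        # A reply yields records only if its query was seen, which is why both the
        # TX and RX directions of the resolver's upstream link must be captured.
        if self.pending.pop(key, None) is None:
            self.unmatched += 1
            return
        for name, rrtype, rdata in rrs:
            st = self.records.setdefault((name, rrtype, rdata),
                                         {"count": 0, "first_seen": self.seq, "last_seen": self.seq})
            st["count"] += 1
            st["last_seen"] = self.seq

def run_demo():
    # Constructed upstream traffic using RFC 2606 names and RFC 5737 addresses.
    s = PassiveDnsSensor(max_pending=2)
    s.observe("tx", 0x1A2B, "example.com.")
    s.observe("rx", 0x1A2B, "example.com.", [("example.com.", "A", "192.0.2.1")])
    s.observe("rx", 0x7777, "example.net.", [("example.net.", "A", "192.0.2.2")])  # query never seen
    s.observe("tx", 0x0001, "a.example.")
    s.observe("tx", 0x0002, "b.example.")
    s.observe("tx", 0x0003, "c.example.")  # table full: 0x0001 is evicted
    s.observe("rx", 0x0001, "a.example.", [("a.example.", "A", "192.0.2.3")])  # unmatched
    s.observe("rx", 0x0003, "c.example.", [("c.example.", "A", "192.0.2.4")])
    s.observe("tx", 0x1A2C, "example.com.")
    s.observe("rx", 0x1A2C, "example.com.", [("example.com.", "A", "192.0.2.1")])  # count -> 2
    return s
```

The unmatched counter is the symptom an operator would see if only one direction of a tap or mirror were fed to the sensor: replies arrive, but no records are produced.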

I’m In, How Do I Get Started?

It’s easy! If you would like to contribute data to the Farsight Passive DNS project, or if you have any questions, please send an email to [email protected]

Please also check out our Passive DNS Sensor FAQ.

Joe St Sauver, Ph.D. is a Distributed System Scientist for Farsight Security, Inc.