Farsight TXT Record

Introduction to DNS Changes

Written by: Henry Stern
Published on: Aug 11, 2015

Introduction

Farsight Security recently added a new channel to the Security Information Exchange (SIE) called DNS Changes. This channel combines data from Farsight's Passive DNS channels and the DNSDB product to find never-before-seen DNS Resource Record Sets (RRsets), checked against a pool of about 30 billion known RRsets in DNSDB. We reduce our ~200,000 message per second passive DNS data to a comfortable rate of ~350 messages per second, low enough that you can do just about any processing that you want without breaking a sweat.

DNS Changes also includes extended information about why a DNS RRset is new. The message will tell you whether the base domain name, the hostname, or the Resource Record Type (RRtype) is new, and which of the individual Resource Records in the RRset are new.

This data is quite interesting from a security practitioner's perspective. Consider the relatively common attack scenario in which a domain owner's account is compromised at their registrar or DNS provider. The attacker either adds new hostnames beneath the domain, changes existing resource records, or changes the name server entries for the domain and hijacks it entirely. DNS Changes lets you see these attacks as they happen: it alerts you to the new hostname's creation and tells you which part of the response has changed.

You can make use of the extended information in DNS Changes to find threats that would be very difficult to find any other way. Because the data rate is low and you can see whether or not a hostname previously existed, you can track how often a domain name has changed recently. Fast Flux Service Networks are easy to spot because their records change so frequently.

You can also combine this information with Farsight's DNSDB to see what a changed record was previously. Drop everything whose RRtype has never been seen for that hostname, so that only changes to existing RRsets remain, filter out records belonging to the major content delivery networks, and you end up with about 20 changes per second. Look up the most recent entry of that type for that hostname in DNSDB and you can watch the Internet change in real time.

You can see suspicious-looking domain names moving around:

name=smupcbphdbfh.lori-amber.us. type=A rdata=212.224.123.6 old_rdata=69.175.35.170
name=137junkkari.ukkomentor.com. type=A rdata=181.224.136.139 old_rdata=184.154.229.12
name=managemen.weeksdegreechoice.com. type=A rdata=212.117.42.31 old_rdata=172.103.64.19

And you can see records at dynamic DNS providers change:

name=midimaniacs.no-ip.org. type=A rdata=86.126.177.199 old_rdata=79.116.8.192

And you can even see changes to the hosting providers of domains as they happen:

name=gentlemarketing.com. type=A rdata=50.28.66.129 old_rdata=50.28.55.27
name=gentlemarketing.com. type=NS rdata=ns1.wppampering.com.,ns2.wppampering.com. old_rdata=ns1.nathanbriggs.com.,ns2.nathanbriggs.com.
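The filtering described above (drop CDN churn, watch for name server changes, count how often a hostname's address records move) can be scripted against lines in the layout printed in this post. The Python below is an added example, not Farsight code and not part of the original post: it parses change lines in the `name=... type=... rdata=... old_rdata=...` layout shown above (the actual SIE message encoding is not shown here, so that layout is an assumption), drops names under a constructed CDN suffix list, tags NS changes whose old and new nameserver sets do not overlap as a moved delegation, and flags hosts whose A/AAAA rdata changed at least a constructed threshold of three times as fast-flux candidates. The sample input is the post's own lines plus constructed `example.com`/`example.net` lines with RFC 5737 addresses.

```python
"""Triage DNS Changes-style records (added example, not Farsight code).

Parses change lines in the layout printed above, drops CDN noise, flags
nameserver (NS) changes, and counts A/AAAA churn per host as a fast-flux signal.
"""
import re
from collections import Counter

# Assumed field layout, taken from the lines quoted in the post:
#   name=<owner> type=<RRtype> rdata=<new RRset> old_rdata=<previous RRset>
# RRsets with several records are comma-separated (see the NS example).
_LINE_RE = re.compile(
    r"^name=(?P<name>\S+)\s+type=(?P<type>\S+)\s+"
    r"rdata=(?P<rdata>\S+)\s+old_rdata=(?P<old_rdata>\S+)\s*$"
)

# Constructed input: the post's sample lines, plus constructed example.com /
# example.net lines (RFC 5737 addresses) to exercise the flux count and CDN filter.
SAMPLE_LINES = """\
name=smupcbphdbfh.lori-amber.us. type=A rdata=212.224.123.6 old_rdata=69.175.35.170
name=137junkkari.ukkomentor.com. type=A rdata=181.224.136.139 old_rdata=184.154.229.12
name=managemen.weeksdegreechoice.com. type=A rdata=212.117.42.31 old_rdata=172.103.64.19
name=midimaniacs.no-ip.org. type=A rdata=86.126.177.199 old_rdata=79.116.8.192
name=gentlemarketing.com. type=A rdata=50.28.66.129 old_rdata=50.28.55.27
name=gentlemarketing.com. type=NS rdata=ns1.wppampering.com.,ns2.wppampering.com. old_rdata=ns1.nathanbriggs.com.,ns2.nathanbriggs.com.
name=flux.example.com. type=A rdata=192.0.2.10 old_rdata=192.0.2.11
name=flux.example.com. type=A rdata=192.0.2.12 old_rdata=192.0.2.10
name=flux.example.com. type=A rdata=192.0.2.13 old_rdata=192.0.2.12
name=img.cdn.example.net. type=A rdata=198.51.100.7 old_rdata=198.51.100.8
"""

# Constructed CDN zone suffixes; a real deployment would carry its own list.
CDN_SUFFIXES = ("cdn.example.net.",)


def parse_change(line):
    """Parse one change line into a dict; rdata fields become tuples of records."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable DNS Changes line: %r" % line)
    rec = m.groupdict()
    rec["name"] = rec["name"].lower()
    rec["rdata"] = tuple(rec["rdata"].split(","))
    rec["old_rdata"] = tuple(rec["old_rdata"].split(","))
    return rec


def is_cdn_name(name, suffixes=CDN_SUFFIXES):
    """True if the owner name is at or below one of the CDN zones."""
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def ns_set_moved(old_rdata, new_rdata):
    """True when no nameserver survives the change: the whole delegation moved."""
    return not (set(old_rdata) & set(new_rdata))


def triage(text, cdn_suffixes=CDN_SUFFIXES, flux_threshold=3):
    """Return (findings, flux_hosts).

    findings: one (name, type, tag, old_rdata, rdata) tuple per non-CDN change,
    tag in {"delegation-moved", "ns-changed", "address-changed", "rrset-changed"}.
    flux_hosts: names whose A/AAAA rdata changed >= flux_threshold times in text.
    """
    findings = []
    addr_changes = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_change(line)
        if is_cdn_name(rec["name"], cdn_suffixes):
            continue  # CDN churn is expected; drop it as the post suggests
        if rec["type"] == "NS":
            # A delegation change is the hijack case worth verifying with the registrar.
            tag = "delegation-moved" if ns_set_moved(rec["old_rdata"], rec["rdata"]) else "ns-changed"
        elif rec["type"] in ("A", "AAAA"):
            addr_changes[rec["name"]] += 1
            tag = "address-changed"
        else:
            tag = "rrset-changed"
        findings.append((rec["name"], rec["type"], tag, rec["old_rdata"], rec["rdata"]))
    flux_hosts = sorted(n for n, c in addr_changes.items() if c >= flux_threshold)
    return findings, flux_hosts


if __name__ == "__main__":
    found, flux = triage(SAMPLE_LINES)
    for name, rrtype, tag, old, new in found:
        print("%-40s %-4s %-17s %s -> %s" % (name, rrtype, tag, ",".join(old), ",".join(new)))
    print("fast-flux candidates:", flux)
```

Run over the sample, the CDN line is dropped, the `gentlemarketing.com.` NS change is tagged `delegation-moved` because none of the old nameservers survive, and `flux.example.com.` is the only fast-flux candidate. In a real pipeline the old RRset would come from the DNSDB lookup the post describes rather than from the input line, and the threshold would be tuned against a time window, not a whole file.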

Conclusion

With the increase in domain hijacking attacks, Farsight's DNS Changes service is well positioned to detect them in real time. To learn more about Farsight's DNS Changes and the other unique and valuable products we offer, please do not hesitate to contact us.

We look forward to hearing from you.

Henry Stern is a Senior Distributed System Engineer for Farsight Security, Inc.