DNSDB API Technical Overview
DNSDB is a database that stores and indexes the passive DNS data available via Farsight Security’s Security Information Exchange (SIE). It also contains the authoritative DNS data from top-level-domain registries provided through ICANN’s Zone File access (ZFA) program.
DNSDB contains historical data accumulated since July, 2010.
DNSDB is accessed through a RESTful API, a Web service that receives queries and returns results as JSON-formatted data. Customers are issued an API key that is used to validate their access to the service.
DNSDB makes it easy to search for individual DNS RRsets. It also provides additional metadata for search results, including timestamps for when a record was first and last seen, and it returns the bailiwick associated with an RRset. DNSDB also allows you to perform inverse Rdata searches.
DNSDB data is organized as Resource Records (RRs), each containing the contents of a DNS response. An RRset is a set of 0 or more RRs. Rdata is a field within the RR that describes the resource returned in the RR. Bailiwick is a data item that describes the DNS server, which can help determine if the response is from a server that is authoritative for the domain. See What is a Bailiwick in the Additional Information section below for details on the bailiwick.
DNSDB Delivery options
DNSDB can be delivered in two ways:
- DNSDB Access API: A RESTful-style API with JSON responses, available using open source command line tools, and also readily integrated into existing automated systems
- DNSDB Export: Customer-premise database instance running on customer-provided infrastructure. This format doesn’t include ZFA data
System requirements vary by the access type. Farsight’s sales representative can help you understand the requirements for the option that best fits your needs.
Suggested Applications
- Guilt by Association: Identification of a malicious network or domain, by constructing queries to discover known malicious networks and domains with similar addresses, names, or servers
- Age of Innocence / Age Discrimination: Assessment of good vs. malicious intent using a combination of factors such as the first seen timestamp and defined cutoff dates
- DNS Object History: Examination of the history of a DNS object, measurement of its churn rate, or search for configuration changes and errors
Query Attributes
- OWNER NAME (RRTYPE optional): Works for all record types. Wildcards are supported at the start or end of names
- TARGET NAME (RRTYPE optional): Works for record types having names in Rdata. Wildcards are supported at the start or end of names
- TARGET ADDRESS: Wildcards in CIDR notation indicating any IPv4 or IPv6 network address bit boundary, such as “128.45.0.0/16”, or IP ranges such as “128.45.0.0-128.45.255.255”
- LIMIT: Maximum number of elements to be returned
If you need more powerful wildcard support than supported here, you should investigate the DNSDB Flex product as an alternative.
As of July, 2022 DNSDB was changed to reduce the amount of junk wildcard domains in its database. We are gradually rolling out a change to replace multiple wildcarded DNS rrnames with a single rrname that starts with a _WILDCARD_. label. No other rrname labels contain uppercase letters, so records with this all-uppercase _WILDCARD_. label were never in DNSDB before. Note that there are existing, real domain names that contain a _wildcard_. label (all lower case), so any matching on this label must be case-sensitive.
Response Attributes
Attribute | Description |
---|---|
TIME_FIRST | Time of first sighting. |
TIME_LAST | Time of last sighting. |
ZONE_TIME_FIRST | Time of first sighting if the record was received via a zone file import. |
ZONE_TIME_LAST | Time of last sighting if the record was received via a zone file import. |
COUNT | Number of times this result was seen in [TIME_FIRST .. TIME_LAST]. |
RRTYPE | Resource record set type. |
RRname | Owner of resource record set. |
Rdata | Array of resource data records. |
BAILIWICK | Apex of zone where found. |
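The "Age of Innocence" triage from Suggested Applications, combined with the case-sensitive _WILDCARD_. check, as an added example that is not Farsight's own code. It assumes results arrive as one JSON object per line, with lowercase forms of the attribute names above and epoch-second timestamps; the records and the cutoff date are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample records. Assumption: JSON keys are the lowercase forms
# of the response attributes listed above, and timestamps are epoch seconds.
SAMPLE = """\
{"count": 5120, "time_first": 1285000000, "time_last": 1700000000, "rrname": "www.example.com.", "rrtype": "A", "bailiwick": "example.com.", "rdata": ["192.0.2.10"]}
{"count": 3, "time_first": 1699500000, "time_last": 1699900000, "rrname": "login.example.net.", "rrtype": "A", "bailiwick": "example.net.", "rdata": ["192.0.2.77"]}
{"count": 40, "zone_time_first": 1699000000, "zone_time_last": 1699950000, "rrname": "example.org.", "rrtype": "NS", "bailiwick": "org.", "rdata": ["ns1.example.org."]}
{"count": 9, "time_first": 1660000000, "time_last": 1699000000, "rrname": "_WILDCARD_.example.info.", "rrtype": "A", "bailiwick": "example.info.", "rdata": ["192.0.2.5"]}
{"count": 2, "time_first": 1500000000, "time_last": 1500100000, "rrname": "_wildcard_.example.info.", "rrtype": "A", "bailiwick": "example.info.", "rdata": ["192.0.2.6"]}
"""

def first_seen(rec):
    """Earliest sighting across passive DNS and zone-file timestamps."""
    seen = [rec[k] for k in ("time_first", "zone_time_first") if k in rec]
    return min(seen) if seen else None

def is_synthetic_wildcard(rrname):
    """True only for the all-uppercase leading label; lowercase is a real name."""
    return rrname.startswith("_WILDCARD_.")

def triage(lines, cutoff):
    """Return (rrname, first_seen_date, is_new, is_synthetic_wildcard) per record."""
    out = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = first_seen(rec)
        iso = (datetime.fromtimestamp(ts, timezone.utc).date().isoformat()
               if ts is not None else None)
        # A record with no timestamp cannot be shown to predate the cutoff.
        out.append((rec["rrname"], iso, ts is None or ts >= cutoff,
                    is_synthetic_wildcard(rec["rrname"])))
    return out

# Constructed cutoff: names first seen on or after this date count as new.
CUTOFF = int(datetime(2023, 11, 1, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    for row in triage(SAMPLE, CUTOFF):
        print(row)
```

Records that carry only zone-file timestamps are still aged correctly, because the first-seen value falls back to ZONE_TIME_FIRST when TIME_FIRST is absent.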
DNSDB Capabilities and limits
Access to DNSDB can be licensed in a number of ways and access can be granted via a number of interfaces and tools. These licenses and tools have different capabilities and limits that a user needs to be aware of.
This table summarizes these capabilities and limits:
Trial Products
Product | Quota | Maximum Results | Duration | Data Available | Rate Limit | Query Privacy |
---|---|---|---|---|---|---|
Maltego Free Queries | 12 per hour | 12 | N/A | 2010 to now | 12 per hour | No |
To inquire about a demonstration of DNSDB and an opportunity for a trial API key, please request a demonstration with Farsight’s sales team: https://www.farsightsecurity.com/request-demo/
Subscription Products
Product | Quota | Maximum Results | Duration | Data Available | Rate Limit | Query Privacy |
---|---|---|---|---|---|---|
Queries per Day (QPD) | 1K – Unlimited | 10K – 1M | 1 Year | 2010 to now | None | Yes |