Farsight Security's Maltego DNSDB Integration
DNSDB is a Passive DNS (pDNS) historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts.
Farsight (now a part of DomainTools) collects Passive DNS data from its global sensor array. It then filters and verifies the DNS transactions before inserting them into the DNSDB, along with ICANN-sponsored zone file access download data. The end result is the highest-quality and most comprehensive Passive DNS data service of its kind – with more than 100 billion DNS records since 2010.
Farsight’s DNSDB transforms threat data into actionable, relevant threat intelligence in real time. DNSDB’s high-performance, indexed, time-series DNS intelligence data service increases the value of an organization’s existing threat intelligence and improves visibility for an organization’s security program and protect its infrastructure from current and future threats.
DNSDB makes it easy to find related domain names and IP addresses, assuming you have an initial domain name or IP address as a starting point. DNSDB can answer questions, such as:
- Where did this domain name point to in the past?
- What domain names are hosted on a given IP address?
- What domain names use a given name server?
- What fully qualified domain names exist below a delegation point?
Farsight Security have created a package of transforms allowing Maltego to retrieve related information for domains, hostnames, network addresses and ranges, and e-mail addresses. These transforms use DNSDB to find values that were observed by one of Farsight’s DNS sensors for these entities, as well as domains resolving to these entities.
The Farsight Security DNSDB transforms expand the power of Maltego by enabling correlation and contextualization with near realtime and historical DNS intelligence; also known as passive DNS data. Using the DNSDB transforms, users can expose entire networks, gain an outside-in view of their infrastructure and pivot across DNS record types including domains, IPs, NS, MX, AAAA, SOA and many more. Wildcard searches are also available to expose hostnames or Fully Qualified Domain Names (FQDNs) in the left side wildcard, associated domains in the right side wildcard, and further pivoting across IPs to expose all associated domains, FQDNs, IPs, MX, NS, and other record types.
The DNSDB Transforms for Maltego can be used in any Maltego investigation to:
- Find hostnames related to network addresses
- Illuminate the DNS (and other service) hosting infrastructure of an interesting domain and find other domains of interest
- Find historical locations of a service identified by a hostname or domain
Maltego and Farsight’s DNSDB Transform Set
Farsight’s DNSDB transform set allows Maltego to access the DNSDB to retrieve related information for domains, hostnames, network addresses and ranges, and e-mail addresses. DNSDB transforms expand the power of Maltego by enabling correlation and contextualization with near realtime and historical DNS intelligence.
Using the DNSDB transforms users can expose entire networks, gain an outside-in view of their infrastructure and pivot across DNS record types including domains, IPs, NS, MX, AAAA, SOA and many more. Wildcard searches are also available to expose hostnames or Fully Qualified Domain Names (FQDNs) in the left side wildcard, associated domains in the right side wildcard, and further pivoting across IPs to expose all associated domains, FQDNs, IPs, MX, NS, and other record types.
Uses
The DNSDB Transforms for Maltego can be used in any Maltego investigation to:
- Find hostnames related to network addresses
- Illuminate the DNS (and other service) hosting infrastructure of an interesting domain, and finding other domains of interest
- Finding historical locations of a service identified by a hostname or domain
Available Transforms
Transforms on domains include:
- Hostnames observed within the domain, optionally restricted to A, AAAA, CNAME types
- Observed nameservers (NS records) for a domain
- Observed mail servers (MX records) for a domain
Transforms on hostnames include:
- Domains observed using the hostname as a nameserver (NS)
- Domains observed using the hostname as a mail server (MX)
- TXT records observed for the hostname
- SRV records observed for the hostname
- Other hostnames referencing the hostname (e.g. CNAME records)
Additional transforms include:
- Extracting hostnames from e-mail addresses and URLs
- Finding hostnames which start with a given label “phrase”
- Finding hostnames related to a network address or address range
See the document Maltego Technical Reference or the online documentation within the Maltego system for the details on all of the available transforms.
Requirements
These transforms are available to users of Maltego CE (Free community edition), Maltego Classic (User/professional edition) and Maltego XL (Enterprise edition).
Maltego users can do a limited number of transforms with restricted returned data (12-50 records) without an API key. They can also request a 30 day trial key for evaluation that offers a higher quote and relaxed results restrictions.
Maltego Client vs API Key | Limit | CE (Free) | Classic (User) | XL (Enterprise) |
Free – No API Key | Queries | 12 per hour | 12 per hour | 12 per hour |
Free – No API Key | Max results | 12 | 50 | 50 |
FSI Subscription Key | Queries | FSI Quota | FSI Quota | FSI Quota |
FSI Subscription Key | Max Results | 12 | 10K | 65K |
Full access to Farsight DNSDB data requires a subscription and valid API key. To request a trial or learn more about the Farsight subscription services please contact Farsight Security.