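DNS History Records Strengthen Cybersecurity | WhoisXML API

DNS history solutions improve Internet transparency and cybersecurity

Explore DNS record history through our consumption models (lookup, API, and database download) to identify domain changes, infrastructure developments, and potential threats.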


50 billion+ domains and subdomains
116 billion+ DNS records
Trusted by 60%+ of key-category customers in the Cybersecurity 150
52,000+ satisfied customers

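Our DNS history product line includes:

  • DNS Database Download

    Directly access passive DNS A, AAAA, MX, NS, TXT, CNAME, SOA, and PTR record files from our market-leading historical DNS record database.

  • DNS Chronicle API

    DNS Chronicle API integrates easily into existing security platforms, workflows, and other tools that need passive DNS intelligence.

  • DNS Chronicle Lookup

    Retrieve the historical DNS A and AAAA records of any domain name simply by entering it in our GUI.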

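Product benefits

  • Comprehensive

    Our historical DNS record database is one of the largest of its kind, with billions of record events, giving users deep insight into the DNS history and associations of network resources.

  • Easy to integrate

    Our DNS Database Download is delivered as CSV files. Our DNS Chronicle API is easy to integrate and supports popular programming languages and platforms.

  • Scalable

    Choose the consumption model (lookup, API, or database download) that best fits your needs.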


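Practical applications

  • DNS asset discovery

    Keep your asset inventory up to date by discovering associated or hidden domains and subdomains used for specific web applications and services.

  • Threat detection

    Identify unusual DNS resolution patterns that may indicate botnet activity or compromised infrastructure used to host or distribute malware.

  • Threat actor monitoring

    Stay alert to DNS resolutions associated with known threat actors, and to patterns or anomalies that may point to malicious activity.

  • Brand protection

    Monitor DNS record changes to detect domain hijacking attempts and assess how related domains affect brand reputation.

  • Third-party risk scoring

    Use DNS data to track domain configuration changes, identify associated infrastructure, and monitor suspicious activity related to vendors and other third parties.

  • Fraud detection

    Expose fraud by analyzing DNS patterns, domain ownership changes, and prior associations with malicious servers.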





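Frequently asked questions

What is a DNS record?

A DNS record is a data record stored in the Domain Name System (DNS) that maps a domain name to a specific resource, such as an IP address, a mail server, or another service. DNS servers resolve these records to direct Internet traffic and manage the services associated with a domain name. Common DNS record types include:

  • A record: Maps a domain name to an IPv4 address.
  • AAAA record: Maps a domain name to an IPv6 address.
  • MX record: Specifies the mail servers used for email delivery.
  • NS record: Lists the authoritative name servers for a domain.
  • TXT record: Stores text-based information, typically used for domain ownership verification (for example, SPF, DKIM, or DMARC settings) or other metadata. For example, verifying site ownership in Google Search Console requires adding a specific TXT record to the domain's host records.
  • CNAME record: Maps an alias or subdomain to another domain name. For example, it can alias blog.example.com to www.example.com.
  • SOA record (Start of Authority): Contains administrative information about the domain, such as the primary name server, the domain administrator's contact email, and the version number of the DNS zone.
  • PTR record (pointer): Resolves an IP address to a domain name; commonly used for reverse DNS lookups.

To get information about a domain's current DNS records, you can use our DNS Lookup tool or DNS Lookup API.

What is the DNS history of a domain?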

The DNS history of a domain name is a list of past DNS configurations, including changes to IP addresses, name servers, mail servers, and other DNS records over time. It provides insight into how a domain's infrastructure has evolved and can reveal ownership changes, migrations, or potential misuse.

Unlike a sizable portion of WHOIS data, DNS data is not redacted for privacy, so historical DNS records can be quite useful for cybersecurity purposes.

The Domain Name System was not engineered to keep track of historical records, but because those records hold a lot of value, independent vendors have naturally begun creating and maintaining DNS history databases.

What data can you get from DNS history?

A domain's DNS history typically includes details such as:

  • Historical A records: Changes to IPv4 address mappings.
  • Historical AAAA records: Changes to IPv6 address mappings.
  • Historical MX records: Changes to mail server configurations.
  • Historical NS records: Updates to authoritative name servers.
  • Historical TXT records: Past text-based information, often related to verification or security.
  • Historical CNAME records: Changes to aliases or redirections for subdomains.
  • Historical SOA records: Updates to administrative details, such as the primary name server or zone version.
  • Historical PTR records: Historical mappings of IP addresses to domain names, used in reverse DNS lookups.
  • Time-stamped changes and updates: A timeline showing when each record was added, removed, or updated.

This information provides a detailed timeline of a domain's DNS activity and helps uncover patterns, infrastructure changes, potential links to malicious actors, and more.

Here’s an example of using our historical DNS lookup tool for example.com that pulls historical IP to domain or domain to IP information:

What can I use historical DNS data for?

Historical DNS data has a wide range of practical applications across cybersecurity, threat intelligence, and asset management. You can use it to:

  • Add DNS context to SIEM, SOAR, and TIP platforms: Enrich security systems with DNS intelligence for better decision-making.
  • Accelerate threat detection and response: Identify unusual DNS changes or patterns associated with malicious activities.
  • Widen asset discovery and vulnerability management: Locate unmanaged or forgotten domains, subdomains, and related assets associated through DNS records.
  • Identify dangling DNS records and unsecured subdomains: Detect misconfigurations that could lead to data exposure or exploitation.
  • Expand threat intelligence gathering: Analyze historical DNS records to uncover links between domains and already known threat actor infrastructure.
  • Monitor changes in the DNS infrastructure of suspicious or malicious domains: Stay informed about updates that could signal new threats.
  • Run SaaS service discovery analyses: Identify services and platforms linked to a domain using clues from DNS records and subdomains.

These capabilities make historical DNS data a very useful resource for improving security posture and gaining deeper insights into domain activity and associated risks.

How to check DNS history?

To check DNS history:

  • Use a historical DNS lookup tool like our DNS Chronicle Lookup.
  • Enter the domain name you want to investigate.
  • Review the historical data on DNS records, including changes and updates over time.

Alternatively, you can use WhoisXML API's DNS Database Download service or the DNS Chronicle API. These data delivery models provide detailed, time-stamped DNS records and come in handy when you need to automate requests for historical DNS records.

How to use DNS history for security threat detection?

DNS history can help identify suspicious activity or patterns, such as:

  • Sudden changes in name servers or IP addresses that could indicate repurposing a domain for a phishing or malware campaign.
  • Rapid changes in A or AAAA DNS records: a technique called fast flux, which helps evade traditional detection methods and is often an indicator of malicious activity.
  • Domains with records pointing to known malicious infrastructure (based on IoCs provided by threat intelligence).

By analyzing DNS history, security teams can detect and respond to potential threats proactively.
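
The three patterns listed above, sketched as detection logic over a small constructed record set. This is an added example, not WhoisXML API code; the column names, the 24-hour window, the four-address threshold and the sample rows are all assumptions made for illustration.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows; the column names are an assumption for this example,
# not the schema of any vendor's passive DNS export.
SAMPLE = """domain,type,value,first_seen
shop.example,A,192.0.2.10,2024-01-05T00:00:00
shop.example,NS,ns1.host-a.example,2024-01-05T00:00:00
shop.example,NS,ns1.host-b.example,2024-06-01T00:00:00
flux.example,A,198.51.100.1,2024-03-01T00:00:00
flux.example,A,198.51.100.2,2024-03-01T02:00:00
flux.example,A,203.0.113.7,2024-03-01T04:00:00
flux.example,A,203.0.113.8,2024-03-01T06:00:00
"""

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["first_seen"] = datetime.fromisoformat(r["first_seen"])
    return sorted(rows, key=lambda r: r["first_seen"])

def fast_flux_candidates(rows, window=timedelta(hours=24), min_ips=4):
    """Domains with >= min_ips distinct A/AAAA values first seen in one window."""
    seen = defaultdict(list)              # domain -> [(time, ip)]
    for r in rows:
        if r["type"] in ("A", "AAAA"):
            seen[r["domain"]].append((r["first_seen"], r["value"]))
    flagged = []
    for domain, events in seen.items():
        # Slide the window so that it starts at each observation in turn.
        if any(len({ip for t, ip in events if s <= t < s + window}) >= min_ips
               for s, _ in events):
            flagged.append(domain)
    return sorted(flagged)

def ns_changes(rows):
    """(domain, time, old_ns, new_ns) each time a different name server appears."""
    last, changes = {}, []
    for r in (r for r in rows if r["type"] == "NS"):
        old = last.get(r["domain"])
        if old is not None and old != r["value"]:
            changes.append((r["domain"], r["first_seen"], old, r["value"]))
        last[r["domain"]] = r["value"]
    return changes

def ioc_hits(rows, bad_ips):
    """Domains that ever resolved to an address on a threat-intel IoC list."""
    return sorted({r["domain"] for r in rows if r["value"] in bad_ips})
```

The window and threshold need tuning against your own baseline: CDNs and load-balanced services also rotate addresses quickly, so a hit here is a lead to correlate with the other two checks rather than a verdict.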

How to use DNS history for threat actor monitoring?

DNS history can reveal connections between domains and threat actors by:

  • Tracking repeated use of specific IP addresses or name servers and other patterns in DNS record changes linked to known attackers.
  • Revealing additional threat actor infrastructure through DNS patterns, as well as learning new details about their methods and activities.
  • Monitoring threat actor infrastructure migration and proactively identifying yet-to-be-used infrastructure.

This helps cybersecurity providers keep tabs on threat actors' evolving tactics and infrastructure.

How to use DNS history for fraud detection?

DNS history aids fraud detection by uncovering:

  • Record changes that align with phishing or scam activities such as rapid switching of IP addresses (A and AAAA records) or name servers.
  • Use of disposable or suspicious DNS records with low TTL values or lack of legitimate MX records that normally should be present.
  • Historical data linking fraudulent domains to known malicious networks such as common name servers, IP addresses, and registrars.

These insights help investigators trace and mitigate fraudulent schemes.

How to use DNS history for asset discovery?

DNS history provides a comprehensive view of domain activity, which can:

  • Identify domains or subdomains tied to your organization that could pose risks if left unmonitored or used maliciously by others after expiration or transfer.
  • Highlight forgotten or unmonitored digital assets such as old subdomains or backup domains that might still be publicly accessible and can serve as entry points for attackers if not secured properly.
  • Uncover DNS issues like misconfigured DNS records that could expose sensitive data such as internal services, sensitive IP addresses, or cloud resources.

By leveraging DNS history, organizations can improve visibility and security of their digital assets.

How to use DNS history for brand protection?

DNS history supports brand protection by allowing you to detect:

  • Cybersquatting domains impersonating your brand that have suspicious IP changes or repeated use of nameservers linked to phishing campaigns. Such changes may indicate malicious intent of the domain owners.
  • Potentially malicious traffic that could signal website defacement attempts. Web application firewalls (WAFs) can block such traffic from known malicious IP addresses that are requesting access to your website.
  • Suspicious subdomains linked to your own infrastructure that may signal subdomain takeover.

We recommend using DNS history together with predictive threat intelligence feeds for better results and correlation when it comes to brand protection efforts. Read our blog post to learn more about using DNS history for brand attack prevention.