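DNS History Records Strengthen Cybersecurity | WhoisXML API

DNS History Solutions Improve Internet Transparency and Cybersecurity

Explore DNS record history through our consumption models (lookup, API, and database download) to identify domain changes, infrastructure developments, and potential threats.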


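500 free API requests. No credit card required.

50 billion+ domains and subdomains
116 billion+ DNS records
Customers in 60%+ of the key categories of the Cybersecurity 150 trust us
52,000+ satisfied customers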

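Our DNS history product line includes:

  • DNS Database Download

    Directly access passive DNS A, AAAA, MX, NS, TXT, CNAME, SOA, and PTR record files from our market-leading historical DNS records database.

  • DNS Chronicle API

    DNS Chronicle API integrates easily into existing security platforms, workflows, and other tools that need passive DNS intelligence.

  • DNS Chronicle Lookup

    Easily retrieve the historical DNS A and AAAA records of any domain name by entering it in our GUI.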

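Product Benefits

  • Comprehensive

    Our historical DNS records database is one of the largest of its kind, with billions of record events, giving users deep insight into the DNS history and connections of Internet resources.

  • Easy to integrate

    Our DNS Database Download is available as CSV files. Our DNS Chronicle API is easy to integrate and supports popular programming languages and platforms.

  • Scalable

    Choose the consumption model (lookup, API, or database download) that best fits your unique needs.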


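Practical Applications

  • DNS asset discovery

    Keep asset inventories up to date by discovering connected or hidden domains and subdomains used for specific web applications and services.

  • Threat detection

    Identify unusual DNS resolution patterns that may indicate botnet activity or compromised infrastructure used to host or distribute malware.

  • Threat actor monitoring

    Stay alert to DNS resolutions associated with known threat actors, and to patterns or anomalies that may point to malicious activity.

  • Brand protection

    Monitor DNS record changes to detect domain hijacking attempts and assess how related domains affect brand reputation.

  • Third-party risk scoring

    Use DNS data to track domain configuration changes, identify connected infrastructure, and monitor suspicious activity related to vendors and other third parties.

  • Fraud detection

    Expose fraud by analyzing DNS patterns, domain ownership changes, and prior associations with malicious servers.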





Frequently Asked Questions

What are DNS records?

A DNS record is a data record stored in the Domain Name System (DNS) that maps domain names to specific resources, such as IP addresses, mail servers, or other services. A DNS server resolves those records to direct internet traffic and manage domain-related services. Common DNS record types include:

  • A record: Maps a domain to an IPv4 address.
  • AAAA record: Maps a domain to an IPv6 address.
  • MX record: Specifies mail servers for email delivery.
  • NS record: Lists authoritative name servers for a domain.
  • TXT record: Stores text-based information, often used for domain ownership verification (e.g., SPF, DKIM, or DMARC settings) or other metadata. For example, verifying website ownership to use Google Search Console requires adding a certain TXT record to the list of host records for a domain name.
  • CNAME record: Maps an alias or subdomain to another domain name. For example, it can redirect blog.example.com to www.example.com.
  • SOA record (Start of Authority): Contains administrative information about the domain, such as the primary name server, the domain administrator's contact email, and the DNS zone's version number.
  • PTR record (Pointer): Resolves an IP address to a domain name, commonly used in reverse DNS lookups.

To get information about a domain’s current DNS records, you can use our DNS lookup tool or DNS lookup API.

What is the DNS history of a domain name?

The DNS history of a domain name is a list of past DNS configurations, including changes to IP addresses, name servers, mail servers, and other DNS records over time. It provides insight into how a domain's infrastructure has evolved and can reveal ownership changes, migrations, or potential misuse.

Unlike a sizable portion of WHOIS data, DNS data is not redacted for privacy, so historical DNS records can be quite useful for cybersecurity purposes.

The Domain Name System was not engineered to keep track of historical records, but because those records hold a lot of value, independent vendors have begun creating and maintaining DNS history databases.

What data can you get from DNS history?

A domain's DNS history typically includes details such as:

  • Historical A records: Changes to IPv4 address mappings.
  • Historical AAAA records: Changes to IPv6 address mappings.
  • Historical MX records: Changes to mail server configurations.
  • Historical NS records: Updates to authoritative name servers.
  • Historical TXT records: Past text-based information, often related to verification or security.
  • Historical CNAME records: Changes to aliases or redirections for subdomains.
  • Historical SOA records: Updates to administrative details, such as the primary name server or zone version.
  • Historical PTR records: Historical mappings of IP addresses to domain names, used in reverse DNS lookups.
  • Time-stamped changes and updates: A timeline showing when each record was added, removed, or updated.

This information provides a detailed timeline of a domain's DNS activity and helps uncover patterns, infrastructure changes, potential links to malicious actors, and more.

Here’s an example of using our historical DNS lookup tool for example.com that pulls historical IP to domain or domain to IP information:

What can I use historical DNS data for?

Historical DNS data has a wide range of practical applications across cybersecurity, threat intelligence, and asset management. You can use it to:

  • Add DNS context to SIEM, SOAR, and TIP platforms: Enrich security systems with DNS intelligence for better decision-making.
  • Accelerate threat detection and response: Identify unusual DNS changes or patterns associated with malicious activities.
  • Widen asset discovery and vulnerability management: Locate unmanaged or forgotten domains, subdomains, and related assets associated through DNS records.
  • Identify dangling DNS records and unsecured subdomains: Detect misconfigurations that could lead to data exposure or exploitation.
  • Expand threat intelligence gathering: Analyze historical DNS records to uncover links between domains and already known threat actor infrastructure.
  • Monitor changes in the DNS infrastructure of suspicious or malicious domains: Stay informed about updates that could signal new threats.
  • Run SaaS service discovery analyses: Identify services and platforms linked to a domain using clues from DNS records and subdomains.

These capabilities make historical DNS data a very useful resource for improving security posture and gaining deeper insights into domain activity and associated risks.

How to check DNS history?

To check DNS history:

  • Use a historical DNS lookup tool like our DNS Chronicle Lookup.
  • Enter the domain name you want to investigate.
  • Review the historical data on DNS records, including changes and updates over time.

Alternatively, you can use WhoisXML API's DNS Database Download service or the DNS Chronicle API. These data delivery models provide detailed, time-stamped DNS records and come in handy when you need to automate requests for historical DNS records.

How to use DNS history for security threat detection?

DNS history can help identify suspicious activity or patterns, such as:

  • Sudden changes in name servers or IP addresses that could indicate repurposing a domain for a phishing or malware campaign.
  • Rapid changes in A or AAAA DNS records, a technique called fast-flux that helps evade traditional detection methods and is often an indicator of malicious activity.
  • Domains with records pointing to known malicious infrastructure (based on IoCs provided by threat intelligence).

By analyzing DNS history, security teams can detect and respond to potential threats proactively.
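
The three indicators above, applied to a handful of constructed history rows. This is an added example, not WhoisXML API code: the row layout, the thresholds, and names such as `analyze` and `KNOWN_BAD_IPS` are assumptions, and real exports will need their own parsing.

```python
from datetime import datetime, timedelta

# Constructed sample rows: (domain, record type, value, first-seen date).
# The layout is hypothetical and mirrors no vendor's export format.
HISTORY = [
    ("shop.example", "NS", "ns1.host-a.example", "2024-01-02"),
    ("shop.example", "A", "192.0.2.10", "2024-01-02"),
    ("shop.example", "NS", "ns1.host-b.example", "2024-06-01"),
    ("shop.example", "A", "198.51.100.7", "2024-06-01"),
    ("flux.example", "NS", "ns1.host-c.example", "2024-05-30"),
    ("flux.example", "A", "203.0.113.1", "2024-06-01"),
    ("flux.example", "A", "203.0.113.2", "2024-06-01"),
    ("flux.example", "A", "203.0.113.3", "2024-06-02"),
    ("flux.example", "A", "203.0.113.4", "2024-06-02"),
    ("blog.example", "NS", "ns1.host-a.example", "2023-03-01"),
    ("blog.example", "A", "192.0.2.20", "2023-03-01"),
    ("blog.example", "A", "192.0.2.21", "2024-02-01"),
]
KNOWN_BAD_IPS = {"198.51.100.7"}  # constructed IoC set

def analyze(history, iocs, window_days=2, flux_threshold=4):
    """Return {domain: sorted list of flags} for the three indicators."""
    by_domain = {}
    for domain, rtype, value, seen in history:
        when = datetime.strptime(seen, "%Y-%m-%d")
        by_domain.setdefault(domain, []).append((when, rtype, value))
    findings = {}
    for domain, events in by_domain.items():
        flags = set()
        addrs = sorted((t, v) for t, r, v in events if r in ("A", "AAAA"))
        window = timedelta(days=window_days)
        # Fast-flux: many distinct addresses first seen inside one short window.
        for start, _ in addrs:
            recent = {v for t, v in addrs if start <= t <= start + window}
            if len(recent) >= flux_threshold:
                flags.add("fast-flux")
                break
        # Name server change: NS values first seen on more than one date.
        if len({t for t, r, _ in events if r == "NS"}) > 1:
            flags.add("ns-change")
        # Any address the domain ever resolved to that appears in the IoC set.
        if any(v in iocs for _, v in addrs):
            flags.add("ioc-match")
        findings[domain] = sorted(flags)
    return findings

if __name__ == "__main__":
    for domain, flags in analyze(HISTORY, KNOWN_BAD_IPS).items():
        print(domain, flags or "no flags")
```

The window and threshold are illustrative; legitimate CDNs and load balancers also rotate addresses quickly, so tune both against known-good domains before alerting on the `fast-flux` flag.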

How to use DNS history for threat actor monitoring?

DNS history can reveal connections between domains and threat actors by:

  • Tracking repeated use of specific IP addresses or name servers and other patterns in DNS record changes linked to known attackers.
  • Revealing additional threat actor infrastructure through DNS patterns, as well as learning new details about their methods and activities.
  • Monitoring threat actor infrastructure migration and proactively identifying yet-to-be-used infrastructure.

This helps cybersecurity providers keep tabs on threat actors' evolving tactics and infrastructure.

How to use DNS history for fraud detection?

DNS history aids fraud detection by uncovering:

  • Record changes that align with phishing or scam activities such as rapid switching of IP addresses (A and AAAA records) or name servers.
  • Use of disposable or suspicious DNS records with low TTL values or lack of legitimate MX records that normally should be present.
  • Historical data linking fraudulent domains to known malicious networks such as common name servers, IP addresses, and registrars.

These insights help investigators trace and mitigate fraudulent schemes.

How to use DNS history for asset discovery?

DNS history provides a comprehensive view of domain activity, which can:

  • Identify domains or subdomains tied to your organization that could pose risks if left unmonitored or used maliciously by others after expiration or transfer.
  • Highlight forgotten or unmonitored digital assets such as old subdomains or backup domains that might still be publicly accessible and can serve as entry points for attackers if not secured properly.
  • Uncover DNS issues like misconfigured DNS records that could expose sensitive data such as internal services, sensitive IP addresses, or cloud resources.

By leveraging DNS history, organizations can improve visibility and security of their digital assets.

How to use DNS history for brand protection?

DNS history supports brand protection by allowing you to detect:

  • Cybersquatting domains impersonating your brand that have suspicious IP changes or repeated use of nameservers linked to phishing campaigns. Such changes may indicate malicious intent of the domain owners.
  • Potentially malicious traffic that could signal website defacement attempts. Web application firewalls (WAFs) can block such traffic from known malicious IP addresses that are requesting access to your website.
  • Suspicious subdomains linked to your own infrastructure that may signal subdomain takeover.

We recommend using DNS history together with predictive threat intelligence feeds for better results and correlation when it comes to brand protection efforts. Read our blog post to learn more about using DNS history for brand attack prevention.