Farsight DNSDB

Overview

DNSDB is a Passive DNS (pDNS) historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts.

Farsight collects Passive DNS data from its global sensor array. It then filters and verifies the DNS transactions before inserting them into the DNSDB, along with ICANN-sponsored zone file access download data. The end result is the highest-quality and most comprehensive Passive DNS data service of its kind - with more than 100 billion DNS records since 2010.

Farsight’s DNSDB Transforms threat feeds into actionable, relevant threat intelligence in real time to increase the value of an organization’s existing threat intelligence. Its high-performance, indexed, time-series DNS intelligence data service can ultimately improve visibility for an organization’s security program and protect its infrastructure from current and future threats.

DNSDB makes it easy to find related domain names and IP addresses, assuming you have an initial domain name or IP address as a starting point. DNSDB can answer questions, such as:

• Where did this domain name point to in the past?
• What domain names are hosted on a given IP address?
• What domain names use a given name server?
• What fully qualified domain names exist below a delegation point?

Farsight Security have created a package of Transforms allowing Maltego to retrieve related information for domains, hostnames, network addresses and ranges, and e-mail addresses. These Transforms use DNSDB to find values that were observed by one of Farsight’s DNS sensors for these Entities, as well as domains resolving to these Entities.

Please take note that the most recent update includes a refresh of all Transform UI names, the functional name for use in Machines stays the same. To line up with Maltego’s naming best practices, the “[DNSDB]” reference has been moved to the end of the Transform name. More information regarding the update, as well as a table with the old and new names can be found here. A flexible search functionality has been provided to enable users to locate Transforms based on both the old and the new Transform names.

The Farsight Security DNSDB Transforms expand the power of Maltego by enabling correlation and contextualization with near real-time and historical DNS intelligence; also known as passive DNS data. Using the DNSDB Transforms users can expose entire networks, gain an outside-in view of their infrastructure and pivot across DNS record types including domains, IPs, NS, MX, AAAA, SOA and many more. Wildcard searches are also available to expose hostnames or Fully Qualified Domain Names (FQDNs) in the left side wildcard, associated domains in the right-side wildcard, and further pivoting across IPs to expose all associated domains, FQDNs, IPs, MX, NS, and other record types.

The DNSDB Transforms for Maltego can be used in any Maltego investigation to:

• Find hostnames related to network addresses.
• Illuminate the DNS (and other service) hosting infrastructure of an interesting domain and finding other domains of interest.
• Finding historical locations of a service identified by a hostname or domain.

Additional Resources

• DNSDB API Free Trial for Maltego https://www.farsightsecurity.com/maltego/
• User Guide: Using Maltego with Farsight DNSDB https://www.farsightsecurity.com/assets/media/download/DNSDB%20Maltego%20User%27s%20Guide.pdf
• DNSDB API Documentation: https://docs.dnsdb.info/

Farsight DNSDB Machines

[DNSDB] Enumerate Domain Machine

Takes a domain Entity, pulls all known hostnames, MX, NS, TXT, grabs IPs for *.domain -> Netblocks -> ASN

Farsight DNSDB Transforms

[DNSDB] Records with this value

Transform Settings

Transform Meta Info

[DNSDB] To DNSNames with this value

Transform Settings

Transform Meta Info

Variants

[DNSDB] To DNSNames with this IP

Transform Settings

Transform Meta Info

[DNSDB] To DNSNames from this IPv6 Address

Transform Settings

Transform Meta Info

[DNSDB] Domains using this MX

Transform Settings

Transform Meta Info

[DNSDB] Domains using this NS

Transform Settings

Transform Meta Info

[DNSDB] To records with this hostname

Transform Settings

Transform Meta Info

Variants

[DNSDB] To A Records for this DNSName

Transform Settings

Transform Meta Info

[DNSDB] To AAAA Records for this DNSName

Transform Settings

Transform Meta Info

[DNSDB] To MX for this DNSName

Transform Settings

Transform Meta Info

[DNSDB] To NS for this DNSName

Transform Settings

Transform Meta Info

[DNSDB] To SOA Records for this DNSName

Transform Settings

Transform Meta Info

[DNSDB] To SRV Records for this DNSName

Transform Settings

Transform Meta Info

[DNSDB] To TXT Records for this DNSName

Transform Settings

Transform Meta Info

[DNSDB] Lookup MX for this Domain

Transform Settings

Transform Meta Info

[DNSDB] Lookup NS for this Domain

Transform Settings

Transform Meta Info

[DNSDB] To DNSNames from this email

Transform Settings

Transform Meta Info

[DNSDB] MX from E-mail address

Transform Settings

Transform Meta Info

[DNSDB] To DNSNames from this URL

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$dnsname

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$dnsname/A

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$dnsname/AAAA

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$dnsname/CNAME

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$domain

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$domain/A

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$domain/AAAA

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$domain/CNAME

Transform Settings

Transform Meta Info

[DNSDB] Lookup *.$phrase

Transform Settings

Transform Meta Info

[DNSDB] Lookup $dnsname.*

Transform Settings

Transform Meta Info

[DNSDB] Lookup $dnsname.*/A

Transform Settings

Transform Meta Info

[DNSDB] Lookup $dnsname.*/AAAA

Transform Settings

Transform Meta Info

[DNSDB] Lookup $dnsname.*/CNAME

Transform Settings

Transform Meta Info

[DNSDB] Lookup $domain.*

Transform Settings

Transform Meta Info

[DNSDB] Lookup $domain.*/A

Transform Settings

Transform Meta Info

[DNSDB] Lookup $domain.*/AAAA

Transform Settings

Transform Meta Info

[DNSDB] Lookup $domain.*/CNAME

Transform Settings

Transform Meta Info

[DNSDB] lookup $phrase.*

Transform Settings

Transform Meta Info