Why contribute passive DNS data to ISC?
ISC – the Public Benefit Company that works to sustain the spirit of the Internet – is expanding the capacity of our Passive DNS System. Passive DNS provides the industry greater insight into how the cyber-criminals are using DNS to violate the Internet.
Vetted organizations are invited to join the pDNS network by configuring their DNS infrastructure to act as a passive DNS sensor (pDNS). Once you join, your system becomes part of the global pDNS network, helping to fight cybercrime and gaining you access to new and effective tools.
Passive DNS is a very scalable network design and has minimal operational impact. As an additional bonus for participating, all vetted organizations that contribute Passive DNS will have access to the DNS Database (DNSDB) at the ISC Security Information Exchange (SIE) – an investigative tool that we use to analyze the cyber-criminal’s use of DNS. By participating in this effort, you are expanding the data collected, thereby enabling greater insights into how the cyber-criminals are using DNS to exploit the Internet.
What is Passive DNS?
“Passive DNS” or “passive DNS replication” is a technique invented by Florian Weimer in 2004 to opportunistically reconstruct a partial view of the data available in the global Domain Name System into a central database where it can be indexed and queried.
Passive DNS databases are extremely useful for a variety of purposes. Malware and e-crime rely heavily on the DNS, and so-called “fast flux botnets” abuse the DNS with frequent updates and low TTLs. Passive DNS databases can answer questions that are difficult or impossible to answer with the standard DNS protocol, such as:
· Where did this domain name point to in the past?
· What domain names are hosted by a given nameserver?
· What domain names point into a given IP network?
· What subdomains exist below a certain domain name?
Joining the network by operating a passive DNS sensor is an effective and easy way to contribute to the global online anti-abuse effort. The data is aggregated, and so it cannot be linked to the specific devices that made the query.
Passive DNS Data Collection
Passive DNS only replicates the inter-server traffic between caching recursive nameservers and authoritative nameservers. Data capture only occurs when a recursive DNS cache experiences a cache miss and must query in order to obtain needed data.
Passive DNS replication is inherently both efficient and privacy preserving. Only a small portion of the network traffic generated by a DNS server needs to be captured and backhauled. This is more efficient than the traditional “DNS logging”.
No client IP addresses are ever captured, because only the upstream traffic requested by the recursive DNS cache is observed. The absence of client IP addresses preserves privacy. In addition, cached data is reused: a single upstream query serves every client that later asks for the same name, so no individual lookup can be distinguished. Large, busy DNS caches are thus naturally very effective at protecting the privacy of individual users.
ISC has produced an easy-to-install passive DNS sensor program, which can be installed directly on either production DNS servers or a monitoring server connected to a “tap” or “SPAN” port. The sensor uses libpcap to collect the upstream packets generated by the recursive DNS server and then periodically uploads the data in compressed form to collection servers operated by ISC’s Security Information Exchange (SIE) project. Even extremely busy DNS servers typically produce only 1-5 megabytes of data per minute.
DNS Database (DNSDB)
Passive DNS data is uploaded into the SIE network, where it is distributed to vetted security researchers that maintain contractual relationships with SIE that prohibit unauthorized redistribution. ISC has invested a considerable amount of resources into analyzing and aggregating the large volumes of passive DNS data submitted to SIE. One of the results of this effort is the ISC Passive DNS Database (DNSDB), a database cluster that stores unique DNS records witnessed in the passive DNS data.
In exchange for providing passive DNS data to the ISC DNSDB project, vetted operators of passive DNS sensors are entitled to no-fee access to ISC DNSDB’s easy-to-use web search interface.
As can be seen in figure 2, DNSDB provides insight into criminal activity. Starting from a domain taken from a spam e-mail, DNSDB can trace the DNS activity to uncover associated domains which have been, or will be, used for future spam.
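The following is an added example, not ISC's sensor code nor the DNSDB implementation. It ties together three things the page describes: the sensor filter that keeps only inter-server responses to the recursor (so no client IP is ever stored), the aggregation of witnessed records into unique (name, type, rdata) triples with first-seen/last-seen timestamps and counts, and the four question types listed under "What is Passive DNS?" plus the spam-domain pivot described for DNSDB. The resolver address, the packets (already decoded into answer tuples rather than raw wire format) and every name and address in it are constructed for illustration.

```python
"""Toy passive DNS sensor and database.

Added example, not ISC's sensor or DNSDB code. Everything here is constructed
for illustration: the resolver address, the sample packets (already decoded
into (name, type, rdata) tuples instead of raw wire format) and the names.
"""
import ipaddress
from collections import defaultdict

RECURSOR_IP = "192.0.2.53"   # constructed: address of the caching resolver


def is_upstream_response(pkt):
    """Sensor filter: keep only answers sent by authoritative servers to the
    recursor after a cache miss. Stub-client queries and the recursor's replies
    to clients never pass, so no client IP can end up in a record."""
    return pkt["dst"] == RECURSOR_IP and pkt["sport"] == 53 and pkt["qr"] == 1


def _norm(name):
    """Canonical form: lower case, single trailing dot."""
    return name.lower().rstrip(".") + "."


class PassiveDNSDB:
    """Unique (rrname, rrtype, rdata) triples with first/last seen and a count,
    indexed by name and by rdata, like a miniature DNSDB."""

    def __init__(self):
        self.records = {}                 # key -> {"first_seen", "last_seen", "count"}
        self.by_name = defaultdict(set)   # rrname -> keys
        self.by_rdata = defaultdict(set)  # rdata  -> keys

    def ingest(self, pkt):
        """Record every answer RR of an upstream response; return RRs stored."""
        if not is_upstream_response(pkt):
            return 0
        for rrname, rrtype, rdata in pkt["answers"]:
            key = (_norm(rrname), rrtype, rdata)
            entry = self.records.get(key)
            if entry is None:
                self.records[key] = {"first_seen": pkt["ts"], "last_seen": pkt["ts"], "count": 1}
            else:
                entry["last_seen"] = max(entry["last_seen"], pkt["ts"])
                entry["count"] += 1
            self.by_name[key[0]].add(key)
            self.by_rdata[rdata].add(key)
        return len(pkt["answers"])

    def history(self, name, rrtype=None):
        """Where did this name point in the past?"""
        rows = [(e["first_seen"], e["last_seen"], k[1], k[2], e["count"])
                for k, e in self.records.items()
                if k[0] == _norm(name) and (rrtype is None or k[1] == rrtype)]
        return sorted(rows)

    def names_for_nameserver(self, ns):
        """What domain names are hosted by (delegated to) a given nameserver?"""
        return sorted(k[0] for k in self.by_rdata.get(ns, ()) if k[1] == "NS")

    def names_in_network(self, cidr):
        """What domain names point into a given IP network?"""
        net = ipaddress.ip_network(cidr)
        return sorted({k[0] for k in self.records
                       if k[1] in ("A", "AAAA") and ipaddress.ip_address(k[2]) in net})

    def subdomains(self, zone):
        """What subdomains exist below a certain domain name?"""
        suffix = "." + _norm(zone)
        return sorted(n for n in self.by_name if n.endswith(suffix))

    def related_names(self, name):
        """Pivot from one name to others that share an address with it,
        the kind of spam-domain to sibling-domain trace the page describes."""
        addrs = {k[2] for k in self.by_name.get(_norm(name), ()) if k[1] in ("A", "AAAA")}
        out = {k[0] for a in addrs for k in self.by_rdata.get(a, ()) if k[1] in ("A", "AAAA")}
        out.discard(_norm(name))
        return sorted(out)


# Constructed traffic as seen from a tap in front of the recursor.
SAMPLE_PACKETS = [
    # stub client 10.0.0.7 asks the recursor: dropped (would carry a client IP)
    {"ts": 100, "src": "10.0.0.7", "dst": RECURSOR_IP, "sport": 41234, "qr": 0, "answers": []},
    # recursor answers the client: also dropped
    {"ts": 100, "src": RECURSOR_IP, "dst": "10.0.0.7", "sport": 53, "qr": 1,
     "answers": [("www.example.net", "A", "203.0.113.10")]},
    # cache miss: authoritative server answers the recursor, recorded
    {"ts": 100, "src": "198.51.100.1", "dst": RECURSOR_IP, "sport": 53, "qr": 1,
     "answers": [("www.example.net", "A", "203.0.113.10"),
                 ("example.net", "NS", "ns1.example-dns.net.")]},
    {"ts": 200, "src": "198.51.100.1", "dst": RECURSOR_IP, "sport": 53, "qr": 1,
     "answers": [("www.example.net", "A", "203.0.113.10")]},
    # the name later moves to a new address (fast-flux style churn)
    {"ts": 300, "src": "198.51.100.1", "dst": RECURSOR_IP, "sport": 53, "qr": 1,
     "answers": [("www.example.net", "A", "203.0.113.77"),
                 ("mail.example.net", "A", "203.0.113.20"),
                 ("other.example", "NS", "ns1.example-dns.net.")]},
    # an unrelated-looking name sharing the new address: the pivot target
    {"ts": 400, "src": "198.51.100.2", "dst": RECURSOR_IP, "sport": 53, "qr": 1,
     "answers": [("promo.example-offers.test", "A", "203.0.113.77")]},
]


def build_db(packets=SAMPLE_PACKETS):
    """Run the sample traffic through the sensor filter into a fresh database."""
    db = PassiveDNSDB()
    stored = sum(db.ingest(p) for p in packets)
    return db, stored


if __name__ == "__main__":
    db, stored = build_db()
    print(stored, "RRs stored;", len(db.records), "unique")
    print(db.history("www.example.net"))
    print(db.related_names("www.example.net"))
```

Two details carry the privacy argument from the text: the filter admits a packet only when its destination is the recursor and its source port is 53, so the stub client's address in the first two sample packets is never even examined by `ingest`, and the stored key contains nothing but the record itself. The repeated answer at ts 200 becomes a count of 2 on an existing row rather than a new row, which is the aggregation that makes the volume manageable and the data unlinkable to any one lookup.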
In the summer of 2013, this project was spun out of ISC into a for-profit company, Farsight Security, Inc. For more information on this service, please contact Farsight. Farsight provides DNS security information as a commercial service. ISC no longer maintains DNSDB or the SIE.
SIE DNS sensor packages:
Red Hat / CentOS and Debian:
Papers and Materials:
Florian Weimer’s original paper: