Explore Historic DNS - Search with Risk Scores

screenshot of Silent Push Explore data dashboard page

A traditional DNS lookup gives you where a selected DNS record points at that moment in time, so today if I do a lookup for bbc.co.uk it will give me 4 IPs that it points to, one of them being 151.101.0.81.

A Passive DNS search shows you a DNS history as seen in passively collected traffic. So, if I lookup a domain only seen in traffic once I will get the IP address it had at that time.

Passive Active DNS shows DNS history as collected actively every day to give a richer view that can show patterns of changes and behavior, as well as combining passive collection techniques. So, if we lookup the same domain that was only seen in traffic once but it actually had a new IP address every day for the last year, we will see each IP address it had for the year. This is what we make available in our Explore feature.

How does this information get used? Mature security teams or security vendors will use the information to track threat actors and create their own security feeds. We’ve made this easier by adding Risk Scores to the results.

All Passive Active DNS search results have a risk indicator.

So now you get an immediate visual aid to help you decide what is risky. If you want to add this to your blocklists or feeds you simply click on the checkbox and add it to a feed or a collection(draft Feed).

What else?

All of these items are also enriched with additional context to help your security team with decision making. So even if a domain or IP has not yet been seen or added to any threat feed we can give you a good indication as to whether it is likely to be used maliciously or not.

Example of an unknown domain with some suspicious traits and similarities to known bad adversary assets.

Spoofing and Brand Monitoring

This can also be applied to Spoofing queries. Lets say you search across all DNS for something that looks like your brand, but is not on your network, and- has an IP address today.

Check for live spoofing of your brand across all DNS, but exclude your network.

Results come with Risk Scores

All of your results from this query will become populated with Silent Push Risk Scores so your analysts know where to focus.

Domains pointed at an IP, so not just a registered domain, that looks like yours, with a risk score for both the domain and IP address.

This can help your team to see at-risk domains and to take action.

Register for Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense platform that features a huge range of advanced offensive and defensive lookups, web content queries, and enriched data types.