The Domain Name System (DNS) is an integral part of the World Wide Web. It resolves domain names to machine-readable IP addresses, such that google[.]com would be pointed to 8[.]8[.]8[.]8 or any of the company’s IP addresses.
The ability to track past DNS resolutions is an essential aspect of cybersecurity investigations. A list of indicators of compromise (IoCs), for instance, may still hide unreported domains and IP addresses that threat actors can reuse. Given a suspicious or malicious IP address, DNS history helps researchers and investigators answer these questions:
- What domain names resolved to the IP address in the past?
- Could the associated domains be related to other malicious activities?
DNS History in Action: Investigating Phishing IoCs Targeting Banks
Banks and other financial institutions are some of the favorite cyber attack targets. After all, these organizations are a gold mine from the perspective of a threat actor possibly seeking financial gains.
On 29 March 2021, an IBM X-Force Exchange report listed 359 IoCs related to a phishing campaign targeting Italian banks and financial institutions. Among the IoCs are 151 IP addresses with rich DNS histories, as revealed by reverse IP lookup tools. We describe our findings in detail below.
Expanding the List of IoCs through DNS History Queries
Footprint expansion is the primary purpose of using DNS history in security investigations: it can uncover potential leads, such as related domains, that would otherwise remain hidden.
Looking at a sample of 50 IP addresses, we found that around 50% of them were most likely dedicated or near-dedicated hosts, as each had fewer than 50 associated domain names. Historical DNS data for the sample, meanwhile, uncovered about 994 domain names that had resolved to these IP addresses.
We dissected the domain names and found some text strings that repeatedly appeared and could be telltale characteristics of suspicious domains.
Common Terms Used in the Domains
The financial sector may have one of the most stringent network security policies, and understandably so. However, we found that the associated domains used generic terms that wouldn’t necessarily sound suspicious. These include the following:
Furthermore, some domains and subdomains contain text strings that are commonly blocked on corporate networks. These include “casino,” “cinema,” and “movie.”
Some domain names also imitated reputable companies. These are worth noting, as typosquatting is a common tactic in phishing campaigns. Examples of such domains found in the DNS history database include:
Providing Context to the IoCs
A considerable part of cybersecurity investigations is contextualizing IoCs. Regarding the malicious IP addresses and their associated domains, it’s crucial to study them within the context of the time they appeared. Does this coincide with the reported malicious campaign?
To illustrate, let’s zoom in on 162[.]0[.]209[.]251, the first IP address on IBM X-Force Exchange’s list of IoCs. DNS history shows that only two domain names resolved to it, namely:
- Areopagus-bigarade[.]initrdns[.]web-hosting[.]com was first seen to resolve to the IP address on 25 September 2020.
- Business101-3[.]web-hosting[.]com, meanwhile, was first seen on 11 December 2020.
Both subdomains were last seen resolving to the IP address on 19 March 2021, or 10 days before the IBM X-Force Exchange report was published.
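As an added example (not part of the original post or of any vendor tool), the following Python script applies the workflow described above to a small, constructed passive-DNS dataset: it groups domains per IoC IP to gauge whether a host looks dedicated, flags the generic terms called out earlier, and checks whether each resolution was still live shortly before the report date. The two records for 162[.]0[.]209[.]251 mirror the dates given in the post; the 192.0.2.x address and the .example domains are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS records: (ip, domain, first_seen, last_seen).
# The first two mirror the post's 162.0.209.251 example; the rest are made up
# (192.0.2.0/24 is a documentation range, .example is a reserved TLD).
RECORDS = [
    ("162.0.209.251", "areopagus-bigarade.initrdns.web-hosting.com", date(2020, 9, 25), date(2021, 3, 19)),
    ("162.0.209.251", "business101-3.web-hosting.com", date(2020, 12, 11), date(2021, 3, 19)),
    ("192.0.2.10", "secure-login-mybank.example", date(2021, 3, 1), date(2021, 3, 28)),
    ("192.0.2.10", "free-movie-casino.example", date(2019, 1, 5), date(2019, 6, 30)),
]

REPORT_DATE = date(2021, 3, 29)          # publication date of the IoC report
BLOCKLIST_TERMS = ("casino", "cinema", "movie")
DEDICATED_THRESHOLD = 50                  # fewer domains than this suggests a dedicated host


def domains_per_ip(records):
    """Footprint expansion: collect every domain that ever resolved to each IoC IP."""
    by_ip = defaultdict(set)
    for ip, domain, _first, _last in records:
        by_ip[ip].add(domain)
    return by_ip


def is_dedicated(domains):
    """Heuristic from the post: a small historical footprint implies a dedicated host."""
    return len(domains) < DEDICATED_THRESHOLD


def flag_terms(domain):
    """Return the corporate-blocklist terms that appear in the domain name."""
    return [t for t in BLOCKLIST_TERMS if t in domain.lower()]


def active_near_report(first_seen, last_seen, report_date, window_days=30):
    """True if the resolution was still live within `window_days` before the report."""
    return first_seen <= report_date and 0 <= (report_date - last_seen).days <= window_days


def triage(records, report_date=REPORT_DATE):
    """Contextualise each domain: blocked terms and timing relative to the campaign report."""
    out = {}
    for ip, domain, first, last in records:
        out[domain] = {
            "ip": ip,
            "terms": flag_terms(domain),
            "recent": active_near_report(first, last, report_date),
            "days_before_report": (report_date - last).days,
        }
    return out
```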
As this post showed, looking at DNS history can help expand and deepen cybersecurity investigations and gather more context around IP addresses found as IoCs.