SANS had the opportunity to review Farsight Security’s Passive DNS Database (DNSDB), a passive DNS database designed to help investigators enhance the efficiency and effectiveness of their threat hunting investigations and take action on threats. This was a unique product review for SANS because the DNSDB platform is a large data engine that can be queried, rather than a “packaged platform/product” as is the case for many of our other reviews.

In this review, SANS used DNSDB to explore numerous ways that passive historical DNS data can be used for operational, security, and even business-focused use cases.

The key takeaways from their assessment include the following:

  • The DNSDB platform was easy to access via both direct API and command-line interface (CLI) utilities.
  • With DNSDB Scout, Farsight’s comprehensive, custom dashboard, we were able to quickly begin creating DNSDB queries from our web browser.
  • DNSDB Scout made it easy to create both simple keyword searches and regular expression searches using Flexible Search and the DNSDB command line.
  • The time fencing and sorting features allowed us to limit query results solely to the data we wanted, saving us time.
  • We were able to use the context of search results to lower the risks of the scenarios we tested, including phishing and malware infections, and improve mail defenses.

Paper by: Dave Shackleford