Introduction

DNSDB is a database that stores and indexes both the passive DNS data available via Farsight Security’s Security Information Exchange (SIE) and the authoritative DNS data that various zone operators make available. DNSDB makes it easy to search for individual DNS RRsets and provides additional metadata for search results, such as first seen and last seen timestamps and the DNS bailiwick associated with an RRset. DNSDB can also perform inverse (rdata) searches, finding every name whose records point at a given IP address or name.

The Farsight DNSDB API Documentation can be found at https://api.dnsdb.info/

DNSDB Capabilities and limits

Access to DNSDB can be licensed in a number of ways and access can be granted via a number of interfaces and tools. These licenses and tools have different capabilities and limits that a user needs to be aware of.

The tables below summarize these capabilities and limits:

Trial Products

Product                Quota         Maximum Results  Duration  Data Available  Rate Limit   Query Privacy
Maltego Free Queries   12 per hour   12               N/A       2010 to now     12 per hour  No

To inquire about a demonstration of DNSDB and an opportunity for a trial API key, please request a demonstration from Farsight’s sales team.

Subscription Products

Product                 Quota            Maximum Results  Duration  Data Available  Rate Limit  Query Privacy
Queries per Day (QPD)   1K - Unlimited   10K - 1M         1 Year    2010 to now     None        Yes

User Guide Notes

The examples below assume the API key has been placed in the APIKEY shell variable, so that it is passed in the X-API-Key header rather than typed into each command:

$ APIKEY="QmIodGqF12TKOf8bqBe6S6WxvZ4LTtzP1VlS09g0UApw28gedka545OcumVW4WHkB"

Please note that the API calls below all use API version 2.

Primary Pivots

When using the Farsight DNSDB API for historical DNS investigations, there are five primary pivots of which one should be aware:

  1. Name ‐> Answers (names and IPs)
  2. Wildcard left hand side
  3. Wildcard right hand side
  4. IP ‐> Names
  5. Name ‐> Names

Name ‐> Answers

A name is specified and the historical answers associated with that name are returned. Common record types to be returned would be A, AAAA, NS, MX, SOA, TXT, etc. If no record type is specified, all record types are returned.

Hostname

Hostname: www.fsi.io

When investigating a hostname/FQDN you will often get only a few record types back. An investigator can frequently obtain additional value by also querying the base (second level) domain, as the next section shows:

$ curl -s -H 'Accept: application/x-ndjson' -H "X-API-Key: $APIKEY" \
     "https://api.dnsdb.info/dnsdb/v2/lookup/rrset/name/www.fsi.io?limit=10000"

Second Level Domain

Domain: fsi.io

$ curl -s -H 'Accept: application/x-ndjson' -H "X-API-Key: $APIKEY" \
    "https://api.dnsdb.info/dnsdb/v2/lookup/rrset/name/fsi.io?limit=10000"

Wildcard left hand side

This search effectively enumerates all of the sub-domains of a second level domain: the leading "*." matches one or more labels to the left of fsi.io. Expect a large result set for a busy domain, so keep the limit high.

$ curl -s -H 'Accept: application/x-ndjson' -H "X-API-Key: $APIKEY" \
    "https://api.dnsdb.info/dnsdb/v2/lookup/rrset/name/*.fsi.io?limit=10000"

Wildcard right hand side

This search effectively enumerates the other TLDs in which the ASCII name can be seen (farsightsecurity.com, farsightsecurity.net, and so on), as well as places where the ASCII name appears as a sub-domain of some other domain. The trailing ".*" matches one or more labels to the right of the name; it is not a regex search.

$ curl -s -H 'Accept: application/x-ndjson' -H "X-API-Key: $APIKEY" \
    "https://api.dnsdb.info/dnsdb/v2/lookup/rrset/name/farsightsecurity.*?limit=10000"

IP ‐> Names

A single IP address

This search returns all names that have pointed to the IP address specified (/32).

$ curl -s -H 'Accept: application/x-ndjson' -H "X-API-Key: $APIKEY" \
    "https://api.dnsdb.info/dnsdb/v2/lookup/rdata/ip/104.244.13.104?limit=10000"

A CIDR range

This search returns all names that have pointed to any address in the CIDR range specified (/24). The prefix length is written after a comma rather than a slash, because the slash would be read as a URL path separator.

$ curl -s -H 'Accept: application/x-ndjson' -H "X-API-Key: $APIKEY" \
    "https://api.dnsdb.info/dnsdb/v2/lookup/rdata/ip/104.244.13.0,24?limit=10000"

Name ‐> Names

This search returns the RRsets whose rdata is the given name, that is, any names pointing to that name. Finding every zone that lists a given host as its NS record is a good example of its usefulness; appending /NS to the path restricts the results to that record type.

$ curl -s -H 'Accept: application/x-ndjson' -H "X-API-Key: $APIKEY" \
    "https://api.dnsdb.info/dnsdb/v2/lookup/rdata/name/ns1.infocity.club/NS?limit=10000"

Considerations

Things to consider when implementing DNSDB API:

  1. When the plan is to truncate the answers displayed to the user, you will often want to make a much larger query to the API to ensure you receive the most recent results. Use a query limit of at least 10,000.
  2. The data returned by the API is not sorted; you will often want to sort the data by time_last. The most recent DNS results are usually of the most value to the investigator.
  3. Email addresses found in SOA records make a good pivot into other databases such as historical WHOIS.
  4. In a graphical UI, being able to pivot between names and IP addresses as hyperlinks is often a good user experience.
  5. The ability to filter (hide) various DNS record types can make it easier to parse through the passive DNS results.
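As an added example (not code from the original guide or from Farsight), the following Python script applies considerations 1, 2, 3 and 5 to a saved DNSDB API v2 ndjson response: it checks that the stream ended with a terminal condition (and flags "limited", which means the ?limit= was hit), sorts RRsets by last-seen time, hides chosen record types, and turns the SOA RNAME field into a mailbox for a WHOIS pivot. The sample lines are constructed to mimic the v2 streaming format and are not real query output; the timestamps, name servers and SOA values are made up for illustration.

```python
"""Post-process a DNSDB API v2 ndjson (SAF) response offline.

Added example: SAMPLE_NDJSON is CONSTRUCTED to mimic the v2 streaming shape
({"cond":"begin"}, one {"obj":{...}} per RRset, then a terminal {"cond":...}).
It is not real DNSDB output; all values are made up.
"""
import json

# Constructed sample: what lookup/rrset/name/fsi.io might stream back. Records
# derived from zone files carry zone_time_first/zone_time_last instead of
# time_first/time_last, so one such record (bailiwick "io.") is included.
SAMPLE_NDJSON = "\n".join([
    '{"cond":"begin"}',
    '{"obj":{"count":12,"time_first":1517443200,"time_last":1588291200,'
    '"rrname":"fsi.io.","rrtype":"A","bailiwick":"fsi.io.","rdata":["104.244.13.104"]}}',
    '{"obj":{"count":3,"time_first":1420070400,"time_last":1451606400,'
    '"rrname":"fsi.io.","rrtype":"A","bailiwick":"fsi.io.","rdata":["192.0.2.10"]}}',
    '{"obj":{"count":40,"time_first":1420070400,"time_last":1596240000,'
    '"rrname":"fsi.io.","rrtype":"NS","bailiwick":"fsi.io.",'
    '"rdata":["ns.lah1.vix.com.","ns1.fsi.io."]}}',
    '{"obj":{"count":7,"time_first":1420070400,"time_last":1590000000,'
    '"rrname":"fsi.io.","rrtype":"SOA","bailiwick":"fsi.io.",'
    '"rdata":["ns.lah1.vix.com. hostmaster.fsi.io. 2020010101 7200 3600 604800 3600"]}}',
    '{"obj":{"count":1,"zone_time_first":1500000000,"zone_time_last":1580000000,'
    '"rrname":"fsi.io.","rrtype":"NS","bailiwick":"io.",'
    '"rdata":["ns.lah1.vix.com.","ns1.fsi.io."]}}',
    '{"cond":"succeeded"}',
])

# "limited": the ?limit= was reached (raise it, consideration 1);
# "truncated": the server cut the stream short; "failed" carries an error.
TERMINAL_CONDS = ("succeeded", "limited", "truncated")


def parse_saf(text):
    """Return (records, final_cond); refuse a stream with no terminal cond."""
    records, cond = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if "obj" in msg:
            records.append(msg["obj"])
        elif "cond" in msg:
            cond = msg["cond"]
            if cond == "failed":
                raise RuntimeError("DNSDB query failed: %s" % msg.get("msg", ""))
    if cond not in TERMINAL_CONDS:
        raise RuntimeError("incomplete stream, last cond was %r" % (cond,))
    return records, cond


def last_seen(rec):
    """Unified last-seen timestamp for passive and zone-file records."""
    return rec.get("time_last", rec.get("zone_time_last", 0))


def newest_first(records, hide_types=()):
    """Considerations 2 and 5: newest results first, noisy rrtypes hidden."""
    hidden = {t.upper() for t in hide_types}
    kept = (r for r in records if r["rrtype"].upper() not in hidden)
    return sorted(kept, key=last_seen, reverse=True)


def rdata_values(rec):
    """rrset lookups return rdata as a list, rdata lookups as one string."""
    rd = rec["rdata"]
    return list(rd) if isinstance(rd, list) else [rd]


def rname_to_mailbox(rname):
    """SOA RNAME 'hostmaster.fsi.io.' -> 'hostmaster@fsi.io'.

    A literal dot in the mailbox local part is escaped as '\\.' in
    presentation format (RFC 1035 5.1), so split on the first unescaped dot.
    """
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
        elif c == ".":
            return "%s@%s" % ("".join(local), rname[i + 1:])
        else:
            local.append(c)
            i += 1
    return None  # no domain part: not a usable mailbox


def soa_contacts(records):
    """Consideration 3: collect SOA mailboxes as pivots into historical WHOIS."""
    out = []
    for rec in records:
        if rec["rrtype"].upper() != "SOA":
            continue
        for rd in rdata_values(rec):
            fields = rd.split()
            mbox = rname_to_mailbox(fields[1]) if len(fields) >= 2 else None
            if mbox and mbox not in out:
                out.append(mbox)
    return out


if __name__ == "__main__":
    recs, cond = parse_saf(SAMPLE_NDJSON)
    print("terminal condition:", cond)
    for r in newest_first(recs, hide_types=("NS",))[:3]:  # query big, show few
        print(last_seen(r), r["rrtype"], r["bailiwick"], ", ".join(rdata_values(r)))
    print("SOA contacts:", soa_contacts(recs))
```

To use it against live data, save the output of one of the curl commands above to a file and pass its contents to parse_saf; the terminal condition tells you whether the result set is complete before you trust what it is missing.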

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.