DNSDB® 2.0 introduces a host of powerful new features and improvements - the biggest of which is Flexible Search. Both the DNSDB Standard Search API and the Flexible Search API support searching within specific time constraints, which we call “time fencing”. Time-fencing parameters match results on whether the first or last observation time of a DNS record falls before or after a given timestamp.

By default, DNSDB Standard Search and Flexible API clients search for results throughout all our data, from 2010 on. Sometimes, you only care about recent data. An example is “what did the DNS look like in the past day?”, or “what new records started being used in the past day?”. Or maybe you want to know about a particular historical period, e.g. “what did the DNS look like between 12/1/2015 and 1/5/2016?”. Or “what records were only used in that timeframe?”

Here is how to do those searches using our command-line tools dnsdbq and dnsdbflex:

The same options work for dnsdbflex.

But, there is a slight difference in behavior for the time-fencing queries when using DNSDB Standard API versus the Flexible Search API. We will illustrate this using dnsdbq and dnsdbflex, and add some corresponding screen shots from DNSDB Scout®.

Using dnsdbq, we search for all the farsightsecurity.com A records, sorting by time_last in csv form:

$ dnsdbq -r farsightsecurity.com -p csv -t A -s -k last
time_first,time_last,zone_first,zone_last,count,bailiwick,rrname,rrtype,rdata
"2013-07-17 22:08:50","2013-09-25 15:47:47",,,628,"farsightsecurity.com.","farsightsecurity.com.","A","149.20.4.207"
"2013-09-25 15:37:03","2015-04-01 06:17:25",,,6350,"farsightsecurity.com.","farsightsecurity.com.","A","66.160.140.81"
"2015-04-01 14:17:52","2018-09-27 00:29:43",,,36770,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.13.104"
"2018-09-27 11:18:14","2020-08-11 19:47:37",,,7503,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.108"
"2020-08-11 21:02:15","2020-11-06 12:30:55",,,1577,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.95"

Converting that csv output to a table form for readability:

[Figure: CSV format]

Let’s look around the time stamp “2020-08-11 19:47:37” in that data. (Note that DNSDB uses UTC time, as our DNS sensors are located around the entire world.) The last two rows were seen both before and after that time. Only the last row was seen exclusively after that time. To illustrate:

[Figure: Around timestamp]

A Standard Search for records within or overlapping that time range (not necessarily completely within it, i.e. a loose search) returns the rows that were also seen before that time:

$ dnsdbq -r farsightsecurity.com -p csv -t A -s -k last -A "2020-08-11 19:47:37"
time_first,time_last,zone_first,zone_last,count,bailiwick,rrname,rrtype,rdata
"2018-09-27 11:18:14","2020-08-11 19:47:37",,,7503,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.108"
"2020-08-11 21:02:15","2020-11-06 12:30:55",,,1577,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.95"

The dnsdbq and dnsdbflex -A option is expressed in DNSDB Scout as a Time Fencing “Seen After” parameter. Their -B option is expressed in DNSDB Scout as a Time Fencing “Seen Before” parameter. The -c option, for complete or strict matching, is expressed as the “Strict Mode” checkbox.

Using DNSDB Scout, you should enter “2020-08-11 19:47:37” in the “Seen After” box with “Strict Mode” unchecked for a similar answer.

[Figure: Standard Search Last Seen After]

Then searching for results completely within the time range (with -c) excludes the rows that were also seen before that time:

$ dnsdbq -r farsightsecurity.com -p csv -t A -s -k last -A "2020-08-11 19:47:37" -c
time_first,time_last,zone_first,zone_last,count,bailiwick,rrname,rrtype,rdata
"2020-08-11 21:02:15","2020-11-06 12:30:55",,,1577,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.95"

Using DNSDB Scout, check the “Strict Mode” box for a similar answer.

[Figure: Standard Search First Seen After]

A big difference between Standard Search and Flexible Search is that Flexible Search RRNames searches only the Left-Hand Side (LHS) data, shown in the green box:

[Figure: Loose output]

The Flex data does not have the RData values, i.e. the Right-Hand Side (RHS), in the red box, nor the other values struck out above. Flex also has the time values, which are neither LHS nor RHS, in the blue box. Flex Search therefore holds only the subset of the above data in the blue and green boxes, and since every row shares the same rrname and rrtype, those rows collapse to a single record using the earliest time_first and the latest time_last:

[Figure: Collapsed output]

Going back to that time stamp above, if we make a loose Flex search we’ll get a result:

$ dnsdbflex --g farsightsecurity.com. -t A -A "2020-08-11 19:47:37"
{"rrname":"farsightsecurity.com.","rrtype":"A"}

Even without the -A option, we’ll get the same result:

$ dnsdbflex --g farsightsecurity.com. -t A
{"rrname":"farsightsecurity.com.","rrtype":"A"}

And with DNSDB Scout:

[Figure: Flex Search Last Seen After]

But if we run a Flex search for results completely within the time range, we get “no results found for query”:

$ dnsdbflex --g farsightsecurity.com. -t A -A "2020-08-11 19:47:37" -c
Query status: NOERROR (no results found for query.)

Using DNSDB Scout, check the “Strict Mode” box for a similar answer.

[Figure: Flex Search First Seen After]

This should make sense now: the single collapsed Flex row existed both before and after the timestamp, so it cannot lie completely within the time range.

In the DNSDB data available to Standard Search, there is an A record with a new IP (104.244.14.95) first seen at 2020-08-11 21:02:15, so once the right-hand side is included, a completely new row appears at that time. To repeat what we showed above:

$ dnsdbq -r farsightsecurity.com -p csv -t A -s -k last -A "2020-08-11 19:47:37" -c
time_first,time_last,zone_first,zone_last,count,bailiwick,rrname,rrtype,rdata
"2020-08-11 21:02:15","2020-11-06 12:30:55",,,1523,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.95"

In summary: there are cases where time fencing with Standard Search will return more rows of data than a similar Flex Search.
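To make that difference concrete, here is an added Python model (not part of the original post and not code from dnsdbq, dnsdbflex or DNSDB itself) that applies the loose and strict time fence to a constructed copy of the CSV rows above and then collapses them the way Flexible Search does. It also models the -B (“Seen Before”) side, which the post mentions but does not run, and it assumes the fence comparisons are inclusive, as the loose -A output above (which returns the row whose time_last equals the timestamp) suggests.

```python
import csv
from datetime import datetime, timezone

# Constructed copy of the dnsdbq CSV output shown on this page (timestamps are UTC).
STANDARD_CSV = """\
time_first,time_last,zone_first,zone_last,count,bailiwick,rrname,rrtype,rdata
"2013-07-17 22:08:50","2013-09-25 15:47:47",,,628,"farsightsecurity.com.","farsightsecurity.com.","A","149.20.4.207"
"2013-09-25 15:37:03","2015-04-01 06:17:25",,,6350,"farsightsecurity.com.","farsightsecurity.com.","A","66.160.140.81"
"2015-04-01 14:17:52","2018-09-27 00:29:43",,,36770,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.13.104"
"2018-09-27 11:18:14","2020-08-11 19:47:37",,,7503,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.108"
"2020-08-11 21:02:15","2020-11-06 12:30:55",,,1577,"farsightsecurity.com.","farsightsecurity.com.","A","104.244.14.95"
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def load_rows(text):
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["time_first"], r["time_last"] = parse_ts(r["time_first"]), parse_ts(r["time_last"])
    return rows

def time_fence(rows, after=None, before=None, strict=False):
    # Loose (-A/-B alone): keep rows that merely overlap the window, i.e. time_last >= after
    # and time_first <= before.  Strict (-c): keep rows completely inside the window, i.e.
    # time_first >= after and time_last <= before.  Inclusive bounds are an assumption here.
    def inside(r):
        lo, hi = (r["time_first"], r["time_last"]) if strict else (r["time_last"], r["time_first"])
        return (after is None or lo >= after) and (before is None or hi <= before)
    return [r for r in rows if inside(r)]

def collapse_flex(rows):
    # Flexible Search keeps only rrname/rrtype plus the time span, so the five Standard rows
    # collapse to one record carrying the earliest time_first and the latest time_last.
    flex = {}
    for r in rows:
        key = (r["rrname"], r["rrtype"])
        tf, tl = flex.get(key, (r["time_first"], r["time_last"]))
        flex[key] = (min(tf, r["time_first"]), max(tl, r["time_last"]))
    return [{"rrname": n, "rrtype": t, "time_first": tf, "time_last": tl}
            for (n, t), (tf, tl) in flex.items()]

def compare(after_str):
    # Run the same "Seen After" fence, loose and strict, over Standard and Flex data.
    after = parse_ts(after_str)
    std = load_rows(STANDARD_CSV)
    flex = collapse_flex(std)
    return {"standard_loose": [r["rdata"] for r in time_fence(std, after=after)],
            "standard_strict": [r["rdata"] for r in time_fence(std, after=after, strict=True)],
            "flex_loose": len(time_fence(flex, after=after)),
            "flex_strict": len(time_fence(flex, after=after, strict=True))}
```

Running compare("2020-08-11 19:47:37") reproduces the four results on this page: two Standard rows loosely, one strictly, one Flex record loosely and none strictly.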

References

For more information about DNSDB Time Fencing please see Joe St Sauver’s Farsight’s DNSDB Time Fencing: A Post-Attack “Time Machine”:

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.