Passive DNS

The Domain Name System (DNS) is a fundamental protocol of the Internet. Whenever an Internet resource, such as a web site, is accessed by name, the name is translated to a numeric Internet Protocol (IP) address. REN-ISAC's Passive DNS (pDNS) system, built on Farsight Security, Inc. (FSI) infrastructure, collects the request and response data observed by participating contributors, building a searchable database of the history of IP address and domain name associations. The aggregate data, stripped of sensitive information, is shared with global collection and analysis projects operated by Farsight Security. REN-ISAC members gain access to the global data, improving their security protection and incident response capabilities, and the global collections benefit from the improved quantity, timeliness, and quality of data made available.

REN-ISAC began its pDNS pilot service in 2016. It is now available to all institutions of higher education, research and education networks, and federally funded research centers. To inquire about the service, contact REN-ISAC at soc@ren-isac.net or see the "How to be a Contributor" section below.

Why is Passive DNS information important for security operations?

Since almost all Internet activity, legitimate or malicious, begins with a DNS lookup, Passive DNS data can provide information on malware, phishing, botnets, and many other kinds of malicious Internet activity. Passive DNS data is valuable for:

    • developing threat indicators that can be applied in local security protections,
    • identifying security incidents and compromised systems, e.g. malicious domains that point into your IP address space,
    • informing actions for incident response, and
    • identifying malicious infrastructure (servers, networks, botnets, etc.) for global security and law enforcement teams.
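The second use above, spotting names that resolve into your own address space but do not belong to any zone you operate, is the kind of check a security team runs against a pDNS export. The following is an added illustration, not REN-ISAC or Farsight code. It assumes the widely used newline-delimited JSON record layout (rrname, rrtype, rdata, count, time_first, time_last); the sample records, the institutional prefixes 192.0.2.0/24 and 2001:db8::/32, and the zone example.edu. are all constructed for the example (they are reserved documentation ranges and names).

```python
"""Find passive DNS answers that point into our IP space from names we do not own."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample records (NOT real pDNS data) in the common NDJSON layout.
# One deliberately broken line is included to show that the parser skips it.
SAMPLE_RECORDS = """\
{"rrname": "www.example.edu.", "rrtype": "A", "rdata": "192.0.2.10", "count": 5210, "time_first": 1483228800, "time_last": 1514764800}
{"rrname": "login-example-edu.secure-update.invalid.", "rrtype": "A", "rdata": "192.0.2.77", "count": 3, "time_first": 1500000000, "time_last": 1500003600}
{"rrname": "cdn.example.net.", "rrtype": "A", "rdata": "198.51.100.5", "count": 900, "time_first": 1490000000, "time_last": 1510000000}
{"rrname": "example.edu.", "rrtype": "NS", "rdata": "ns1.example.edu.", "count": 1200, "time_first": 1480000000, "time_last": 1515000000}
{"rrname": "ipv6.example.edu.", "rrtype": "AAAA", "rdata": "2001:db8::1", "count": 40, "time_first": 1490000000, "time_last": 1510000000}
not json at all
"""

OUR_PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]   # assumed institutional address space
OUR_ZONES = ["example.edu."]                       # assumed zones the institution owns


def parse_records(text):
    """Parse newline-delimited JSON; blank or unparseable lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def records_pointing_into(records, prefixes):
    """Return A/AAAA records whose rdata address lies inside any of the given prefixes."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    hits = []
    for rec in records:
        if rec.get("rrtype") not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rec["rdata"])
        except (KeyError, ValueError):
            continue  # malformed or missing rdata: ignore rather than abort the batch
        if any(addr in net for net in nets):
            hits.append(rec)
    return hits


def _normalize(name):
    """Lower-case and make fully qualified so suffix comparison is exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def foreign_names(hits, our_zones):
    """Names resolving into our space that are not at or below a zone we own."""
    zones = [_normalize(z) for z in our_zones]
    out = set()
    for rec in hits:
        name = _normalize(rec["rrname"])
        if not any(name == z or name.endswith("." + z) for z in zones):
            out.add(name)
    return sorted(out)


def triage_lines(hits, our_zones):
    """One human-readable line per foreign record: target, hit count, first/last seen (UTC)."""
    foreign = set(foreign_names(hits, our_zones))
    lines = []
    for rec in hits:
        if _normalize(rec["rrname"]) in foreign:
            first = datetime.fromtimestamp(rec["time_first"], tz=timezone.utc)
            last = datetime.fromtimestamp(rec["time_last"], tz=timezone.utc)
            lines.append(f"{rec['rrname']} -> {rec['rdata']} seen {rec['count']}x "
                         f"{first:%Y-%m-%d} to {last:%Y-%m-%d}")
    return lines


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    hits = records_pointing_into(recs, OUR_PREFIXES)
    for line in triage_lines(hits, OUR_ZONES):
        print(line)
```

On the constructed input, only the look-alike name under .invalid is reported: it resolves to an address in our space but is not under a zone we control, which is exactly the "malicious domain pointing into your IP space" pattern. The low hit count and short first-seen/last-seen window are the details an analyst wants next, since a freshly created name with a handful of lookups looks very different from a long-standing legitimate record.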

What are the data sensitivity concerns? Does pDNS data link persons to the requests they make?

No personally identifiable information or other sensitive information is collected. Data is collected only between the contributing organization's recursive resolving DNS server(s) and external Internet authoritative servers; the queries that end users' devices send to the resolver are not captured, so the address of the user who originally asked for a name never appears in the data. There is no information linking a person to a resolution request.

How is the pDNS data collected?

A sensor, consisting of a modest Linux server and Farsight Security, Inc.'s [1] sensor software, is installed and operated by the contributing organization. The sensor software is open source, permitting inspection and privacy validation by the global security community. The sensor is given a view of DNS network traffic (port 53, UDP and TCP) at the resolving server, typically via a network span port; the span must carry both directions of traffic so that each request can be matched with its reply. The sensor collects ONLY requests made by the resolving server to authoritative servers and the corresponding replies. The sensor sends collected data to a REN-ISAC channel on the Farsight Security Information Exchange (SIE).

How is the REN-ISAC pDNS data shared?

REN-ISAC shares the collected data with Farsight Security, Inc. and with other select REN-ISAC trusted partners operating under information sharing agreements. Farsight distributes data to vetted security researchers that maintain a contractual relationship with SIE prohibiting unauthorized redistribution, and to customers of its DNSDB service, under similar restrictions.

What is the value of being a contributor?

Passive DNS data is an extremely valuable security protection and response resource, as described above. The REN-ISAC pDNS service allows REN-ISAC members to benefit directly from global collections, improves those collections through our contributions, and opens the door to REN-ISAC access to other security intelligence resources shared by partners.

How to be a Contributor

Step 1: Decide whether your institution requires a signed data sharing agreement in order to participate. REN-ISAC offers two approaches; participating organizations may choose whichever works best in their environment:

  1. A signed Data Sharing Agreement, or 
  2. A no-signatures-required Information Sheet, for which the participating organization's Information Security Officer, superior, or equivalent must acknowledge receipt and understanding by email.

Both the Agreement and the Information Sheet describe what is collected and shared, the purpose, the absence of data sensitivity issues, how REN-ISAC will use the data, and operational considerations.

Once you determine the best approach for your organization, get the Data Sharing Agreement signed by the appropriate signatory or provide email acknowledgement of the Information Sheet as described above.

Step 2: Send contact and administrative information to REN-ISAC

Please send the following information to soc@ren-isac.net, and cc: to your institution's Information Security Officer, superior or equivalent. 

Subject: Intent to contribute data to REN-ISAC pDNS project
Name of institution:
Administrative contact:
    name:
    e-mail address:
    street address:
    phone number:

Technical contact:
    name:
    e-mail address:
    phone number:

Does your institution require a signed data sharing agreement (y/n):

REN-ISAC staff will send the institution name and contact information to Farsight Security, Inc. FSI will assign a contributor ID and username.

Step 3: Install your sensor (installation instructions are provided separately)

Step 4: Send your username, public key, and sensor IP address to passivedns@farsightsecurity.com, cc'd to soc@ren-isac.net

The username is the one FSI assigned in Step 2 (above); the public key is generated during sensor installation. FSI will enable uploads and communicate readiness.

Step 5: Run an integrity check on the data being collected and contributed.

REN-ISAC has a staging and integrity check channel, channel 196. Initially, the sensor should be configured to send to this channel. REN-ISAC staff, in conjunction with the contributing site's technical contact, will verify that the data being sent is what the institution expects (resolver-to-authoritative traffic only, with no client-side queries). Data sent to channel 196 is not stored and is not incorporated in any manner into the production pDNS collection.

Step 6: Begin the production data contribution

After data integrity has been confirmed, the site's sensor configuration is changed to send to the REN-ISAC production channel, channel 197.

Support

Please send technical questions and issues to REN-ISAC staff via soc@ren-isac.net, or direct them to the REN-ISAC pdns-sig mailing list. To subscribe to the pdns-sig mailing list, send an e-mail to soc@ren-isac.net.

As needed, REN-ISAC will bring in FSI technical staff to assist.