DNS Resolutions
  • 10 Mar 2023
  • 5 Minutes to read
  • Dark
    Light

DNS Resolutions

  • Dark
    Light

Article Summary

For Host Indicators, you can use DNS resolution tracking to track ongoing resolution changes and view Addresses that have resolved to the Host, presently or historically; for Address Indicators, DNS resolutions reveal the Hosts that have resolved to an Address, presently or historically. This capability allows for the automated creation of associations between the Host and the Address, as well as enables easy pivoting.

New Details Screen

Host Indicators

Enable DNS Resolution Tracking

To enable DNS resolution tracking for a Host Indicator, select the Enable DNS Tracking checkbox at the upper-right corner of the DNS Resolution card on the Overview tab of the Indicator’s Details screen (Figure 1).

Figure 1_DNS Resolutions_7.0.2

 

Note
It may take up to 90 minutes for DNS information to populate after selecting the Enable DNS Tracking checkbox.

Viewing DNS Resolution History

For Host Indicators, the DNS Resolution card (Figure 1) displays the Addresses that have resolved to the Host, presently or historically; the date and time of the resolution; and the city, country, organization, and autonomous system number (ASN) associated with each Address.

Address Indicators

For Address Indicators, the DNS Resolution card (Figure 2) is available on the Overview tab of the Indicator’s Details screen. This card displays Hosts that have resolved to the Address, presently or historically, and the date and time of each resolution.

Figure 2_DNS Resolutions_7.0.2

 

Important
Although the Enable DNS Tracking checkbox is displayed on the DNS Resolution card of an Address Indicator’s Details screen, this checkbox does not function as of ThreatConnect version 7.0.2.

Legacy Details Screen

Host Indicators

Enabling DNS Resolution Tracking

To enable DNS resolution tracking for a Host Indicator, select the DNS checkbox in the Details card on the Overview tab of the Indicator’s legacy Details screen (Figure 3).

Figure 3_DNS Resolutions_7.0.2

 

Note
It may take up to 90 minutes for DNS information to populate after selecting the DNS checkbox.

Viewing DNS Resolution History and Passive DNS

On a Host Indicator’s legacy Details screen, click the DNS tab to display the DNS screen (Figure 4).

Figure 4_DNS Resolutions_7.0.2

 

The DNS Resolution History section of the screen lists the Addresses that have resolved to the Host Indicator, presently or historically. A Host's DNS resolutions will be added as Address Indicators in the same owner as that of the Host and associated to the Host automatically.

The Passive DNS section of the screen, if available, provides the ability to view a list of the subdomain resolutions and historic IP address resolutions for the Host.

Click the SUBDOMAINS button on the Passive DNS section of the screen to display a table of subdomain resolutions, with columns for when they were first and last seen (Figure 5).

Important
The Passive DNS feature will be available only if an Organization Administrator has entered a Farsight Security™ API key on the Organization Settings screen.

Figure 5_DNS Resolutions_7.0.2

 

Click the HISTORIC IPS button on the Passive DNS section to view the Host’s IP address resolutions. A list of Address Indicators to which the Host has previously resolved will be displayed.

Importing Subdomains and Historic IP Addresses

  1. Click the IMPORT button at the bottom of the table (Figure 5) to import the data displayed in the Subdomains or Historic IPS tables as Host Indicators and Address Indicators, respectively, into ThreatConnect. A new tab will open with the Validate step of the Import Indicators screen displayed (Figure 6).

    Figure 6_DNS Resolutions_7.0.2

     

    • Owner: Select the Organization, Community, or Source into which all selected Indicators will be imported.
    • Select the checkbox for each Indicator that you want to import into ThreatConnect.
    • Click the Next button.
  2. The Confirm step will be displayed (Figure 7).

    Graphical user interface, application, Teams  Description automatically generated

     

    • Description: Click EditPencil icon_Light grayto enter a Description that will be applied to all Indicators to be imported.
    • Source: By default, the Source is set to Imported from ThreatConnect Passive DNS. Click EditIcon  Description automatically generatedto modify the Source for all Indicators to be imported.
    • Threat Rating: Use the skull icons to set the Threat Rating for all Indicators to be imported.
    • Confidence Rating: Use the slider to set the Confidence Rating for all Indicators to be imported.
    • DNS: Select the checkbox to enable DNS resolution tracking for all Host Indicators to be imported. If importing Historic IPS data as Address Indicators, this checkbox will not be displayed.
    • Whois: Select the checkbox to enable the WHOIS feature for all Host Indicators to be imported. If importing Historic IPS data as Address Indicators, this checkbox will not be displayed.
    • Click the Next button.
  3. The Labels step will be displayed (Figure 8).

    Graphical user interface, application, Teams  Description automatically generated

     

    • Security Labels: Select Security Labels to apply to all Indicators to be imported, if desired.
    • Tags: Enter Tags to apply to all Indicators to be imported, if desired. To view a list of Tags recently used, click Recent Tags….
    • Click the Next button.
  4. The Save step will be displayed (Figure 9). To associate the Indicators to be imported with a Group, follow Steps 5–8. Otherwise, click the SAVE button to complete the import process and view the imported Indicators on the Browse screen.

    Graphical user interface, application  Description automatically generated

     

  5. Click the + NEW ASSOCIATION button to associate the Indicators to a Group. The Select an Association window will be displayed (Figure 10).

    Graphical user interface, application, Teams  Description automatically generated

     

  6. Select a Group type from the Select Type dropdown menu. All Groups of the selected type will be displayed. If desired, enter text in the Filter box to filter the results further.
  7. Select one or more of the displayed Groups, and then click the SAVE button (Figure 10). Selected Groups will be displayed in the table at the bottom of the Save screen (Figure 9).
    Note
    Only one type of Group may be added at a time from the Select an Association window. To add more than one type of Group, click the + NEW ASSOCIATION button in Figure 9 again and select a different type of Group.
    Note
    Once a Group has been added to the table, it cannot be removed. The only way to exclude the Group is to click the CANCEL button and restart the Indicator import process.
  8. Click the SAVE button to complete the import process and view the imported Indicators on the Browse screen.

Address Indicators

On an Address Indicator’s legacy Details screen, click the DNS Resolutions tab to view Hosts that have resolved to the Address (Figure 11).

Graphical user interface  Description automatically generated

 

The Passive DNS section, if available, provides the ability to look up historic Host resolutions. Click the HISTORIC DOMAINS button to display a list of Host Indicators that have previously resolved to the Address (Figure 12).

Important
The Passive DNS feature will be available only if an Organization Administrator has entered a Farsight Security API key on the Organization Settings screen.

Graphical user interface, table  Description automatically generated

 

Click the IMPORT button at the bottom of the table to import and associate the displayed Host Indicators. See the “Importing Subdomains and Historic IP Addresses” section for steps on how to complete the import process.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Farsight Security™ is a trademark of Farsight Security, Inc.

20030-02 v.12.A


Was this article helpful?