Core PDNS

Mapping The Internet To Provide Actionable Intelligence

By mapping the current and historical activity of domains and IPs, Core’s Passive DNS (PDNS) provides Incident Response, Fraud, and Security Operation Center teams the richest source of contextual, factual DNS activity data to investigate, mitigate, and protect against cyber threats. Core’s PDNS database is the industry’s largest, mapping 93 billion domains to IPs with trillions of DNS queries observed monthly from millions of devices. Armed with facts on the activity of the Internet, security professionals can: 

  • Identify when a domain or IP has become malicious 
  • Correlate with threat intelligence to provide context to a security event 
  • Enumerate fast flux C&C infrastructure 
  • Classify entire IP blocks to be treated as malicious 
  • Track threat actors as they change their infrastructure
  • Spot patterns in operators / actors using shared infrastructure and hosting 
  • Estimate volumes of victims, rate of growth, and if a domain is still active C&C 
  • Discover specific malicious activity, especially for malicious use of dynamic DNS providers’ infrastructure
  • Investigate fraudulent use of corporate branding

 

PDNS Empowers Your Team By:

Making Threat Intelligence Actionable

You’ve just learned PIGLYEUTQQ.COM is a TeslaCrypt domain. Core’s PDNS reveals all the IPs the domain has ever resided on: 

  • 37.123.101.74 
  • 46.246.126.108 
  • ....
  • 91.196.50.241 

Core’s PDNS then shows you the related domains that have pointed to those IPs. You immediately identify more domains to block along with context on the actor’s network infrastructure. 

  • HELLOMENQQ.SU
  • HELLOWOMENQQ.SU 
  • ITSYOURTIMEQQ.SU 
  • .... 
  • HELLOWORLDQQQ.COM
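
The pivot described above (seed domain to its historical IPs, then to the other domains that resolved to those IPs), as an added example that is not part of the datasheet or Core's own code. It runs over a constructed list of domain-to-IP records that reuses the domains and IPs shown on this page plus made-up entries, and it adds one check a practitioner wants on a real dataset: an IP hosting many unrelated tenants (shared hosting, a CDN) is reported but not expanded, since pivoting through it would pull in domains that have nothing to do with the actor. The `max_tenants` threshold is an assumption, not a product parameter.

```python
from collections import defaultdict

# Constructed sample of Passive DNS domain -> IP records. The first domain and
# its IPs are the ones shown on the datasheet; the other entries are made up to
# illustrate the pivot. A real PDNS answer would hold far more records.
RRSETS = [
    ("PIGLYEUTQQ.COM", "37.123.101.74"),
    ("PIGLYEUTQQ.COM", "46.246.126.108"),
    ("PIGLYEUTQQ.COM", "91.196.50.241"),
    ("HELLOMENQQ.SU", "37.123.101.74"),
    ("HELLOWOMENQQ.SU", "46.246.126.108"),
    ("ITSYOURTIMEQQ.SU", "91.196.50.241"),
    ("HELLOWORLDQQQ.COM", "91.196.50.241"),
    # A busy shared-hosting IP (constructed). Expanding it would drag unrelated
    # tenants into the block list, so the pivot reports it without expanding it.
    ("PIGLYEUTQQ.COM", "203.0.113.10"),
    ("example-blog.net", "203.0.113.10"),
    ("family-photos.org", "203.0.113.10"),
    ("shop-local.biz", "203.0.113.10"),
    ("newspaper.example", "203.0.113.10"),
]


def build_indexes(rrsets):
    """Index the records both ways: domain -> IPs and IP -> domains.

    Domain names are case-insensitive, so they are lower-cased for matching.
    """
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, ip in rrsets:
        domain_to_ips[domain.lower()].add(ip)
        ip_to_domains[ip].add(domain.lower())
    return domain_to_ips, ip_to_domains


def pivot(seed, rrsets, max_tenants=4):
    """Return (ips, related_domains, skipped_ips) for a seed domain.

    ips             - every IP the seed has resolved to in the records
    related_domains - other domains that resolved to those IPs
    skipped_ips     - IPs with more than max_tenants distinct domains; these
                      look like shared infrastructure and are not expanded
                      (the threshold is an assumption for this example).
    """
    domain_to_ips, ip_to_domains = build_indexes(rrsets)
    seed = seed.lower()
    ips = domain_to_ips.get(seed, set())
    related, skipped = set(), set()
    for ip in ips:
        tenants = ip_to_domains[ip]
        if len(tenants) > max_tenants:
            skipped.add(ip)
            continue
        related.update(d for d in tenants if d != seed)
    return sorted(ips), sorted(related), sorted(skipped)


if __name__ == "__main__":
    ips, related, skipped = pivot("PIGLYEUTQQ.COM", RRSETS)
    print("IPs the seed has resided on:", ips)
    print("Related domains to block:", related)
    print("Shared IPs reported but not expanded:", skipped)
```

The skipped IPs still deserve a look by hand; the point of the threshold is only that co-hosting on a crowded IP is weak evidence on its own, while co-hosting on an IP that serves a handful of domains is strong evidence.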
     

Enhancing Forensic Discovery

You are investigating an incident where a device is potentially compromised. The device’s communications are reaching out to the domain amouc.com. Core’s PDNS shows: 

  • amouc.com has only had activity on it for two days
  • global query volumes are close to the amount of your local activity 

You immediately know this is a new domain, potentially targeted specifically at you. Further investigation reveals customer data is being exfiltrated using a form of DNS exfiltration. Core’s PDNS provides you the context needed to respond quickly.
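The two observations the scenario rests on (the domain has only been seen for a couple of days, and global query volume is close to your own) can be turned into a repeatable triage check. The code below is an added example, not the datasheet's or Core's own code; it works on a constructed summary record in the shape of the fields the sidebar describes (first/last seen, global query volume, distinct devices). The field names, the 7-day "new" window and the 50% local-share threshold are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed PDNS summaries keyed by domain. amouc.com is the domain from the
# scenario; cdn.example.net is a made-up long-lived, widely queried domain for
# contrast. Field names are assumptions, not the product's schema.
PDNS_SUMMARY = {
    "amouc.com": {
        "first_seen": datetime(2016, 3, 1, 8, 0),
        "last_seen": datetime(2016, 3, 3, 8, 40),
        "global_queries": 1260,
        "global_devices": 3,
    },
    "cdn.example.net": {
        "first_seen": datetime(2012, 6, 20),
        "last_seen": datetime(2016, 3, 3, 8, 40),
        "global_queries": 48_000_000,
        "global_devices": 910_000,
    },
}

# Time of the investigation (constructed), used as the default "now".
NOW = datetime(2016, 3, 3, 9, 0)


def triage(domain, local_queries, now=NOW, summary=PDNS_SUMMARY,
           max_age_days=7, local_share_threshold=0.5):
    """Score a domain seen in local logs against its global PDNS record.

    never_seen       - PDNS has no record at all
    new_domain       - first observed globally within max_age_days
    mostly_us        - our own queries make up at least local_share_threshold
                       of the global volume, i.e. almost nobody else resolves it
    suspect_targeted - new_domain and mostly_us together
    local_queries is the count from your own resolver logs.
    """
    record = summary.get(domain.lower())
    if record is None:
        # Nothing seen globally: treat as new and entirely ours.
        return {"never_seen": True, "new_domain": True,
                "mostly_us": True, "suspect_targeted": True}
    age = now - record["first_seen"]
    new_domain = age <= timedelta(days=max_age_days)
    global_q = record["global_queries"]
    share = local_queries / global_q if global_q else 1.0
    mostly_us = share >= local_share_threshold
    return {
        "never_seen": False,
        "age_days": age.days,
        "local_share": round(share, 3),
        "new_domain": new_domain,
        "mostly_us": mostly_us,
        "suspect_targeted": new_domain and mostly_us,
    }


if __name__ == "__main__":
    for name in ("amouc.com", "cdn.example.net"):
        print(name, triage(name, local_queries=1100))
```

Neither signal is conclusive alone: new domains are registered legitimately every day, and a low global share can simply mean a small site. Together they single out the case the scenario describes, a domain that barely exists outside your own network.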

 

Providing Visibility Into Fraudulent Use of Brand

Your company is ACME Inc. You already receive reports from brand protection firms for anyone creating 2LD domain names like MYACME.COM, but you have limited visibility into other abuse. Core’s PDNS allows you to uncover abuse for sub-domain activity such as: 

  • acme.myweb.com 
  • acme.email.com 
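
One way to surface the sub-domain abuse described above from a feed of fully qualified domain names, as an added example that is neither the datasheet's nor Core's own code. It matches the brand as a whole token within any DNS label (so `acme.myweb.com` and `acme-login.hosting.example` hit, but a word that merely contains the letters does not), and it skips domains the company actually owns. The brand, the owned-domain set and the FQDN list are constructed; the registered-domain helper is a crude last-two-labels approximation that assumes no public-suffix list is available.

```python
import re

# Constructed feed of FQDNs as a PDNS query might return them. The first two
# are the datasheet's sub-domain examples; the rest are made up.
OBSERVED_FQDNS = [
    "acme.myweb.com",
    "acme.email.com",
    "www.acme.com",               # owned by ACME Inc (constructed)
    "login.acme-support.net",     # brand token at 2LD level (constructed)
    "cdn.macmeals.org",           # letters 'acme' inside another word: no hit
    "mail.example.org",
    "acme-login.hosting.example",
]

# Domains the company legitimately owns (constructed); never reported.
OWNED = {"acme.com"}

BRAND = "acme"
# The brand must be a whole token within a label: at the label start or after
# a hyphen, and at the label end or before a hyphen.
BRAND_TOKEN = re.compile(r"(^|-)" + re.escape(BRAND) + r"(-|$)")


def registered_domain(fqdn):
    """Last two labels as a crude 2LD approximation (no public-suffix list)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def brand_hits(fqdns, brand_re=BRAND_TOKEN, owned=OWNED):
    """Return FQDNs carrying the brand token in any label, outside owned domains."""
    hits = []
    for fqdn in fqdns:
        name = fqdn.lower().rstrip(".")
        if registered_domain(name) in owned:
            continue
        if any(brand_re.search(label) for label in name.split(".")):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for hit in brand_hits(OBSERVED_FQDNS):
        print("possible brand abuse:", hit)
```

The token rule is deliberately strict; a looser substring match would also catch typosquats and homoglyphs but at the cost of many false hits, and those are better handled by a separate similarity check fed from the same data.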

Armed with knowledge of the abuse, activity metrics for the fraudulent site, and duration of the activity you can promptly take action to have the domain taken down.

 

How Core PDNS is Delivered

Core’s PDNS System is a hosted service available on demand, with no deployment costs. Core’s PDNS can be accessed via:

  • RESTful API: A RESTful API license key provides an automated query interface. The RESTful API is fully documented and constructed for simple interaction. 
  • Web Console: A web console interface is provided as a seat-licensed query interface. The web console gives analysts straightforward answers to their investigative questions. 
  • Admin Console: Both the RESTful API and Web Console are administered through a hosted Admin Console to assign and manage your license keys and account usage. 

Core’s Passive DNS system is sold as an annual subscription with pricing of the API License based on query volume and the Web Console Seat License based on number of seats. Contact us to learn more.

Sidebar Datasheet

Passive DNS is a mechanism to capture which sites are being visited at what times, with what volumes, and by how many devices. Using sensors located at major DNS clusters on the Internet, Core’s PDNS system observes real-time DNS queries from millions of devices, cataloging:

  • The fully qualified domain being queried (e.g. not.just.toplevel.domains.com)
  • The response data (e.g. an IPv4 address for an A record query) 
  • The timestamp of the query/response 
  • The queries coming from unique devices or subscribers 
  • The volume of queries observed for a domain/response pair (RRSet) 
  • The type of record queried (A, AAAA, MX, CNAME, NS, etc.)
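
The six fields listed above describe a raw observation (one query/response seen at a sensor) and the per-RRSet summary built from many of them. The code below is an added example, not the datasheet's or Core's own code, showing the aggregation step: raw observations (timestamp, queried name, record type, response data, device id) are collapsed into one record per name/type/response triple with first seen, last seen, query count and number of distinct devices. The observations are constructed; the tuple layout and field names are assumptions for the example. Only the count of distinct devices is kept, not the device identifiers themselves.

```python
from datetime import datetime

# Constructed raw observations: (timestamp, queried name, record type,
# response data, device id). The name reuses the datasheet's FQDN example.
OBSERVATIONS = [
    (datetime(2016, 3, 1, 8, 0), "not.just.toplevel.domains.com", "A", "198.51.100.7", "dev-1"),
    (datetime(2016, 3, 1, 8, 5), "not.just.toplevel.domains.com", "A", "198.51.100.7", "dev-2"),
    (datetime(2016, 3, 2, 12, 0), "not.just.toplevel.domains.com", "A", "198.51.100.7", "dev-1"),
    (datetime(2016, 3, 2, 12, 1), "not.just.toplevel.domains.com", "A", "198.51.100.9", "dev-3"),
    (datetime(2016, 3, 2, 13, 0), "domains.com", "MX", "mail.domains.com", "dev-2"),
    (datetime(2016, 3, 3, 9, 0), "domains.com", "MX", "mail.domains.com", "dev-2"),
]


def aggregate_rrsets(observations):
    """Collapse raw query/response observations into per-RRSet summaries.

    Key: (fqdn, rrtype, rdata), normalised to lower case with any trailing
    dot removed. Value: first_seen, last_seen, query count and the number of
    distinct devices that issued the queries (device ids are not retained).
    """
    acc = {}
    for ts, name, rrtype, rdata, device in observations:
        key = (name.lower().rstrip("."), rrtype.upper(), rdata.lower().rstrip("."))
        rec = acc.setdefault(key, {"first_seen": ts, "last_seen": ts,
                                   "count": 0, "devices": set()})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["count"] += 1
        rec["devices"].add(device)
    return {
        key: {"first_seen": r["first_seen"], "last_seen": r["last_seen"],
              "count": r["count"], "unique_devices": len(r["devices"])}
        for key, r in acc.items()
    }


def rrsets_for_name(name, rrsets):
    """All RRSet summaries for one queried name, any record type."""
    wanted = name.lower().rstrip(".")
    return {k: v for k, v in rrsets.items() if k[0] == wanted}


if __name__ == "__main__":
    summaries = aggregate_rrsets(OBSERVATIONS)
    for key, rec in sorted(summaries.items()):
        print(key, rec)
```

Two details matter for the data to stay comparable over time: the same name must always produce the same key (hence the lower-casing and trailing-dot removal), and a change of response data for the same name must yield a new RRSet rather than overwrite the old one, because the old record is exactly the history an investigator later pivots on.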
     

This data is stored in Core’s Hadoop database systems, providing Core’s PDNS customers with the current and historical relationships and activity of domains and IPs on the Internet.