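Strengthen Cybersecurity with DNS History | WhoisXML API

DNS History: Strengthening Internet Transparency and Cybersecurity Measures

With our Lookup, API, and Database Download, you can identify domain name changes, infrastructure evolution, and potential threats from historical DNS records.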

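Up to 500 API requests are free. No credit card required.

More than 50 billion domains and subdomains
More than 116 billion DNS records
Trusted by more than 60% of companies in the major Cyber 150 categories
More than 52,000 satisfied customers

DNS History product lineup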

  • DNS Database Download

    From our industry-leading historical DNS record database, we provide files of passive DNS A, AAAA, MX, NS, TXT, CNAME, SOA, and PTR records.

  • DNS Chronicle API

    DNS Chronicle API integrates easily into tools that need passive DNS intelligence, such as existing security platforms and workflows.

  • DNS Chronicle Lookup

    Simply enter a domain name in the GUI to retrieve its historical A and AAAA records.

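Features

  • Comprehensiveness

    Our historical DNS record database is one of the largest of its kind, with billions of events recorded. It lets you dig deep into the DNS history and associations of web properties.

  • Ease of integration

    Our DNS Database Download is available in CSV file format. Our DNS Chronicle API is designed for easy integration and supports common programming languages and platforms.

  • Scalability

    Choose the service that best fits your needs from Lookup, API, and Database Download.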

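Practical use cases

  • DNS asset discovery

    Keep your asset inventory up to date by uncovering related or hidden domain names and subdomains used by specific web applications and services.

  • Threat detection

    Identify anomalous DNS resolution patterns that suggest infrastructure used to host or distribute malware, or botnet activity.

  • Threat actor monitoring

    Monitor DNS resolutions associated with threat actors to uncover patterns and anomalies that hint at malicious activity.

  • Brand protection

    Monitor DNS record changes to detect domain name hijacking, and assess how related domain names affect your brand's reputation.

  • Third-party risk scoring

    DNS data lets you trace the history of a domain name's configuration changes and identify related infrastructure. It can also help detect suspicious activity associated with third parties, including vendors.

  • Fraud detection

    Identify fraud by analyzing DNS patterns, changes in domain name ownership, and associations with previously malicious servers.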


Frequently asked questions

What are DNS records?

A DNS record is a data record stored in the Domain Name System (DNS) that maps domain names to specific resources, such as IP addresses, mail servers, or other services. A DNS server resolves those records to direct internet traffic and manage domain-related services. Common DNS record types include:

  • A record: Maps a domain to an IPv4 address.
  • AAAA record: Maps a domain to an IPv6 address.
  • MX record: Specifies mail servers for email delivery.
  • NS record: Lists authoritative name servers for a domain.
  • TXT record: Stores text-based information, often used for domain ownership verification (e.g., SPF, DKIM, or DMARC settings) or other metadata. For example, verifying website ownership to use Google Search Console requires adding a certain TXT record to the list of host records for a domain name.
  • CNAME record: Maps an alias or subdomain to another domain name. For example, it can redirect blog.example.com to www.example.com.
  • SOA record (Start of Authority): Contains administrative information about the domain, such as the primary name server, the domain administrator's contact email, and the DNS zone's version number.
  • PTR record (Pointer): Resolves an IP address to a domain name, commonly used in reverse DNS lookups.

To get information about a domain’s current DNS records, you can use our DNS lookup tool or DNS lookup API.

What is the DNS history of a domain name?

The DNS history of a domain name is a list of past DNS configurations, including changes to IP addresses, name servers, mail servers, and other DNS records over time. It provides insight into how a domain's infrastructure has evolved and can reveal ownership changes, migrations, or potential misuse.

Unlike a sizable portion of WHOIS data, DNS data is not redacted for privacy, so historical DNS records can be quite useful for cybersecurity purposes.

The Domain Name System was not engineered to keep track of historical records, but because those records hold a lot of value, independent vendors have naturally begun creating and maintaining DNS history databases.

What data can you get from DNS history?

A domain’s DNS history typically includes details such as:

  • Historical A records: Changes to IPv4 address mappings.
  • Historical AAAA records: Changes to IPv6 address mappings.
  • Historical MX records: Changes to mail server configurations.
  • Historical NS records: Updates to authoritative name servers.
  • Historical TXT records: Past text-based information, often related to verification or security.
  • Historical CNAME records: Changes to aliases or redirections for subdomains.
  • Historical SOA records: Updates to administrative details, such as the primary name server or zone version.
  • Historical PTR records: Historical mappings of IP addresses to domain names, used in reverse DNS lookups.
  • Time-stamped changes and updates: A timeline showing when each record was added, removed, or updated.

This information provides a detailed timeline of a domain's DNS activity and helps uncover patterns, infrastructure changes, potential links to malicious actors, and more.

Here’s an example of using our historical DNS lookup tool for example.com that pulls historical IP to domain or domain to IP information:

What can I use historical DNS data for?

Historical DNS data has a wide range of practical applications across cybersecurity, threat intelligence, and asset management. You can use it to:

  • Add DNS context to SIEM, SOAR, and TIP platforms: Enrich security systems with DNS intelligence for better decision-making.
  • Accelerate threat detection and response: Identify unusual DNS changes or patterns associated with malicious activities.
  • Widen asset discovery and vulnerability management: Locate unmanaged or forgotten domains, subdomains, and related assets associated through DNS records.
  • Identify dangling DNS records and unsecured subdomains: Detect misconfigurations that could lead to data exposure or exploitation.
  • Expand threat intelligence gathering: Analyze historical DNS records to uncover links between domains and already known threat actor infrastructure.
  • Monitor changes in the DNS infrastructure of suspicious or malicious domains: Stay informed about updates that could signal new threats.
  • Run SaaS service discovery analyses: Identify services and platforms linked to a domain using clues from DNS records and subdomains.

These capabilities make historical DNS data a very useful resource for improving security posture and gaining deeper insights into domain activity and associated risks.

How to check DNS history?

To check DNS history:

  • Use a historical DNS lookup tool like our DNS Chronicle Lookup.
  • Enter the domain name you want to investigate.
  • Review the historical data on DNS records, including changes and updates over time.

Alternatively, you can use WhoisXML API's DNS Database Download service or the DNS Chronicle API. These data delivery models provide detailed, time-stamped DNS records and come in handy when you need to automate requests for historical DNS records.

How to use DNS history for security threat detection?

DNS history can help identify suspicious activity or patterns, such as:

  • Sudden changes in name servers or IP addresses that could indicate repurposing a domain for a phishing or malware campaign.
  • Rapid changes in A or AAAA DNS records, a technique called fast-flux that helps evade traditional detection methods and is often an indicator of malicious activity.
  • Domains with records pointing to known malicious infrastructure (based on IoCs provided by threat intelligence).

By analyzing DNS history, security teams can detect and respond to potential threats proactively.
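
The three patterns listed above, checked over a small constructed history, as an added example (not WhoisXML API code). The row layout, thresholds, and function names are assumptions, and all addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed passive-DNS rows: (domain, type, value, first_seen, last_seen).
# This layout is an assumption, not the schema of any WhoisXML API product.
HISTORY = [
    ("shop.example", "A", "192.0.2.10", date(2023, 1, 5), date(2024, 6, 1)),
    ("shop.example", "NS", "ns1.host-a.example", date(2023, 1, 5), date(2024, 6, 1)),
    ("flux.example", "A", "198.51.100.1", date(2024, 5, 1), date(2024, 5, 1)),
    ("flux.example", "A", "198.51.100.2", date(2024, 5, 1), date(2024, 5, 2)),
    ("flux.example", "A", "203.0.113.7", date(2024, 5, 2), date(2024, 5, 2)),
    ("flux.example", "A", "203.0.113.8", date(2024, 5, 3), date(2024, 5, 3)),
    ("flux.example", "A", "203.0.113.9", date(2024, 5, 3), date(2024, 5, 4)),
    ("old.example", "NS", "ns1.host-a.example", date(2022, 3, 1), date(2024, 4, 10)),
    ("old.example", "NS", "ns1.parked.example", date(2024, 4, 11), date(2024, 6, 1)),
    ("old.example", "A", "203.0.113.9", date(2024, 4, 12), date(2024, 6, 1)),
]
KNOWN_BAD_IPS = {"203.0.113.9"}  # constructed IoC list


def fast_flux_candidates(rows, window_days=7, min_ips=5):
    """Domains that gained >= min_ips distinct addresses inside one window (assumed thresholds)."""
    seen = defaultdict(list)
    for domain, rtype, value, first, _ in rows:
        if rtype in ("A", "AAAA"):
            seen[domain].append((first, value))
    flagged = set()
    for domain, events in seen.items():
        for start, _ in events:
            end = start + timedelta(days=window_days)
            if len({ip for t, ip in events if start <= t < end}) >= min_ips:
                flagged.add(domain)
    return sorted(flagged)


def ns_changes(rows):
    """(domain, new_ns, first_seen) for name servers that appear after the first observed one."""
    first_ns = defaultdict(list)
    for domain, rtype, value, first, _ in rows:
        if rtype == "NS":
            first_ns[domain].append((first, value))
    return sorted((d, v, f) for d, ev in first_ns.items() for f, v in ev if f > min(ev)[0])


def ioc_hits(rows, bad_ips):
    """Domains that ever resolved to an address on the IoC list."""
    return sorted({d for d, t, v, *_ in rows if t in ("A", "AAAA") and v in bad_ips})
```

A name-server change or a single IoC hit is a lead for triage, not a verdict: CDNs and load balancers also rotate addresses quickly, so tune `window_days` and `min_ips` against known-good domains first.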

How to use DNS history for threat actor monitoring?

DNS history can reveal connections between domains and threat actors by:

  • Tracking repeated use of specific IP addresses or name servers and other patterns in DNS record changes linked to known attackers.
  • Revealing additional threat actor infrastructure through DNS patterns, as well as learning new details about their methods and activities.
  • Monitoring threat actor infrastructure migration and proactively identifying yet-to-be-used infrastructure.

This helps cybersecurity providers keep tabs on threat actors' evolving tactics and infrastructure.

How to use DNS history for fraud detection?

DNS history aids fraud detection by uncovering:

  • Record changes that align with phishing or scam activities such as rapid switching of IP addresses (A and AAAA records) or name servers.
  • Use of disposable or suspicious DNS records with low TTL values or lack of legitimate MX records that normally should be present.
  • Historical data linking fraudulent domains to known malicious networks such as common name servers, IP addresses, and registrars.

These insights help investigators trace and mitigate fraudulent schemes.

How to use DNS history for asset discovery?

DNS history provides a comprehensive view of domain activity, which can:

  • Identify domains or subdomains tied to your organization that could pose risks if left unmonitored or used maliciously by others after expiration or transfer.
  • Highlight forgotten or unmonitored digital assets such as old subdomains or backup domains that might still be publicly accessible and can serve as entry points for attackers if not secured properly.
  • Uncover DNS issues like misconfigured DNS records that could expose sensitive data such as internal services, sensitive IP addresses, or cloud resources.

By leveraging DNS history, organizations can improve visibility and security of their digital assets.

How to use DNS history for brand protection?

DNS history supports brand protection by allowing you to detect:

  • Cybersquatting domains impersonating your brand that have suspicious IP changes or repeated use of nameservers linked to phishing campaigns. Such changes may indicate malicious intent of the domain owners.
  • Potentially malicious traffic that could signal website defacement attempts. Web application firewalls (WAFs) can block such traffic from known malicious IP addresses that are requesting access to your website.
  • Suspicious subdomains linked to your own infrastructure that may signal subdomain takeover.

We recommend using DNS history together with predictive threat intelligence feeds for better results and correlation when it comes to brand protection efforts. Read our blog post to learn more about using DNS history for brand attack prevention.