
Active DNS (2e521444-7295-4dec-96c1-7595b2df7811)

"Domain Name: Active DNS" data component captures queried DNS registry data that highlights current domain-to-IP address resolutions. This data includes both direct queries to DNS servers and records that provide mappings between domain names and associated IP addresses. It serves as a critical resource for tracking active infrastructure and understanding the network footprint of an organization or adversary. Examples:

  • DNS Query Example: nslookup example.com, dig example.com A
  • PTR Record Example: dig -x 192.168.1.1
  • Tracking Malicious Domains: DNS logs reveal repeated queries to suspicious domains like malicious-site.com. The IPs resolved by these domains may be indicators of compromise (IOCs).
  • DNS Record Types
    • A/AAAA Record: Maps domain names to IP addresses (IPv4/IPv6).
    • CNAME Record: Canonical name records, often used for redirects.
    • MX Record: Mail exchange records, used to route emails.
    • TXT Record: Can include security information like SPF or DKIM policies.
    • SOA Record: Start of authority record for domain management.
    • NS Record: Lists authoritative name servers for the domain.

This data component can be collected through the following measures:

  • System Utilities: Use built-in tools like nslookup, dig, or host on Linux, macOS, and Windows to perform active DNS queries.
  • DNS Logging
    • Windows DNS Server: Enable DNS Analytical Logging to capture DNS queries and responses.
    • Bind DNS: Enable query logging in the named.conf file.
  • Cloud Provider DNS Logging
    • AWS Route 53: Enable query logging through CloudWatch or S3.
    • Google Cloud DNS: Enable logging for Cloud DNS queries through Google Cloud Logging.
  • Network Traffic Monitoring: Use tools like Wireshark or Zeek to analyze DNS queries within network traffic.
  • Security Information and Event Management (SIEM) Integration: Aggregate DNS logs in a SIEM like Splunk to create alerts and monitor patterns.
  • Public OSINT Tools: Use OSINT platforms like VirusTotal or PassiveTotal to collect information on domains and their associated IP addresses.
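The "Tracking Malicious Domains" example above and the BIND query-logging bullet come together in practice as a small log-analysis step: once query logging is enabled in named.conf, a defender parses the resulting lines and looks for clients that repeatedly query a watchlisted domain. The following is an added example, not code from the MISP galaxy or MITRE ATT&CK page; the log lines are constructed samples in BIND 9 query-log format, the watchlist uses the page's own placeholder domain malicious-site.com, and the function names are this example's own.

```python
"""Parse BIND query-log lines and surface repeated queries to watchlisted domains.

Added example (not from the MISP/ATT&CK page). The log lines below are
constructed samples in BIND 9 query-log format; malicious-site.com is the
placeholder domain used by the page itself.
"""
import re
from collections import Counter, defaultdict

# Matches both the older "client 192.0.2.10#53214 (...)" form and the newer
# "client @0x7f... 192.0.2.10#53214 (...)" form that prefixes a client pointer.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample lines (not real traffic); the last line is deliberate noise.
SAMPLE_LOG = """\
15-Mar-2024 10:00:01.101 queries: info: client @0x7f3a1c0012a0 10.0.0.5#51234 (example.com): query: example.com IN A +E(0)K (10.0.0.1)
15-Mar-2024 10:00:02.220 queries: info: client @0x7f3a1c0012a0 10.0.0.5#51235 (malicious-site.com): query: malicious-site.com IN A +E(0)K (10.0.0.1)
15-Mar-2024 10:00:03.330 queries: info: client @0x7f3a1c0012a0 10.0.0.7#40001 (example.com): query: example.com IN MX + (10.0.0.1)
15-Mar-2024 10:01:04.440 queries: info: client @0x7f3a1c0012a0 10.0.0.5#51236 (malicious-site.com): query: malicious-site.com IN A +E(0)K (10.0.0.1)
15-Mar-2024 10:02:05.550 queries: info: client 10.0.0.9#53000 (cdn.malicious-site.com): query: cdn.malicious-site.com IN AAAA + (10.0.0.1)
15-Mar-2024 10:03:06.660 queries: info: client @0x7f3a1c0012a0 10.0.0.5#51237 (malicious-site.com): query: malicious-site.com IN TXT + (10.0.0.1)
this line is not a query log entry
"""


def parse_query_log(text):
    """Return one dict per parseable query line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            rec = m.groupdict()
            # Normalise the queried name so "Example.COM." and "example.com" compare equal.
            rec["name"] = rec["name"].rstrip(".").lower()
            records.append(rec)
    return records


def is_watchlisted(name, watchlist):
    """True if name equals a watchlisted domain or is a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watchlist)


def find_repeated_watchlist_queries(records, watchlist, threshold=2):
    """Map (client IP, watchlist domain) -> query count for pairs at or above threshold.

    Subdomains count towards their parent watchlist entry, so a single lookup of
    cdn.malicious-site.com is attributed to malicious-site.com.
    """
    counts = Counter()
    for rec in records:
        for w in watchlist:
            if is_watchlisted(rec["name"], [w]):
                counts[(rec["src"], w)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def query_type_breakdown(records):
    """Count record types queried per domain (e.g. unexpected TXT lookups stand out)."""
    breakdown = defaultdict(Counter)
    for rec in records:
        breakdown[rec["name"]][rec["qtype"]] += 1
    return breakdown


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} query records")
    for (src, domain), n in find_repeated_watchlist_queries(recs, ["malicious-site.com"]).items():
        print(f"{src} queried {domain} {n} times")
    for name, types in query_type_breakdown(recs).items():
        print(name, dict(types))
```

The threshold and the watchlist are the two knobs a SIEM rule would expose: the watchlist is where IOC domains from OSINT sources are fed in, and the threshold separates a one-off lookup (which may be a browser prefetch) from a client that keeps returning to the same infrastructure. The per-type breakdown is a cheap second signal, since a host issuing TXT queries to a domain it has never otherwise used is worth a closer look.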
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Active DNS (2e521444-7295-4dec-96c1-7595b2df7811) | mitre-data-component | Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) | Attack Pattern | 1 |
| Active DNS (2e521444-7295-4dec-96c1-7595b2df7811) | mitre-data-component | Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) | Attack Pattern | 1 |
| DNS Server - T1584.002 (c2f59d25-87fe-44aa-8f83-e8e59d077bf5) | Attack Pattern | Active DNS (2e521444-7295-4dec-96c1-7595b2df7811) | mitre-data-component | 1 |
| Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) | Attack Pattern | Active DNS (2e521444-7295-4dec-96c1-7595b2df7811) | mitre-data-component | 1 |
| Active DNS (2e521444-7295-4dec-96c1-7595b2df7811) | mitre-data-component | Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) | Attack Pattern | 1 |
| DNS Server - T1584.002 (c2f59d25-87fe-44aa-8f83-e8e59d077bf5) | Attack Pattern | Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) | Attack Pattern | 2 |
| Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) | Attack Pattern | Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) | Attack Pattern | 2 |
| Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) | Attack Pattern | Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) | Attack Pattern | 2 |