Domain Name

Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human-readable names (e.g., mitre.org)

ID: DS0038
Platform: PRE
Collection Layer: OSINT
Version: 1.0
Created: 20 October 2021
Last Modified: 16 April 2025

Data Components

Domain Name: Active DNS

The "Domain Name: Active DNS" data component captures queried DNS registry data that highlights current domain-to-IP address resolutions. This data includes both direct queries to DNS servers and the records that map domain names to their associated IP addresses. It is a critical resource for tracking active infrastructure and understanding the network footprint of an organization or adversary. Examples:

  • DNS Query Example: nslookup example.com, dig example.com A
  • PTR Record Example: dig -x 192.168.1.1
  • Tracking Malicious Domains: DNS logs reveal repeated queries to suspicious domains like malicious-site.com. The IPs resolved by these domains may be indicators of compromise (IOCs).
  • DNS Record Types
    • A/AAAA Record: Maps domain names to IP addresses (IPv4/IPv6).
    • CNAME Record: Canonical name records, often used for redirects.
    • MX Record: Mail exchange records, used to route emails.
    • TXT Record: Can include security information like SPF or DKIM policies.
    • SOA Record: Start of authority record for domain management.
    • NS Record: Lists authoritative name servers for the domain.

This data component can be collected through the following measures:

  • System Utilities: Use built-in tools like nslookup, dig, or host on Linux, macOS, and Windows to perform active DNS queries.
  • DNS Logging
    • Windows DNS Server: Enable DNS Analytical Logging to capture DNS queries and responses.
    • Bind DNS: Enable query logging in the named.conf file.
  • Cloud Provider DNS Logging
    • AWS Route 53: Enable query logging through CloudWatch or S3:
    • Google Cloud DNS: Enable logging for Cloud DNS queries through Google Cloud Logging.
  • Network Traffic Monitoring: Use tools like Wireshark or Zeek to analyze DNS queries within network traffic.
  • Security Information and Event Management (SIEM) Integration: Aggregate DNS logs in a SIEM like Splunk to create alerts and monitor patterns.
  • Public OSINT Tools: Use OSINT platforms like VirusTotal or PassiveTotal to collect information on domains and their associated IP addresses.

Detections (Domain / ID / Name / Detects)
Enterprise T1583 Acquire Infrastructure

Monitor queried domain name system (DNS) registry data for signs that adversaries may be buying, leasing, or renting infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor queried domain name system (DNS) registry data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

Enterprise T1584 Compromise Infrastructure

Monitor queried domain name system (DNS) registry data for signs that adversaries may have compromised third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor queried domain name system (DNS) registry data for signs that adversaries may have hijacked domains and/or subdomains that can be used during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity takes place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.002 DNS Server

Monitor queried domain name system (DNS) registry data for signs that adversaries may have compromised third-party DNS servers that can be used during targeting. Much of this activity takes place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Domain Name: Domain Registration

The "Domain Name: Domain Registration" data component captures information about the assignment, ownership, and metadata of domain names. This information is often sourced from registries via WHOIS and includes details such as registrant names, contact information, registration dates, expiration dates, and registrar details. This data is invaluable for tracking domain ownership, detecting malicious domain registrations, and identifying trends in adversary behavior. Examples:

  • Registrant Information: WHOIS lookup of example.com
  • Registration and Expiration Dates: A domain registered a week before being used in phishing attacks.
  • Domain Status: Status codes like clientTransferProhibited or serverHold indicate domain restrictions or potential hijacking activity.
  • Name Server Information: Name servers point to a public DNS provider often associated with malicious campaigns.
  • Privacy Protection: A domain uses WHOIS privacy protection to hide registrant details.

This data component can be collected through the following measures:

  • WHOIS Services: Use tools or services to perform WHOIS lookups:
  • WHOIS APIs: Automate domain registration lookups with APIs:
  • Registrar Platforms: Directly query domain registrars (e.g., GoDaddy, Namecheap) for detailed registration data.
  • Threat Intelligence Platforms: Integrate domain registration data from services like Recorded Future, RiskIQ, or PassiveTotal for enriched analysis.

Detections (Domain / ID / Name / Detects)
Enterprise T1583 Acquire Infrastructure

Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.[2] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.
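The lookalike-domain monitoring described above, as an added example that is not MITRE's code: it scans a constructed feed of newly registered domains for names that reuse the watched label under another TLD, embed it with an affix, or differ from it by common homoglyph substitutions or a small edit. The watched domain, the feed, and the substitution list are assumptions.

```python
"""Flag newly registered domains that resemble a watched brand domain."""
from difflib import SequenceMatcher

WATCHED = "example.com"  # assumed: the organization's own registrable domain

# Constructed sample of a newly-registered-domains feed (not real data).
NEW_DOMAINS = [
    "example.net", "examp1e.com", "example-login.com", "exarnple.com",
    "unrelated-shop.org", "login.example.com", "myexample.co",
]

def split_domain(name: str):
    """Return (registrable_label, tld). Assumes a single-label public suffix."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def homoglyph_norm(label: str) -> str:
    """Fold common look-alike substitutions so 'examp1e' compares as 'example'."""
    return (label.replace("1", "l").replace("0", "o")
                 .replace("rn", "m").replace("vv", "w"))

def classify(candidate: str, watched: str = WATCHED):
    """Return a reason string if candidate resembles watched, else None."""
    c_label, c_tld = split_domain(candidate)
    w_label, w_tld = split_domain(watched)
    if candidate.lower().endswith("." + watched):
        return None  # a subdomain of the watched zone, not a lookalike
    if c_label == w_label and c_tld != w_tld:
        return "same label under different TLD"
    if homoglyph_norm(c_label) == w_label and c_label != w_label:
        return "homoglyph of watched label"
    if w_label in c_label and c_label != w_label:
        return "watched label embedded with affix"
    ratio = SequenceMatcher(None, c_label, w_label).ratio()
    if ratio >= 0.8:
        return f"near match (similarity {ratio:.2f})"
    return None

def find_lookalikes(feed, watched=WATCHED):
    """Return [(domain, reason)] for every feed entry that resembles watched."""
    return [(d, r) for d in feed if (r := classify(d, watched))]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(NEW_DOMAINS):
        print(f"{domain:22} {reason}")
```

In practice the feed would come from a registration-data or certificate-transparency source and the result would be enriched with WHOIS details before alerting.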

Enterprise T1584 Compromise Infrastructure

Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.

.001 Domains

Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.

Enterprise T1665 Hide Infrastructure

Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information, and in monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain.

Domain Name: Passive DNS

The "Domain Name: Passive DNS" data component captures logged historical and real-time domain name system (DNS) data. This includes records of domain-to-IP address resolutions over time, enabling analysts to track the evolution of domain infrastructure, uncover historical patterns of use, and detect malicious activities tied to domains and their associated IP addresses. Examples:

  • Historical Resolutions
  • Shared IP Usage
  • Temporal Patterns
  • Malicious Domain Clustering
  • Historical Lookback

This data component can be collected through the following measures:

  • Passive DNS Platforms: Use platforms that specialize in passive DNS collection and analysis:
  • Tools: Farsight DNSDB, RiskIQ PassiveTotal, PassiveDNS.
  • Threat Intelligence Feeds: Integrate passive DNS data from commercial or open-source threat intelligence providers.
  • Custom DNS Collectors: Deploy custom tools to capture DNS traffic at the network level for analysis.
  • Cloud DNS Services: Leverage cloud DNS services (e.g., AWS Route 53, Azure DNS) that maintain DNS query logs.

Detections (Domain / ID / Name / Detects)
Enterprise T1583 Acquire Infrastructure

Monitor logged domain name system (DNS) data for signs that adversaries may be buying, leasing, or renting infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor logged domain name system (DNS) data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

Enterprise T1584 Compromise Infrastructure

Monitor logged domain name system (DNS) data for signs that adversaries may have compromised third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor logged domain name system (DNS) registry data for signs that adversaries may have hijacked domains and/or subdomains that can be used during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity takes place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
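The two detection notes above (anomalous registrant or resolution changes for a watched domain under Domain Registration, and a subdomain resolving to a different country than its root domain here) share one added example, not MITRE's code. It diffs two constructed daily snapshots of a watched domain; the snapshot layout, the domain, and the IP-to-country table standing in for a GeoIP lookup are assumptions.

```python
"""Flag registration and resolution changes for a watched domain."""
from dataclasses import dataclass

# Constructed IP-to-country table standing in for a GeoIP/passive DNS enrichment.
GEO = {"203.0.113.10": "US", "203.0.113.11": "US", "198.51.100.7": "RU"}

@dataclass(frozen=True)
class Snapshot:
    registrar: str
    nameservers: frozenset        # NS records from WHOIS or a DNS query
    resolutions: dict             # fqdn -> resolved IPv4 address

# Constructed daily snapshots of the watched domain (not real data).
DAY1 = Snapshot("Registrar A",
                frozenset({"ns1.dnshost.example", "ns2.dnshost.example"}),
                {"example.com": "203.0.113.10", "www.example.com": "203.0.113.11"})
DAY2 = Snapshot("Registrar A",
                frozenset({"ns1.unknown-dns.example", "ns2.dnshost.example"}),
                {"example.com": "203.0.113.10", "www.example.com": "203.0.113.11",
                 "old-vpn.example.com": "198.51.100.7"})

def registration_changes(before: Snapshot, after: Snapshot) -> list:
    """Registrar and name-server differences between two registration snapshots."""
    alerts = []
    if before.registrar != after.registrar:
        alerts.append(f"registrar changed: {before.registrar} -> {after.registrar}")
    for ns in sorted(after.nameservers - before.nameservers):
        alerts.append(f"new name server: {ns}")
    for ns in sorted(before.nameservers - after.nameservers):
        alerts.append(f"dropped name server: {ns}")
    return alerts

def resolution_changes(before: Snapshot, after: Snapshot, root: str) -> list:
    """New or moved records, plus subdomains whose country differs from the root's."""
    alerts = []
    for name, ip in after.resolutions.items():
        old = before.resolutions.get(name)
        if old is None:
            alerts.append(f"new record: {name} -> {ip}")
        elif old != ip:
            alerts.append(f"{name} moved: {old} -> {ip}")
    root_cc = GEO.get(after.resolutions.get(root))
    for name, ip in after.resolutions.items():
        if name != root and name.endswith("." + root) and GEO.get(ip) != root_cc:
            alerts.append(f"subdomain {name} resolves to {GEO.get(ip)} but root is in {root_cc}")
    return alerts

def review(before: Snapshot, after: Snapshot, root: str = "example.com") -> list:
    """All alerts for the watched root domain between two snapshots."""
    return registration_changes(before, after) + resolution_changes(before, after, root)
```

As the page notes, benign changes are common, so the alert list is a triage queue for domains of interest rather than a verdict.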

.002 DNS Server

Monitor logged domain name system (DNS) registry data for signs that adversaries may have compromised third-party DNS servers that can be used during targeting. Much of this activity takes place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References