TMCnet Feature
March 03, 2021

What Can You Do with the DNS History?

Pretty much everyone these days is aware that the Internet has its own phonebook, the Domain Name System (DNS). It maps an easy-to-remember name, the domain name, to the website’s “phone number,” its IP address. Think of the domain name as a person’s name in a regular phonebook.

Unlike a phone number, which is dedicated to a single subscriber, an IP address is more often than not shared by many domains. That is why passive DNS (pDNS) databases, which record the history of the DNS as observed by resolver sensors, are useful. A pDNS database tells users when a particular domain name was first and last seen resolving to a given IP address, even if that address is shared with other domains. Note that pDNS captures what resolvers actually observed, not the authoritative zone itself, so its coverage depends on where the sensors sit. But what exactly does DNS history tell you?

What Is DNS History?

DNS history refers to the information users can get from a pDNS database. At its core, each entry pairs a domain name, a record type and the record data with the dates that combination was first seen and last seen, usually together with a count of how often it was observed. A DNS history report may also contain other information, including:

  • Dates first seen and last seen
  • Social media profile links (not DNS data as such, but bundled by some providers)
  • IP addresses
  • Nameservers
  • Mail exchange (MX) servers

Apart from a DNS history database, users can get a partial set of the same data from DNS and reverse IP/DNS lookup tools. A plain DNS lookup tool returns only the records a domain serves right now, so it shows the current state rather than the history; comparing its output against the pDNS history is how you spot a change. A reverse IP/DNS lookup tool, meanwhile, lists all the domains that have been observed resolving to an IP address of interest within a given timeframe.

What Can You Use DNS History For?

Details from the history of the DNS are particularly useful for threat investigations. Two ways are described below.

Identifying Domains That Could Be Connected to an Ongoing Malicious Campaign

About two weeks ago, the A record of perl[.]com, Tom Christiansen’s Perl programming language update website, was changed to point at 35[.]186[.]238[.]101, a known malware download site.

Companies that do not want to block a shared IP address outright (that would also cut off every legitimate site hosted there) can instead block the individual domains that resolve to it. That list is obtainable from a reverse IP/DNS lookup tool. Since co-hosting on a shared address is weak evidence on its own, the candidate list should be triaged before it goes into a blocklist.

35[.]186[.]238[.]101, for instance, is shared by at least 300 domains (one or more of which could be responsible for the IP address being tagged malicious), such as:

  • 0--2[.]com
  • 01c9c7c8[.]tinybucks[.]net
  • 01z67[.]servingwithlove[.]com
  • 05b2sk[.]14919[.]j57lf[.]edu[.]cn[.]designlemon[.]com
  • 084244-5045[.]omb1[.]com
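To make the data model behind the last two sections concrete (what a pDNS entry holds, how a forward DNS history lookup differs from a reverse IP lookup, and how a co-hosted-domain candidate list is derived from the same records), here is a small in-memory pDNS store. This is an added example, not code from the article or from any pDNS vendor: the store, its API and every observation it ingests are constructed for illustration. The 198.51.100.7 “previous” address and the dates are made up; only the names and the 35.186.238.101 address are taken from the text above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class PdnsRecord:
    """One aggregated pDNS row: a (name, type, data) tuple plus when it was seen."""
    rrname: str        # queried name, e.g. "perl.com"
    rrtype: str        # record type: "A", "NS", "MX", ...
    rdata: str         # answer data, e.g. an IPv4 address or a nameserver
    first_seen: datetime
    last_seen: datetime
    count: int         # number of times sensors observed this exact answer


class PdnsStore:
    """In-memory pDNS database keyed on (name, type, data). Constructed example."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _norm(name):
        return name.rstrip(".").lower()

    def observe(self, rrname, rrtype, rdata, seen_at):
        """Ingest one observed resolution, widening first/last seen as needed."""
        key = (self._norm(rrname), rrtype.upper(), rdata.lower())
        rec = self._records.get(key)
        if rec is None:
            self._records[key] = PdnsRecord(*key, seen_at, seen_at, 1)
            return
        rec.first_seen = min(rec.first_seen, seen_at)
        rec.last_seen = max(rec.last_seen, seen_at)
        rec.count += 1

    def history(self, rrname, rrtype=None):
        """Forward (DNS history) lookup: every answer ever seen for a name, oldest first."""
        name = self._norm(rrname)
        rows = [r for r in self._records.values()
                if r.rrname == name and (rrtype is None or r.rrtype == rrtype.upper())]
        return sorted(rows, key=lambda r: (r.first_seen, r.rdata))

    def reverse(self, ip, since=None):
        """Reverse IP lookup: names seen resolving to `ip` (A/AAAA), optionally only
        those still seen on or after `since`, so long-stale co-hosting is ignored."""
        names = {r.rrname for r in self._records.values()
                 if r.rrtype in ("A", "AAAA") and r.rdata == ip.lower()
                 and (since is None or r.last_seen >= since)}
        return sorted(names)


def utc(day):
    """Parse an ISO date into an aware UTC datetime."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def build_demo_store():
    """Constructed observations (not real sensor data) modelled on the perl.com case."""
    store = PdnsStore()
    observations = [
        # perl.com sat on a made-up documentation address, then moved.
        ("perl.com", "A", "198.51.100.7", "2020-06-01"),
        ("perl.com", "A", "198.51.100.7", "2021-01-20"),
        ("perl.com", "A", "35.186.238.101", "2021-01-28"),
        ("perl.com", "A", "35.186.238.101", "2021-02-17"),
        ("perl.com", "NS", "ns1.example.net", "2021-01-28"),
        # Other names sharing the same address; one was last seen there in 2020.
        ("0--2.com", "A", "35.186.238.101", "2021-02-10"),
        ("01c9c7c8.tinybucks.net.", "A", "35.186.238.101", "2021-02-12"),
        ("old.example.org", "A", "35.186.238.101", "2020-11-03"),
    ]
    for name, rtype, data, day in observations:
        store.observe(name, rtype, data, utc(day))
    return store


def cohosted_blocklist(store, ip, since, exclude=()):
    """Names recently co-hosted on `ip`, minus names the analyst has already
    triaged (`exclude`). Co-hosting alone is weak evidence: review before blocking."""
    skip = {store._norm(n) for n in exclude}
    return [n for n in store.reverse(ip, since=since) if n not in skip]


if __name__ == "__main__":
    s = build_demo_store()
    for r in s.history("perl.com", "A"):
        print(r.rrname, r.rdata, r.first_seen.date(), r.last_seen.date(), r.count)
    print(cohosted_blocklist(s, "35.186.238.101", since=utc("2021-01-01"), exclude=["perl.com"]))
```

The history of perl[.]com shows the address change as a new row with its own first-seen date, which is the signal an investigator looks for; the reverse lookup, filtered with `since`, drops names that stopped resolving to the address long before the incident, so the candidate blocklist only carries current co-hosting.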

Securing against Unwanted Domains That Could Be Piggybacking on the Corporate IP Address

Big tech companies typically use dedicated IP addresses. One way of making sure they are not sharing these with malicious actors is by monitoring a pDNS database for names that resolve to their addresses.

Google, for instance, can query its google[.]com IP address on a reverse IP/DNS lookup tool. It would get a list of 13 domains, all of which should be under its control since it uses a dedicated IP address. If that is not the case, Google can investigate who owns the unwanted or unauthorized domain. Because anyone can point an A record at any address, the stranger’s zone cannot be edited from Google’s side, but Google’s servers can refuse to serve the unknown hostname and the domain can be reported for takedown, especially if it proves to be malicious.

Another important security practice that protects against domain hijacking is keeping your DNS records up to date. Threat actors have an easier time taking control of forgotten or unused domains and of stale records, since these are usually insufficiently protected; a record that still points at a deprovisioned host, for instance, can be claimed by whoever registers that host next.

Companies can monitor their DNS records with the help of a DNS lookup tool. Google can check all 12 of google[.]com’s DNS records by comparing a live DNS lookup against the domain’s pDNS history. If any of them have changed without the website administrator’s knowledge, that could indicate unwanted activity.
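The two checks in this section, finding names that point at a dedicated address without authorization and detecting records that changed behind the administrator’s back, reduce to two set comparisons. The following is an added example, not the article’s or any vendor’s code; the address range (a documentation prefix), the published hostnames, the reverse-lookup results and the before/after record sets are all constructed, and the function names are this example’s own.

```python
import ipaddress

# Constructed for this example: the organisation's dedicated address range
# (a documentation prefix) and the hostnames it actually publishes.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
PUBLISHED_NAMES = {"example.com", "www.example.com", "mail.example.com"}

# Constructed reverse IP lookup results: (name, ip) pairs for the owned addresses.
OBSERVED = [
    ("example.com", "203.0.113.10"),
    ("www.example.com.", "203.0.113.10"),
    ("mail.example.com", "203.0.113.25"),
    ("login-exarnple.com", "203.0.113.10"),      # lookalike name pointed at our address
    ("unrelated.example.net", "198.51.100.9"),   # not our space, ignored
]

# Constructed record sets: what the administrator last approved vs. a live lookup now.
BASELINE = {
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
}
CURRENT = {
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"10 mail.example.com", "5 mx.unknown-host.example"},
    ("example.com", "NS"): {"ns1.example.com"},
}


def norm(value):
    """Case-fold and drop a trailing dot so 'WWW.Example.com.' equals 'www.example.com'."""
    return value.rstrip(".").lower()


def in_owned_space(ip, networks=OWNED_NETWORKS):
    """True if `ip` falls inside one of our dedicated prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def unauthorized_names(observed, networks=OWNED_NETWORKS, published=PUBLISHED_NAMES):
    """Names pointing into our dedicated space that we do not publish, as {name: [ips]}.
    Anyone can point an A record at any address, so these cannot simply be deleted
    from our zone; they are leads to investigate, hostnames our servers should refuse
    to serve, and candidates for a takedown request."""
    hits = {}
    for name, ip in observed:
        n = norm(name)
        if n in published or not in_owned_space(ip, networks):
            continue
        hits.setdefault(n, set()).add(ip)
    return {n: sorted(ips) for n, ips in hits.items()}


def record_drift(baseline, current):
    """Diff approved records against current ones. Both are {(name, rrtype): {rdata}}.
    Returns [(name, rrtype, added, removed)] for every record set that differs;
    a record set missing from `current` shows all of its rdata as removed."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        before = {norm(d) for d in baseline.get(key, ())}
        after = {norm(d) for d in current.get(key, ())}
        if before != after:
            drift.append((key[0], key[1], sorted(after - before), sorted(before - after)))
    return drift


if __name__ == "__main__":
    print("unauthorized:", unauthorized_names(OBSERVED))
    for name, rrtype, added, removed in record_drift(BASELINE, CURRENT):
        print(f"{name} {rrtype}: +{added} -{removed}")
```

Normalizing case and trailing dots before comparing matters in practice: a live resolver and a pDNS export often differ only in those details, and without it every record looks “changed.” In the constructed data the lookalike name is the one unauthorized hit, and the drift report flags an MX record that appeared and an NS record that vanished, both of which the administrator did not approve.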


Looking at DNS history, as this post has shown, is an important cybersecurity consideration. With the help of a pDNS database and related tools such as reverse IP/DNS and DNS lookup, an organization can keep suspicious or malicious domains and IP addresses off its network and find those that are already present.

» More TMCnet Feature Articles