Search: DNS tab

The DNS tab displays DNS information related to your search. When the query contains IP address or domain-related expressions, this tab displays the passive DNS information derived from those terms. The information is collected from all analysis runs ever performed. In addition, the view provides passive DNS information for the blocked domains and IP addresses reported on the Search: Network IoCs tab. This lets you quickly understand how the threat network infrastructure evolves over time and how it aligns with your own timeline. For example, the C&C infrastructure might already be offline by the time you were infected by the related trojan.

DNS timeline for Domain/IP query terms

The DNS timeline widget displays a visual representation of DNS intelligence information for domains and IPs related to the current search query. Click the help icon to view the help pop-up, which includes the graph legend. Click the compress or decompress icons to modify the detail displayed.

DNS information for blocked network IoCs list

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 35 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row displays a DNS entry. The list contains the following columns:

Domain/IP

The queried domain or IP address. If available, click the tag to see the reputation of the domain or IP address.

Click the sort icon to sort the list alphabetically by the domain or by IP address.

Result

The DNS results. For a given domain/IP, the associated results might span across multiple rows. If available, click the tag to see the reputation of the result. A geo-located flag may also appear in the results.

Click the sort icon to sort the list alphabetically by the result.

First seen

A timestamp for the first time this result was seen.

Click the sort icon to sort the list by first seen.

Last seen

A timestamp for the last (most recent) time this result was seen.

The list is sorted by last seen, by default in decreasing order (latest at the top). Click the angle up icon to sort the list in increasing order (oldest at the top). Click the angle down icon to toggle to the default.

Query types

The types of DNS queries linking the domain/IP with the result. If a domain is associated with an IP address by a type A query, searching for the IP address will yield the domain with a reverse type A.

Click the sort icon to sort the list alphabetically by the query types.
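
The following added example (not part of the product or its documentation) shows how the First seen and Last seen columns can be lined up against an incident time, and how pivoting on an IP address yields the reverse view described under Query types. The row layout, the timestamp format, and all sample values are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample rows using the list's columns:
# (Domain/IP, Result, First seen, Last seen, Query types)
ROWS = [
    ("c2.example.test", "203.0.113.10", "2023-01-05T08:00:00", "2023-02-20T17:30:00", "A"),
    ("c2.example.test", "198.51.100.7", "2023-03-01T00:00:00", "2023-03-15T12:00:00", "A"),
    ("cdn.example.test", "203.0.113.10", "2023-02-01T00:00:00", "2023-04-01T00:00:00", "A"),
]

def parse_utc(text):
    """Parse an ISO 8601 timestamp; the sample data is assumed to be UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def status_at(row, event_time):
    """Place an event relative to a row's [first seen, last seen] window.

    The window bounds observations, not the record's real lifetime, so
    'expired' means "not observed again after last seen".
    """
    first, last = parse_utc(row[2]), parse_utc(row[3])
    if event_time < first:
        return "not_yet_seen"
    if event_time > last:
        return "expired"
    return "active"

def timeline_for(rows, term, event_time):
    """Results for a queried domain/IP with their status at event_time,
    ordered like the list's default (latest last seen at the top)."""
    hits = [r for r in rows if r[0] == term]
    hits.sort(key=lambda r: parse_utc(r[3]), reverse=True)
    return [(r[1], status_at(r, event_time)) for r in hits]

def reverse_view(rows, ip):
    """Pivot on an IP: each domain that resolved to it, with a reverse query type."""
    return [(ip, r[0], r[2], r[3], "reverse " + r[4]) for r in rows if r[1] == ip]

if __name__ == "__main__":
    infection = parse_utc("2023-03-10T09:00:00")  # constructed incident time
    print(timeline_for(ROWS, "c2.example.test", infection))
    for row in reverse_view(ROWS, "203.0.113.10"):
        print(row)
```

A result marked `expired` at the incident time corresponds to the case mentioned at the top of this page, where the infrastructure was no longer observed by the time of the infection.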