Know Your Foe: Dynamic DNS in Research

If you happened to see “toythieves.com”, what would you think? Before spending any time performing analysis on the domain, you might want to consider that it could belong to a dynamic DNS provider. In fact, toythieves happens to be associated with a larger dynamic DNS provider, ChangeIP.com. Visiting their page reveals not one, but hundreds of higher-level domains you can choose from and pair with an arbitrary subdomain of your choosing. The result: a free domain tied to your IP address with no set expiration time.

Dynamic DNS provides an alternative to the traditional process of managing DNS records for infrastructure that frequently changes IP addresses. Providers like ChangeIP aim to make it easy for inexperienced users to obtain a domain name at little to no cost in exchange for having to pick from a predefined list of higher-level domains like “toythieves.com”.

Over the past several years, threat actors have started to adopt dynamic DNS infrastructure as one of their primary means of command and control. Aside from being free, dynamic DNS allows actors to quickly stand up and take down infrastructure at little cost and with limited overhead compared with registering a domain through traditional means. The by-product of this process is that no WHOIS information is required for the subdomain, no useful registration time frame is easily observed, and the higher-level domain's history will always include a mix of unrelated infrastructure data from other users.

Knowing whether a domain is associated with a dynamic DNS provider can help an analyst identify valid avenues of research and also reduce the time it takes to assess whether a given piece of infrastructure is malicious. The PassiveTotal platform has an extensive repository of known dynamic DNS providers (over 4,000 unique domain names) and is constantly updating its collection via our user base and automated methods.

In an effort to assist analysts with their research and infrastructure assessment, PassiveTotal automatically associates the tag “dynamic” with any domain that matches a known dynamic DNS provider. By tagging these domains, we hope to guide analysts' research efforts, reduce false assumptions, and prevent analysts from actively pursuing potentially unrelated avenues of research.
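As an added illustration (not PassiveTotal's own code), the following shows how a "dynamic" tag like the one described above can be derived by matching a hostname against a list of known provider domains on whole DNS labels, so that look-alike names do not match and the user-chosen subdomain can be separated from the provider's higher-level domain. Apart from toythieves.com, the provider entries are constructed stand-ins, and the function names are assumptions.

```python
from typing import Optional

# Constructed sample of dynamic DNS higher-level domains. toythieves.com is the
# ChangeIP domain from the text; the other two are hypothetical placeholders
# standing in for a real list of thousands of provider domains.
DYNAMIC_DNS_DOMAINS = {
    "toythieves.com",
    "dyndns.example",
    "dyn.example.org",   # a provider domain with more than two labels
}


def normalize(host: str) -> str:
    """Lower-case the name and drop surrounding whitespace and a trailing dot."""
    return host.strip().rstrip(".").lower()


def dynamic_dns_provider(host: str) -> Optional[str]:
    """Return the provider domain that `host` falls under, or None.

    Candidates are built from whole labels, so 'nottoythieves.com' does not
    match 'toythieves.com'. Walking from the full name downward means the
    first hit is the longest matching provider suffix.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DYNAMIC_DNS_DOMAINS:
            return candidate
    return None


def tag_domain(host: str) -> dict:
    """Produce a record with the 'dynamic' tag and the user-chosen subdomain."""
    name = normalize(host)
    provider = dynamic_dns_provider(name)
    subdomain = None
    if provider and name != provider:
        # Strip the provider suffix and the dot that joins it.
        subdomain = name[: -(len(provider) + 1)]
    return {
        "host": name,
        "tags": ["dynamic"] if provider else [],
        "provider": provider,
        "subdomain": subdomain,
    }


if __name__ == "__main__":
    for h in ["myhost.toythieves.com", "nottoythieves.com", "www.example.net"]:
        print(tag_domain(h))
```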