Partner Spotlight: Expose Adversaries' Networks With Farsight Security | Recorded Future

November 2, 2016 • Glenn Wong

Gain valuable insight into adversaries’ networks with Recorded Future and Farsight Security.

Editor’s Note

This is part of a series of blog posts on useful “all-source analysis” research and collaborative approaches using Recorded Future and our OMNI Intelligence Partners.


Farsight Security Passive DNS is an extension built into the Recorded Future Intelligence Cards™. It enables an analyst to easily retrieve and pivot on passive DNS (pDNS) records for hostnames and IP addresses during their investigation to gain actionable insights into adversarial networks and associated actors.


A single suspicious IP address or domain name is often the start of a cyber investigation. Yet cyber criminals often use and discard hundreds of domain names for a cyber attack to avoid detection; these indicators remain hidden or undetected. Security analysts and incident response teams don’t have the time or resources to investigate every threat indicator.

As a result, investigations remain incomplete and become the foundation for future attacks.

To efficiently perform investigations, security teams need to “turn back the clock” to view internet infrastructure as it was at a certain point in time. With this historic view, security teams can see how adversaries have “rolled” through related domains, IP addresses, and name servers to conceal their activity.


Every online transaction — good or bad — begins with a DNS lookup and leaves a trail of that activity. Passive DNS shines a light on this trail to provide invaluable, actionable intelligence for security analysts to expose bad actors, their associates, and the networks involved.

Farsight Security collects and processes more than 200,000 passive DNS observations per second. It has the world’s largest historical passive DNS database, with more than 13 billion domain names.

Recorded Future, combined with Farsight’s passive DNS intelligence, contains a wealth of insights about global threat actors, their methods, and associated technical indicators — organized in a single view on the following Intelligence Cards™.

Intelligence Card™    Extension
IP Address            Available
Domain                Available

[Figure: Intelligence Card™ for IP address with corresponding lookup response from Farsight Security.]

With a click of a button on a single IP address or domain name, security analysts can use Farsight’s passive DNS to answer critical questions such as:

  • Given one domain as a starting point, what other domains share the same IP address?
  • Given one domain as a starting point, what other domains use the same name servers?
  • Show me all the IP addresses that a domain has used over the past week (or month, or three months, or year).
  • What are all the fully qualified domain names (hostnames) that are known to exist under a domain of interest?
  • Given the IP address range, what hosts are known to have used IP addresses from that range?
  • Show me domains that include the word “rolex,” or show me domains that use variants of “rolex” such as “r0lex” or “ro1ex.”

These are very powerful capabilities, particularly if you’re working on cyber criminal enterprises that use a lot of different domains.
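
The pivots listed above, sketched over a handful of constructed passive DNS observations. This is an added example, not code from Recorded Future or Farsight Security, and it calls neither product's API; the record layout, the .example hostnames and the helper names are assumptions made for illustration.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed pDNS observations: (rrname, rrtype, rdata, first_seen, last_seen).
# Names use the reserved .example TLD; addresses are documentation ranges.
RECORDS = [
    ("shop.rolex-deals.example", "A", "192.0.2.10", date(2016, 9, 1), date(2016, 9, 20)),
    ("shop.rolex-deals.example", "A", "198.51.100.7", date(2016, 10, 25), date(2016, 11, 1)),
    ("r0lex-outlet.example", "A", "192.0.2.10", date(2016, 9, 15), date(2016, 10, 2)),
    ("login.ro1ex-pay.example", "A", "203.0.113.5", date(2016, 10, 1), date(2016, 10, 30)),
    ("rolex-deals.example", "NS", "ns1.bulkdns.example", date(2016, 9, 1), date(2016, 11, 1)),
    ("ro1ex-pay.example", "NS", "ns1.bulkdns.example", date(2016, 10, 1), date(2016, 10, 30)),
    ("news.example", "A", "203.0.113.99", date(2016, 1, 1), date(2016, 11, 1)),
]

def rdata_of(name, rrtype):
    return {r[2] for r in RECORDS if r[0] == name and r[1] == rrtype}

def sharing(name, rrtype):
    """Other names that ever held the same rdata (shared IP for A, shared name server for NS)."""
    mine = rdata_of(name, rrtype)
    return {r[0] for r in RECORDS if r[1] == rrtype and r[2] in mine and r[0] != name}

def ips_in_window(name, start, end):
    """A records whose observation interval overlaps [start, end]."""
    return {r[2] for r in RECORDS
            if r[0] == name and r[1] == "A" and r[3] <= end and r[4] >= start}

def hosts_under(zone):
    """The zone apex plus every hostname observed beneath it."""
    return {r[0] for r in RECORDS if r[0] == zone or r[0].endswith("." + zone)}

def hosts_in_range(cidr):
    """Hostnames that have resolved to an address inside the given range."""
    net = ip_network(cidr)
    return {r[0] for r in RECORDS if r[1] == "A" and ip_address(r[2]) in net}

LOOKALIKE = str.maketrans("01", "ol")  # fold digit substitutions back to letters

def names_like(word):
    """Names containing the word once 0/1 look-alikes are normalised."""
    return {r[0] for r in RECORDS if word in r[0].translate(LOOKALIKE)}
```

The shared-IP pivot matches on historical overlap, so a hit means two names used the same address at some point, not necessarily at the same time; compare the first-seen and last-seen dates before treating them as related.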

Security analysts and incident responders need access to real-time and historical passive DNS data to block their infrastructure from being used by bad actors. A historical view of passive DNS data also enables security teams to detect patterns of malicious activity and identify phishing, APT, or other targeted attacks.

According to Levi Gundert, Recorded Future’s Vice President of Intelligence and Strategy, “Farsight Security’s pDNS data is a critical component when combined with Recorded Future’s all-source intelligence, because comprehensive pDNS provides quick historical indicator insight for enhanced analysis in record time.”


A recent analysis by the Recorded Future team nicely demonstrated this integration as Farsight Security helped identify a new DarkComet RAT controller.

With a minimum number of clicks, security analysts can drill down on threat actors’ networks, expose information related to an investigation, and expand their research to those IPs and domains to block potential future attacks.



Farsight Security

Founded by internet pioneer Dr. Paul Vixie, Farsight Security, Inc. provides the world’s largest real-time threat intelligence on changes to the internet. Leveraging proprietary technology with over 200,000 observations per second, Farsight provides the internet’s view of an organization and how it is changing purposely, inadvertently, or maliciously.
