by genmud 606 days ago
Neat! How is this different than domaintools/farsight [1]?

Passive DNS [2] has been in my toolbox for 15+ years, and is invaluable for security research / threat intelligence. Knowing the historical resolutions of something is so helpful in investigations.

For anyone interested, they should check out the talk by one of the DomainTools people [3] on how it can be utilized for investigation.

Are you passively collecting this data, or actively querying for these records?

[1] - https://www.domaintools.com/products/threat-intelligence-fee...

[2] - https://www.circl.lu/services/passive-dns/

[3] - https://www.youtube.com/watch?v=oXmapqLkZd0

2 comments

Is this making use of Let's Encrypt as well? AFAIK all Let's Encrypt-signed certificates, including all subdomains, are immediately public, which could be useful for security research as well.
It's not about Let's Encrypt but Certificate Transparency, which works the same for all public CAs.

I wrote a documentation piece here:

https://www.merklemap.com/documentation/how-it-works

At first glance it looks like this data is generated via the public certificate transparency log, so I would imagine the answer is yes.
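To make the point in this sub-thread concrete (every SAN name on a publicly issued certificate, internal host names included, is readable from the CT logs), here is an added example in Go that is not code from the thread or from MerkleMap: it extracts the SAN dNSName entries from a certificate and keeps those under a domain you monitor, the core of a CT monitor for your own domain. The certificate is self-signed and constructed in the code so it runs offline; `sanNamesUnder`, `constructedCertDER` and the example host names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sanNamesUnder parses a DER certificate and returns the SAN dNSName entries that
// are the monitored domain or a subdomain of it: what a CT monitor watching your
// own domain surfaces from each new log entry (every SAN is public, not just www).
func sanNamesUnder(der []byte, domain string) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	domain, out := strings.ToLower(domain), []string{}
	for _, n := range cert.DNSNames {
		if n = strings.ToLower(n); n == domain || strings.HasSuffix(n, "."+domain) {
			out = append(out, n)
		}
	}
	return out, nil
}

// constructedCertDER builds a self-signed certificate carrying the given SANs so
// the example runs offline; it stands in for a certificate pulled from a CT log.
func constructedCertDER(names []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     names,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed sample: the internal VPN host is as visible as www once logged.
	der, _ := constructedCertDER([]string{"www.example.com", "VPN.internal.example.com", "other.test"})
	names, _ := sanNamesUnder(der, "example.com")
	fmt.Println(names) // [www.example.com vpn.internal.example.com]
}
```

In a real monitor the DER bytes come from the log's entries, and the unexpected names (hosts you never meant to expose) are the ones to alert on.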
From what I understand [1] is just TLDs, not subdomains?
That would be incorrect, they get subdomains for passive dns feeds.
Ok, it'd be interesting to know how big their datasets are compared to mine and how much they overlap.