DNS Database Download Is Now Reinforced with Wildcard and Active Fields | WhoisXML API

DNS & DNS History Blog

DNS Database Download Is Now Reinforced with Wildcard and Active Fields

We are excited to announce that the Standard and Premium DNS Database files from DNS Database Download are now enriched with two new columns, namely, wildcard and active. These additions allow you to determine if a DNS record is part of a wildcard entry and check if a domain name or subdomain is active based on its most recent resolution status.

If the wildcard column says True, a query for a randomly generated subdomain of the domain (a label no administrator would have created) returned a DNS record, so the domain is inferred to have a wildcard DNS configuration. A False value means only explicitly defined subdomains resolve to DNS records; a query for a random FQDN returns nothing. An empty wildcard column means the domain’s DNS records have not yet been checked for wildcard behaviour. Note that a wildcard record applies per record type, so a zone can be a catch-all for A records while still answering negatively for other types; the flag reflects the type that was queried.

With this new wildcard field, WhoisXML API users can now:

  • Better filter out DNS data noise: A wildcard (catch-all) record answers queries for any subdomain that was never explicitly defined, so bulk resolution data fills up with names nobody created, typically the guessed labels of scanners and brute-force enumerators. The wildcard field lets you restrict analysis to subdomains that DNS administrators actually defined, giving a cleaner, better-quality dataset that needs less storage and processing.
  • Expand attack surface discovery: Wildcard records pose security risks, especially when security teams do not know they exist. Every name beneath the zone resolves, and if the wildcard target is a deprovisioned host or an unclaimed third-party service, an attacker can claim it and serve content under any subdomain of the organisation (subdomain takeover). Identifying wildcards through DNS intelligence therefore helps reduce the attack surface: remove them where possible or, if they are strictly necessary, restrict and closely monitor them.

Meanwhile, the new active field records whether the most recent query for a domain or subdomain returned a DNS record. If the field says True, the query returned a valid record and the name is considered active. If the query came back with a negative response (no records retrieved, such as NXDOMAIN or an empty answer), the name is inactive and the field is marked False. An empty active column means the name’s DNS records have not yet been checked.

The active field enables users to:

  • Enhance cyber investigations: The timestamps of a malicious domain’s recent and historical resolutions, together with whether each resolution succeeded or failed, let investigators reconstruct a timeline of the domain’s life around a cyber incident. The records can also be preserved as forensic evidence.
  • Identify botnets and DGA-created domains: A host that issues large numbers of DNS queries that never resolve is a classic sign of DGA-based botnet activity, since a bot cycles through many algorithmically generated candidate domains of which only a few are ever registered. Cross-referencing the queried names against the active field helps separate the handful of registered rendezvous domains from the unregistered noise, and tracking the volume of failed resolutions supports endpoint protection.
  • Detect malware distribution: Malicious domains often show a fluctuating resolution status, since they are registered and weaponized quickly and frequently taken down soon after. Tracking these status changes helps profile an attacker’s tactics, techniques, and procedures (TTPs), such as how long their infrastructure typically stays live.
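The checks behind both fields, as an added example written for this post (it is not WhoisXML API’s code): the wildcard probe queries random labels under a domain, the active check records whether a name returned any record, and a filter applies the two columns to sample database rows. It goes one step beyond the post by comparing each subdomain’s answer against the wildcard answer, which is how subdomain enumerators separate explicitly defined names from wildcard-generated ones. The resolver is a constructed fake zone so the code runs offline (a real deployment would plug in a DNS client such as dnspython), and the sample CSV rows and every column name other than wildcard and active are assumptions about the file layout, not the real format.

```python
"""Wildcard and active classification over a pluggable DNS resolver.

Added example for this post; not WhoisXML API's code. The zone data and the
CSV rows below are constructed for the demo.
"""
import csv
import io
import secrets
from typing import Callable, Dict, List, Optional

# A resolver maps an FQDN to its answer records, or None when the name does
# not resolve (NXDOMAIN or an empty answer). Real code would wrap a DNS client
# here; the demo injects fake_resolve so everything runs offline.
Resolver = Callable[[str], Optional[List[str]]]


def is_active(fqdn: str, resolve: Resolver) -> bool:
    """'active' as the post defines it: the latest query returned a record."""
    return bool(resolve(fqdn))


def wildcard_answer(domain: str, resolve: Resolver, probes: int = 2) -> Optional[List[str]]:
    """Query random labels nobody would have created beneath `domain`.

    If every probe gets an answer, the zone has a catch-all record. The answer
    is returned (sorted) so callers can tell real subdomains from wildcard noise.
    """
    first: Optional[List[str]] = None
    for _ in range(probes):
        label = secrets.token_hex(12)            # 24 hex chars: not a real subdomain
        answer = resolve(f"{label}.{domain}")
        if not answer:
            return None                          # a random name failed: no wildcard
        first = first or sorted(answer)
    return first


def explicit_subdomains(domain: str, candidates: List[str], resolve: Resolver) -> List[str]:
    """Keep only names an administrator actually defined.

    Under a wildcard, a candidate counts as explicit only if its answer differs
    from the catch-all answer. Caveat: an explicit record that deliberately
    points at the same target as the wildcard is indistinguishable and dropped.
    """
    catch_all = wildcard_answer(domain, resolve)
    kept = []
    for name in candidates:
        answer = resolve(name)
        if not answer:
            continue                              # inactive
        if catch_all is not None and sorted(answer) == catch_all:
            continue                              # same answer as random names: noise
        kept.append(name)
    return kept


# Constructed zone data (assumed, not real DNS). catchall.example has a
# wildcard A record plus one explicit subdomain with a different target.
_RECORDS: Dict[str, List[str]] = {
    "example.com.": ["A 203.0.113.10"],
    "www.example.com.": ["A 203.0.113.10"],
    "mail.example.com.": ["A 203.0.113.25"],
    "app.catchall.example.": ["A 198.51.100.50"],
}
_WILDCARDS: Dict[str, List[str]] = {"catchall.example.": ["A 198.51.100.5"]}


def fake_resolve(fqdn: str) -> Optional[List[str]]:
    """Stand-in resolver: explicit records first, then wildcard zones, else None."""
    fqdn = fqdn.rstrip(".") + "."
    if fqdn in _RECORDS:
        return _RECORDS[fqdn]
    for zone, answer in _WILDCARDS.items():
        if fqdn.endswith("." + zone):
            return answer
    return None


# Constructed rows in the shape the post describes: wildcard and active hold
# True, False or empty (not yet checked). The 'domain' column is an assumption.
SAMPLE_CSV = """domain,wildcard,active
www.example.com,False,True
ghost.example.com,False,False
anything.catchall.example,True,True
new.example.net,,
"""


def filter_rows(csv_text: str) -> Dict[str, List[str]]:
    """Bucket database rows: live non-wildcard names, wildcard noise,
    inactive names, and names whose fields are still empty (unchecked)."""
    buckets: Dict[str, List[str]] = {"keep": [], "wildcard": [], "inactive": [], "unchecked": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["active"] == "" or row["wildcard"] == "":
            buckets["unchecked"].append(row["domain"])
        elif row["active"] != "True":
            buckets["inactive"].append(row["domain"])
        elif row["wildcard"] == "True":
            buckets["wildcard"].append(row["domain"])
        else:
            buckets["keep"].append(row["domain"])
    return buckets


if __name__ == "__main__":
    print("example.com wildcard:", wildcard_answer("example.com", fake_resolve))
    print("catchall.example wildcard:", wildcard_answer("catchall.example", fake_resolve))
    print(explicit_subdomains("catchall.example",
                              ["app.catchall.example", "random.catchall.example"], fake_resolve))
    print(filter_rows(SAMPLE_CSV))
```

Two probes rather than one guard against a single lucky collision or a transient resolver hiccup; raise the count if you are scoring zones you will act on. Rows with an empty field are kept in their own bucket instead of being treated as inactive, since the post defines an empty column as "not yet checked", not as a negative result.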

In summary, both wildcard and active data points can empower you to refine your DNS data analyses, identify potential security risks, and enhance your overall security posture. These new fields are also available as optional output parameters for several of our APIs such as Reverse IP API, Reverse DNS API, Reverse MX API, and Reverse NS API.

Download a sample of our Premium DNS Database files or contact us for a better overview of the new “wildcard” and “active” fields.
