How DNS Works (and Why It Matters for Brand Protection)
The Domain Name System (DNS) translates human-readable domain names (like example.com) into IP addresses that computers use to communicate. Every domain name has a set of DNS records that define how it operates — where it's hosted, where its email goes, and what services are associated with it.
For brand protection, DNS data is one of the earliest signals that a threat is emerging. A new domain registration that resembles your brand, a DNS change pointing a previously parked domain to a web server, or an MX record being added to enable phishing emails — these are all detectable through DNS monitoring before the attack reaches your customers.
Key DNS Record Types for Threat Detection
| Record Type | What It Contains | Brand Protection Relevance |
|---|---|---|
| A / AAAA | IPv4 / IPv6 address of the domain | Reveals hosting location; shared IPs can link related threat domains |
| MX | Mail server configuration | Indicates the domain can send/receive email (phishing risk) |
| NS | Authoritative nameservers | Identifies DNS provider; certain providers are associated with abuse |
| TXT | Arbitrary text (often SPF, DKIM, DMARC) | Presence of email authentication records signals intent to send email |
| CNAME | Alias to another domain | Can reveal domain infrastructure chains |
| SOA | Start of Authority metadata | Contains serial numbers and refresh intervals useful for change tracking |
DNS Data Sources
Zone File Access
ICANN's Centralized Zone Data Service (CZDS) provides access to zone files for most generic top-level domains (gTLDs). A zone file is a complete list of all registered domains within a TLD. By comparing daily zone file snapshots, monitoring systems can identify newly registered domains that resemble a protected brand.
CZDS access is available to qualifying organizations through an application process. Coverage includes over 1,200 gTLDs but does not include country-code TLDs (ccTLDs) like .uk, .de, or .fr, which are managed independently by their respective registries.
Importantly, many ccTLD registries do not publish full zone files or lists of registered domain names at all. This means that comprehensive monitoring of domain registrations is not always possible in these namespaces, unlike in trademark systems, where applications and registrations are publicly available through official journals.
To address this limitation, brand protection providers rely on a range of alternative discovery techniques, such as passive DNS data and other signal-based approaches. These methods do not provide a complete list of registered domains, but they can surface a significant portion of active or newly used domains. In practice, these capabilities are often built on proprietary technologies, and coverage varies depending on the approach used.
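The zone-file comparison described above, as an added example that is not part of the original article: two constructed snapshots of a hypothetical TLD are diffed to find newly delegated names, and each new name is scored against a protected brand (the brand "acmebank", the nameservers and the similarity threshold are assumptions for the example).

```python
import re
from difflib import SequenceMatcher

# Constructed zone snapshots for a hypothetical TLD (not real CZDS data).
# Real zone files carry an NS delegation per registered name; the
# $ORIGIN and SOA lines are zone metadata and are skipped below.
ZONE_DAY1 = """\
$ORIGIN example.
example. 3600 IN SOA ns1.example. hostmaster.example. 2024010100 7200 3600 1209600 3600
acmebank 3600 IN NS ns1.hosting.example.
weather 3600 IN NS ns1.hosting.example.
"""
ZONE_DAY2 = """\
$ORIGIN example.
example. 3600 IN SOA ns1.example. hostmaster.example. 2024010200 7200 3600 1209600 3600
acmebank 3600 IN NS ns1.hosting.example.
weather 3600 IN NS ns1.hosting.example.
acme-bank-login 3600 IN NS ns1.cheap-dns.example.
acmebnk 3600 IN NS ns1.cheap-dns.example.
kittens 3600 IN NS ns1.hosting.example.
"""

def delegated_names(zone_text):
    """Set of labels that carry an NS delegation, i.e. registered domains."""
    names = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            names.add(parts[0].lower())
    return names

def new_registrations(old_zone, new_zone):
    """Labels present in today's snapshot but absent from yesterday's."""
    return sorted(delegated_names(new_zone) - delegated_names(old_zone))

def lookalike_score(label, brand):
    """Drop hyphens and digits, then score character-level similarity 0..1."""
    stripped = re.sub(r"[-0-9]", "", label.lower())
    return stripped, SequenceMatcher(None, stripped, brand.lower()).ratio()

def flag_lookalikes(old_zone, new_zone, brand, threshold=0.8):
    """New registrations that embed the brand or score above the threshold."""
    hits = []
    for label in new_registrations(old_zone, new_zone):
        stripped, score = lookalike_score(label, brand)
        if brand.lower() in stripped or score >= threshold:
            hits.append((label, round(score, 2)))
    return hits
```

Flagged names are candidates for review only; as the article notes later, content analysis is still needed to confirm actual infringement.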
Passive DNS Databases
Passive DNS systems collect DNS resolution data by observing actual DNS traffic at recursive resolvers or network sensors. Unlike active scanning (which queries DNS servers directly), passive DNS records what domains are being resolved in real-world traffic.
Passive DNS is particularly valuable for:
- Historical lookups — seeing what IP address a domain pointed to at a specific time
- Reverse lookups — finding all domains that have ever pointed to a given IP address
- Infrastructure mapping — identifying clusters of domains sharing hosting or nameserver infrastructure
Limitations of DNS Monitoring Alone
DNS monitoring is a foundational layer but is not sufficient on its own for comprehensive brand protection:
- ccTLD coverage gaps — Country-code TLD zone files are not available through CZDS and require separate arrangements with each registry
- Subdomain visibility — Subdomain-based attacks (e.g., yourbrand.malicious-site.com) don't create new zone file entries and require different detection methods
- Content analysis — DNS data reveals infrastructure, not content. A domain that looks suspicious at the DNS level may be legitimate, and vice versa. Content analysis is needed to confirm actual brand infringement.
- Speed vs. completeness — Zone files are typically updated daily, creating a lag between registration and detection.
Effective brand protection combines DNS monitoring with web content analysis and threat intelligence enrichment to minimize both false positives and missed threats.