Fully Qualified Domain Name (FQDN)
A Fully Qualified Domain Name (FQDN) is the complete and specific address of a device or resource on the Internet or a private network. It includes all the necessary components to unambiguously identify its location within the Domain Name System (DNS) hierarchy. Think of it as a detailed GPS address for an online resource.
Components of an FQDN
An FQDN is typically composed of three main parts, which are read from right to left in order of hierarchy:
Top-Level Domain (TLD): This is the last part of the FQDN, such as .com, .org, or .net. It indicates the purpose or country of the domain.
Second-Level Domain: This is the name you register, like google in google.com. It's the unique name that represents a company, organization, or individual.
Hostname: This is the specific name of a host or service within the domain, like www, mail, or ftp. It identifies a particular machine or service.
For example, in the FQDN mail.google.com, the TLD is .com, the second-level domain is google, and the hostname is mail.
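The right-to-left split described above, written out as an added Python example (not code from the original page): it lower-cases the name, strips the trailing root dot, validates label and total lengths, and handles multi-label public suffixes such as co.uk, where the one-label-TLD rule would report the wrong second-level domain. The suffix set inside it is a small constructed sample standing in for the full Public Suffix List.

```python
# Added example: split an FQDN into hostname, second-level domain and TLD.
# MULTI_LABEL_SUFFIXES is a constructed sample; the real Public Suffix List
# has thousands of entries and should be used in production.
from dataclasses import dataclass

MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


@dataclass(frozen=True)
class FqdnParts:
    hostname: str       # leading labels, e.g. "mail" or "dev.api"; empty for a bare domain
    second_level: str   # the registered name, e.g. "google"
    tld: str            # public suffix, e.g. "com" or "co.uk"


def normalize(fqdn: str) -> str:
    """Lower-case the name and drop the trailing root dot ("mail.google.com.")."""
    name = fqdn.strip().lower().rstrip(".")
    if not name:
        raise ValueError("empty domain name")
    if len(name) > 253:
        raise ValueError("FQDN longer than 253 characters")
    for label in name.split("."):
        # Each DNS label is 1..63 octets; an empty label means "a..b" or a leading dot.
        if not label or len(label) > 63:
            raise ValueError(f"invalid label in {fqdn!r}")
    return name


def split_fqdn(fqdn: str) -> FqdnParts:
    name = normalize(fqdn)
    labels = name.split(".")
    # How many trailing labels form the TLD / public suffix: 2 for co.uk-style suffixes.
    tld_len = 2 if len(labels) >= 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) < tld_len + 1:
        raise ValueError(f"{fqdn!r} has no second-level domain")
    tld = ".".join(labels[-tld_len:])
    second_level = labels[-tld_len - 1]
    hostname = ".".join(labels[: -tld_len - 1])
    return FqdnParts(hostname, second_level, tld)


def registered_domain(fqdn: str) -> str:
    """The part an organisation actually registers, e.g. mycompany.com for shop.mycompany.com."""
    parts = split_fqdn(fqdn)
    return f"{parts.second_level}.{parts.tld}"


if __name__ == "__main__":
    for name in ("mail.google.com", "www.example.co.uk", "google.com."):
        print(name, "->", split_fqdn(name))
```

The registered_domain helper is the value most security tooling keys on (certificate ownership, brand monitoring, allow lists), which is why getting the public suffix right matters: with a one-label rule, example.co.uk would be reported as the host "example" under the second-level domain "co".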
Role in Cybersecurity
FQDNs are crucial for cybersecurity because they provide a verifiable and non-ambiguous way to identify network resources. This precision is essential for several security functions:
SSL/TLS Certificates: These certificates, which enable secure HTTPS connections, are issued to specific FQDNs. The certificate verifies that the user is connected to the intended server, not a malicious one.
Firewall and Security Rules: FQDNs allow network administrators to create granular security policies. Instead of manually listing multiple IP addresses that could change, they can set a rule to allow or deny traffic for a specific domain, making it easier to manage security controls.
Threat Intelligence and Detection: FQDNs are used in logs and security information and event management (SIEM) systems to uniquely identify network traffic and correlate events from different sources. This helps in detecting and blocking DNS-based attacks, such as domain spoofing, where attackers create a fake FQDN to redirect users to a malicious site.
DNS Security: Measures like DNSSEC (Domain Name System Security Extensions) use digital signatures on DNS records so that a resolver can verify that the answer it receives for an FQDN is authentic and unmodified, protecting against DNS spoofing and cache poisoning attacks.
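An added example of the FQDN-based firewall rules mentioned above (not code from the original page): a small policy evaluator that matches names on whole DNS labels, so an allow rule for mycompany.com does not also admit evil-mycompany.com or mycompany.com.attacker.example. The "*.domain" rule syntax, the first-match-wins ordering and the sample policy are assumptions of this example.

```python
# Added example: allow/deny rules keyed on FQDNs instead of IP addresses.
# Rule syntax ("*.base" covers base and everything below it) is assumed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    pattern: str    # exact FQDN, or "*.domain" for that domain and all names under it


def _canon(name: str) -> str:
    return name.strip().lower().rstrip(".")


def matches(pattern: str, fqdn: str) -> bool:
    """Match on whole labels only: 'mycompany.com' must not match
    'evil-mycompany.com' or 'mycompany.com.attacker.example'."""
    pattern, fqdn = _canon(pattern), _canon(fqdn)
    if pattern.startswith("*."):
        base = pattern[2:]
        return fqdn == base or fqdn.endswith("." + base)
    return fqdn == pattern


def naive_matches(pattern: str, fqdn: str) -> bool:
    """The plain substring check this example warns against, kept for contrast."""
    return pattern.lstrip("*.") in fqdn


def evaluate(rules: list, fqdn: str, default: str = "deny") -> str:
    """First matching rule wins; names no rule covers get the default action."""
    for rule in rules:
        if matches(rule.pattern, fqdn):
            return rule.action
    return default


# Constructed sample policy: a specific block must precede the subtree allow it carves out of.
POLICY = [
    Rule("deny", "legacy.mycompany.com"),
    Rule("allow", "*.mycompany.com"),
    Rule("allow", "updates.vendor.example"),
]


if __name__ == "__main__":
    for name in ("api.mycompany.com", "legacy.mycompany.com",
                 "mycompany.com.attacker.example", "evil-mycompany.com"):
        print(f"{name:35} -> {evaluate(POLICY, name)}")
```

Two practical points the evaluator makes visible: rule order matters whenever a narrow deny overlaps a broad allow, and a name-based rule is only as trustworthy as the name resolution the firewall performs itself (or the SNI it inspects), which is why the DNSSEC item above belongs in the same list.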
ThreatNG uses Fully Qualified Domain Names (FQDNs) to identify and assess an organization's external attack surface and digital risk from the perspective of an attacker. It conducts purely external, unauthenticated discovery and assessment, meaning it doesn't need to connect to the organization's internal network.
External Discovery and Assessment
ThreatNG's external discovery process identifies an organization's digital assets, including FQDNs, to create a comprehensive view of its external attack surface. The platform's investigation modules then use these FQDNs to perform detailed assessments.
DNS Intelligence: ThreatNG's DNS Intelligence capability analyzes domain records and uses domain name permutations, which are variations and manipulations of a domain name. This helps to uncover lookalike domains that could be used for phishing or brand impersonation attacks.
Example: For a company with the domain mycompany.com, ThreatNG's DNS Intelligence would automatically look for permutations like mycompany-pay.com (using targeted keywords for business/financial operations), mycompany-login.com (for user portals), or boycott-mycompany.com (using critical language). It also checks for different TLDs (Top-Level Domains), like .net or .biz, to see if a similar FQDN has been registered. This helps the company detect and address potential brand damage and phishing threats.
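The permutation search just described, as an added Python example (not ThreatNG's code or anything from the original page): it builds a watchlist of keyword and TLD variants of a brand's registered domain and then checks names observed elsewhere (a new-registration or certificate-transparency feed, for instance) against it. The keyword lists, the alternate TLD set and the observed names are all constructed for the example; it also assumes a single-label TLD, so co.uk-style domains would need the public-suffix handling shown earlier.

```python
# Added example: lookalike-domain watchlist for brand monitoring.
# Keyword lists and TLDs are constructed; real monitoring would use a much
# larger permutation set (typos, homoglyphs) and the full Public Suffix List.
import itertools

BUSINESS_KEYWORDS = ["pay", "login", "secure", "support", "hr"]
CRITICAL_KEYWORDS = ["boycott", "sucks", "scam"]
ALT_TLDS = ["net", "biz", "org", "co", "info"]


def keyword_permutations(brand: str) -> set:
    """brand-pay, brandpay, pay-brand, boycott-brand, ... for every keyword."""
    names = set()
    for kw in BUSINESS_KEYWORDS + CRITICAL_KEYWORDS:
        names.update({f"{brand}-{kw}", f"{brand}{kw}", f"{kw}-{brand}", f"{kw}{brand}"})
    return names


def build_watchlist(registered: str) -> set:
    """Every second-level permutation crossed with the original and alternate TLDs."""
    brand, _, tld = registered.lower().rstrip(".").partition(".")  # assumes one-label TLD
    second_levels = {brand} | keyword_permutations(brand)
    tlds = [tld] + [t for t in ALT_TLDS if t != tld]
    watch = {f"{sl}.{t}" for sl, t in itertools.product(second_levels, tlds)}
    watch.discard(f"{brand}.{tld}")   # the organisation's own domain is not a lookalike
    return watch


def flag_lookalikes(watchlist: set, observed: list) -> list:
    """Observed names whose registered domain is on the watchlist.
    Matching on the last two labels means www.mycompany-pay.com is still caught."""
    hits = []
    for name in observed:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) >= 2 and ".".join(labels[-2:]) in watchlist:
            hits.append(name)
    return hits


# Constructed sample of newly observed names, as a registration feed might deliver them.
OBSERVED = ["www.mycompany-pay.com", "mycompany.biz", "unrelated.example", "mycompany.com"]


if __name__ == "__main__":
    watchlist = build_watchlist("mycompany.com")
    print(len(watchlist), "names on the watchlist")
    print("hits:", flag_lookalikes(watchlist, OBSERVED))
```

A watchlist like this is cheap to generate but grows multiplicatively (permutations times TLDs), so in practice it is matched against feeds rather than resolved name by name; a hit is a signal to check WHOIS, certificates and hosting for the name, not proof of malicious intent.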
Subdomain Intelligence: The platform analyzes subdomains to identify potential security risks, including susceptibility to subdomain takeover. It checks for various factors, including HTTP responses, header analysis, and known vulnerabilities. ThreatNG can also identify the technologies running on subdomains, such as specific web servers, cloud hosting providers like AWS or Azure, or e-commerce platforms like Shopify.
Example: ThreatNG could discover the subdomain dev.mycompany.com and find that it has an empty HTTP response, indicating a potential misconfiguration. Or, it might find api.mycompany.com and discover that a specific vulnerability exists on the server hosting that FQDN, which could be used to gain unauthorized access.
Cyber Risk Exposure: The platform assesses cyber risk exposure by examining various parameters related to FQDNs. This includes checking for exposed certificates, subdomain headers, vulnerabilities, and sensitive ports. It also looks for compromised credentials on the dark web that could increase the risk of an attack on an FQDN.
Example: For shop.mycompany.com, ThreatNG might find that the SSL certificate has expired or that a sensitive port like Telnet is exposed, increasing the risk of a breach or ransomware attack. This analysis directly contributes to the organization's security rating.
Reporting and Continuous Monitoring
ThreatNG provides various reports, including executive, technical, and prioritized reports, to communicate risks associated with FQDNs. It gives an organization a security rating from A to F, which is substantiated by the platform's findings. The platform offers continuous monitoring of the external attack surface, digital risk, and security ratings for all organizations. This ensures that changes to FQDNs and their associated risks are tracked in real-time.
Example: An organization's security team can receive a prioritized report that highlights a high-risk FQDN, like admin.mycompany.com, because it's exposing an unpatched vulnerability. The continuous monitoring feature ensures that if the status of this FQDN changes (e.g., a new port is exposed), the security rating is immediately updated and an alert is generated.
Intelligence Repositories and Complementary Solutions
ThreatNG uses a set of continuously updated intelligence repositories, branded as DarCache, to inform its assessments of FQDNs. This intelligence is crucial for understanding the context and potential impact of FQDN-related risks.
DarCache Vulnerability: This repository provides a holistic approach to managing external risks by providing information on the exploitability, likelihood of exploitation, and potential impact of vulnerabilities. It includes data from NVD (National Vulnerability Database), EPSS (Exploit Prediction Scoring System), and KEV (Known Exploited Vulnerabilities). It also provides direct links to verified Proof-of-Concept (PoC) exploits.
DarCache Ransomware: This repository tracks over 70 ransomware gangs and their activities. ThreatNG's assessments use this intelligence to determine an organization's susceptibility to ransomware attacks, which can be linked to exposed FQDNs.
Complementary Solutions
ThreatNG's use of FQDNs can be a powerful complement to other cybersecurity tools, such as firewalls and security information and event management (SIEM) systems.
ThreatNG could identify a newly exposed FQDN with a known vulnerability and provide this intelligence to a firewall, which can then automatically block traffic to that specific FQDN until the vulnerability is patched.
ThreatNG's continuous monitoring of FQDNs could feed into a SIEM system. For example, if ThreatNG detects a new subdomain related to a third-party vendor, the SIEM could correlate this information with network logs to see if there's any unauthorized traffic to or from that FQDN, helping to identify a potential supply chain attack.
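The SIEM correlation described above, as an added Python example (not ThreatNG's code or any SIEM vendor's rule language): a watchlist of externally discovered FQDNs, such as a new vendor-related subdomain or a host with a known exposure, is matched against proxy log lines, grouping hits by watched name with the internal sources that talked to it. The log format, the watchlist entries and every log line are constructed for this example.

```python
# Added example: correlate an external-attack-surface watchlist with proxy logs.
# Log format, watchlist and all sample lines are constructed for this example.
import re
from collections import defaultdict
from typing import Optional

# Constructed: findings exported from an external scan, keyed by FQDN.
WATCHLIST = {
    "vendor-sync.mycompany.com": "new subdomain pointing at a third-party vendor",
    "legacy.mycompany.com": "exposed service with an unpatched vulnerability",
}

# Constructed sample log lines: "<timestamp> <src_ip> <direction> <fqdn> <bytes>"
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.1.2.3 out api.mycompany.com 2048
2024-05-01T10:00:05Z 10.1.2.3 out vendor-sync.mycompany.com 512
2024-05-01T10:00:09Z 10.1.2.7 out vendor-sync.mycompany.com.attacker.example 128
2024-05-01T10:01:00Z 10.1.2.9 out legacy.mycompany.com 4096
2024-05-01T10:01:30Z 10.1.2.9 out legacy.mycompany.com 4096
2024-05-01T10:02:00Z 10.1.2.3 out www.vendor-sync.mycompany.com 256
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dir>in|out) (?P<fqdn>\S+) (?P<bytes>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """One log line to a dict of fields, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def watched_entry(fqdn: str) -> Optional[str]:
    """The watchlist key this FQDN falls under: exact match or a name below it,
    compared on label boundaries so a look-alike suffix does not count."""
    name = fqdn.lower().rstrip(".")
    for watched in WATCHLIST:
        if name == watched or name.endswith("." + watched):
            return watched
    return None


def correlate(log_text: str) -> dict:
    """Group hits per watched FQDN: how many events and which internal hosts."""
    hits = defaultdict(lambda: {"count": 0, "sources": set(), "reason": ""})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        watched = watched_entry(event["fqdn"])
        if watched is None:
            continue
        entry = hits[watched]
        entry["count"] += 1
        entry["sources"].add(event["src"])
        entry["reason"] = WATCHLIST[watched]
    return dict(hits)


if __name__ == "__main__":
    for name, entry in correlate(SAMPLE_LOGS).items():
        print(f"{name}: {entry['count']} events from {sorted(entry['sources'])} ({entry['reason']})")
```

Grouping by watched FQDN and source host is what turns a raw match into something an analyst can act on: one internal host repeatedly reaching a newly discovered vendor subdomain is a different conversation from twenty hosts doing so, and the external finding attached to each hit supplies the "why" that a bare log line lacks.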