Farsight's DNSDB Time Fencing: A Post-Attack "Time Machine"

ID: 4e44e15d-4c6a-5565-9280-d10ef1017330

STIX ID: report--4e44e15d-4c6a-5565-9280-d10ef1017330

Feed Name: DomainTools

Threat Score: 20/100

Date Published: 2026-03-27

Date Updated: 2026-04-27

Author: domaintools.com

This post explains DNSDB’s “time fencing” capabilities and how to use the dnsdbq CLI to limit historical DNS queries to specific time ranges (loose vs. complete/strict modes, absolute and relative times). It provides examples and a short case study in which Fox-IT experienced unauthorized registry-level DNS changes that briefly pointed its nameservers to attacker-controlled cloud names (a potential MitM); Farsight’s DNSDB data showed limited exposure, and the incident was rapidly remediated.