Gain insight and increase internet safety: sharing cache miss data

What is cache miss data?

Cache miss data is created when a hostname is resolved by an external authoritative server, instead of a DNS resolver’s cache. For example, when you type in a website e.g. www.example.com, that hasn’t been recently searched, the DNS query generates data. This data is timestamped and provides a snapshot of what IP address the hostname, e.g. www.example.com is pointing to.

Why is cache miss data valuable?

Cache miss data provides a wealth of DNS intelligence for IT security teams, researchers, and brand protection specialists, to:

• Track current and historical IP addresses associated with suspicious domains.
• Research suspicious IP addresses or domains to assess the scale of their operations.
• Identify domains and organizations associated with IP blocks and nameservers used by specific hosting providers.
• Assess the risk of lookalike domains.
• Detect copyright and brand infringement by identifying spoofed domains.
• Search for subnets of domains, revealing previously unknown areas of a network.
• Streamline complex reverse engineering when dealing with malware.

The true value of cache miss data is accessed once it is aggregated. This means the more people that share, the larger the dataset, and the easier it is to identify behavior patterns and insights.

Who can share cache miss data?

Anyone can contribute! From large enterprises to smaller businesses, all data adds to the overall value. Organizations including Internet Service Providers (ISPs), hosting companies, and IT service providers already share their cache miss data with Spamhaus. Regardless of size, they all share a common goal: to improve trust and security on the Internet by sharing data.

What information is shared?

Each cache miss record contains just four pieces of information:

• Domain name
• Record type
• Record value
• and Timestamp

Within 60 seconds of receiving the data, we delete all other details including sensitive details like your server’s IP address. No other data, including personally identifiable information (PII) is shared, and you maintain complete control of the data configuration process.

How does Spamhaus process the data?

It starts with a simple one-off configuration step controlled by you. Once received, the data is promptly stored and anonymized within 60 seconds, and de-duped to retain only unique data. The resulting data is then added to Spamhaus’ Passive DNS database, where it becomes a valuable resource for threat intelligence and analysis.

Strengthening trust and safety

For over 26 years, Spamhaus has collaborated with trusted organizations to pool and maximize the value of cache miss data. By contributing, you become part of an active community, helping to strengthen threat analysis and improve network and brand protection. And as a bonus, you’ll also get free access to Spamhaus’ passive DNS database for your own research and threat mitigation! If you share our passion for improving Internet trust and safety, contact us today to learn how to start sharing your cache miss data.