Passive DNS
What is Passive DNS?
A historical database of observed DNS resolutions that lets investigators look up which IPs a domain pointed to and which domains shared an IP over time.
Passive DNS (pDNS) is built by sensors on recursive resolvers that record successful DNS responses without ever querying authoritative servers. Datasets from providers such as Farsight DNSDB, VirusTotal, and SecurityTrails let defenders pivot from a domain to historical IPs, sibling domains, name servers, and first-seen or last-seen timestamps. It is a core resource for threat hunting, malware infrastructure mapping, takedowns, and tracking domain-generation algorithms. Because pDNS only records what was actually queried somewhere, it complements WHOIS, certificate transparency, and active scanning, and it is non-intrusive to the operators of the observed domains.
● Examples
1. Pivoting from a suspicious C2 domain to other domains historically hosted on the same IP within DNSDB.
2. Confirming that a phishing domain first resolved 24 hours before the malicious email campaign began.
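The two pivots above (domain to historical IPs and sibling domains, and a first-seen timing check) are easy to see in a small in-memory model. The following Python is an added example, not code from the page or from Farsight, VirusTotal or SecurityTrails; the record layout (timestamp, rrname, rrtype, rdata), the `PassiveDNS` class and all names and IP addresses are constructed for illustration, and no provider API is called.

```python
"""Minimal in-memory passive DNS store (added example, not the page's code).

Assumption: each sensor observation is a (timestamp, rrname, rrtype, rdata)
tuple, the same key a pDNS provider uses to aggregate first-seen, last-seen
and count. Domains and IPs below are constructed (documentation ranges).
"""
from collections import defaultdict
from datetime import datetime, timedelta


class PassiveDNS:
    def __init__(self):
        # (rrname, rrtype, rdata) -> {"first_seen", "last_seen", "count"}
        self.records = {}
        # reverse index: rdata -> set of rrnames, for IP -> domains pivots
        self.by_rdata = defaultdict(set)

    def observe(self, ts, rrname, rrtype, rdata):
        """Record one successful DNS response seen at a recursive resolver."""
        rrname = rrname.lower().rstrip(".")
        key = (rrname, rrtype, rdata)
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = {"first_seen": ts, "last_seen": ts, "count": 1}
        else:
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
            rec["count"] += 1
        self.by_rdata[rdata].add(rrname)

    def resolutions(self, rrname, rrtype="A"):
        """Forward pivot: every rdata the name resolved to, with timestamps."""
        rrname = rrname.lower().rstrip(".")
        return sorted(
            (rdata, rec["first_seen"], rec["last_seen"], rec["count"])
            for (name, rtype, rdata), rec in self.records.items()
            if name == rrname and rtype == rrtype
        )

    def siblings(self, rrname, rrtype="A"):
        """Reverse pivot: other names that shared any of rrname's rdata values."""
        rrname = rrname.lower().rstrip(".")
        out = set()
        for rdata, *_ in self.resolutions(rrname, rrtype):
            out |= self.by_rdata[rdata]
        out.discard(rrname)
        return sorted(out)

    def first_seen(self, rrname, rrtype="A"):
        res = self.resolutions(rrname, rrtype)
        return min(r[1] for r in res) if res else None

    def resolved_before(self, rrname, moment, window, rrtype="A"):
        """True if rrname first resolved within `window` before `moment`."""
        fs = self.first_seen(rrname, rrtype)
        return fs is not None and moment - window <= fs < moment


def build_sample_store():
    """Constructed sensor observations; returns the store and its epoch."""
    pdns = PassiveDNS()
    t0 = datetime(2024, 3, 1, 12, 0)
    observations = [
        (t0, "c2.example.net", "A", "203.0.113.10"),
        (t0 + timedelta(days=2), "c2.example.net", "A", "203.0.113.10"),
        (t0 + timedelta(days=5), "c2.example.net", "A", "198.51.100.7"),
        (t0 + timedelta(days=1), "update-check.example.org", "A", "203.0.113.10"),
        (t0 + timedelta(days=3), "cdn.example.com", "A", "192.0.2.55"),
        (t0 + timedelta(days=9, hours=22), "login-verify.example.org", "A", "198.51.100.7"),
        (t0 + timedelta(days=10), "login-verify.example.org", "A", "198.51.100.7"),
    ]
    for obs in observations:
        pdns.observe(*obs)
    return pdns, t0


if __name__ == "__main__":
    pdns, t0 = build_sample_store()
    # Example 01: pivot from the suspected C2 domain to co-hosted domains.
    print(pdns.resolutions("c2.example.net"))
    print(pdns.siblings("c2.example.net"))
    # Example 02: did the phishing domain first resolve within 24h of the campaign?
    campaign_start = t0 + timedelta(days=10, hours=12)
    print(pdns.resolved_before("login-verify.example.org", campaign_start, timedelta(hours=24)))
```

The store aggregates rather than logs: repeated observations of the same (name, type, rdata) only move the timestamps and count, which is why pDNS data stays compact and why it can show a resolution existed long before anyone investigated it, while names that were never queried through a sensor simply do not appear.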
● Frequently asked questions
What is Passive DNS?
A historical database of observed DNS resolutions that lets investigators look up which IPs a domain pointed to and which domains shared an IP over time. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Passive DNS?
Common alternative names include: pDNS, DNS observation data.
● Related terms
- WHOIS Lookup (defense-ops № 1236): A query against the WHOIS or RDAP database that returns the registration details of a domain or IP, including registrar, registrant, dates, and name servers.
- Certificate Transparency (defense-ops № 159): An ecosystem of append-only public logs of TLS certificates, defined by RFC 6962 and 9162, that lets anyone audit which certificates exist for any domain.
- Threat Hunting (defense-ops № 1147): Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- Domain Generation Algorithm (DGA) (attacks № 348): An algorithm used by malware to deterministically generate large numbers of candidate domain names so infected hosts can find their command-and-control server.
- Cyber Threat Intelligence (CTI) (defense-ops № 266): Evidence-based knowledge about adversaries, their motivations, and methods, used to inform defensive decisions and prioritize controls.