DNS Checker(beta)

Passive DNS

A sensor-fed database of historical DNS resolutions (also called pDNS) that records which names resolved to which IPs over time, used heavily in threat intelligence and incident response.

Passive DNS (pDNS) is built by deploying sensors at recursive resolvers that log every successful name-to-IP resolution they make, then aggregating the stream into a searchable database. Querying for an IP returns every domain ever seen pointing at it; querying for a domain returns every IP and nameserver it ever used. Threat hunters use it to pivot from one indicator to related infrastructure, spot fast-flux clusters, age out indicators after malware migrates, and reconstruct the historical state of phishing kits. Major providers include Farsight DNSDB, VirusTotal, SecurityTrails, and DomainTools. No personally identifying client data is captured, only the query name and answer.
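
The following is an added example, not code from this page or from any provider: a minimal in-memory pDNS store that shows the aggregation step, forward and reverse lookups, pivoting, indicator age-out and a coarse many-answers check for fast-flux. The record schema, the function names and the sample observations (documentation-range IPs and `.test` names) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
# Constructed sensor stream (hypothetical schema): (timestamp, rrname, rrtype, rdata).
# Only the query name and answer are kept; no client address is recorded.
OBSERVATIONS = [
    ("2024-01-03T10:00:00", "login.example.test.", "A", "192.0.2.10"),
    ("2024-01-05T08:30:00", "Login.Example.Test", "A", "192.0.2.10"),
    ("2024-01-04T12:00:00", "pay.example.test", "A", "192.0.2.10"),
    ("2024-02-20T09:00:00", "login.example.test", "A", "198.51.100.7"),
    ("2024-02-21T09:00:00", "cdn.example.test", "A", "198.51.100.7"),
    ("2024-02-21T09:05:00", "cdn.example.test", "A", "203.0.113.5"),
    ("2024-02-21T09:10:00", "cdn.example.test", "A", "203.0.113.6"),
]

def aggregate(observations):
    """Collapse raw resolutions into one record per (name, type, answer)."""
    records = {}
    for ts, rrname, rrtype, rdata in observations:
        key = (rrname.lower().rstrip("."), rrtype, rdata)  # normalise case and root dot
        seen = datetime.fromisoformat(ts)
        rec = records.setdefault(key, {"first_seen": seen, "last_seen": seen, "count": 0})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["count"] += 1
    return records

def answers_for(records, name):
    """Forward lookup: every answer a name has ever resolved to."""
    return sorted(r for (n, _, r) in records if n == name)

def names_for(records, rdata):
    """Reverse lookup: every name ever seen pointing at an answer."""
    return sorted(n for (n, _, r) in records if r == rdata)

def pivot(records, name):
    """Names sharing any historical answer with `name` (related infrastructure)."""
    related = {n for ip in answers_for(records, name) for n in names_for(records, ip)}
    return sorted(related - {name})

def aged_out(records, as_of, max_age_days):
    """(name, answer) pairs whose last sighting is older than the retention window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted((n, r) for (n, _, r), rec in records.items() if rec["last_seen"] < cutoff)

def many_answers(records, min_answers):
    """Names with at least `min_answers` distinct answers, a coarse fast-flux signal."""
    names = {n for (n, _, _) in records}
    return sorted(n for n in names if len(answers_for(records, n)) >= min_answers)

DB = aggregate(OBSERVATIONS)
```

A shared answer is only a lead: shared hosting and CDNs put unrelated names on the same IP, so pivot results need corroboration, and the `first_seen`/`last_seen` window is what tells you whether two names overlapped in time.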
