What is passive DNS?
Passive DNS collects historical DNS resolution data by observing resolver traffic rather than querying authoritatively. This guide explains how passive DNS data is gathered, what it records, and how investigators use it for infrastructure pivoting.
What is passive DNS?
Passive DNS (pDNS) is historical Domain Name System (DNS) resolution data collected by observing actual DNS traffic at recursive resolvers, rather than by actively querying authoritative name servers. Where a standard DNS lookup returns what a domain resolves to at query time, passive DNS shows what it resolved to over time and what other domains shared the same infrastructure. It is one of the most valuable data sources in threat intelligence.
How data is collected
Passive DNS sensors are deployed at or near recursive resolvers, the DNS servers that handle lookups on behalf of end users and applications. The sensor observes queries and responses flowing through the resolver and records them in a database. Since the sensor is passive, it does not generate queries or modify responses.
Each record typically captures the query name (e.g., example.com), the record type (A, AAAA, CNAME, MX, NS, etc.), the response data (e.g., 93.184.216.34), and timestamps indicating when the resolution was first and last seen. Some implementations also record the TTL and the count of observations. For a primer on the record types captured, see DNS records explained.
Organizations that operate passive DNS databases include commercial threat intelligence providers, academic research projects, and internet infrastructure operators. Coverage varies depending on how many and which resolvers contribute data.
Use cases in investigations
Passive DNS enables infrastructure pivoting, the ability to move between related indicators.
IP to historical domains. Given a suspicious IP address, passive DNS reveals every domain that has resolved to it. This surfaces related domains operated by the same actor that may not appear in any registration feed.
Domain to historical IPs. Given a domain, passive DNS shows which IPs it pointed to over time. A domain that recently moved from a legitimate hosting provider to a known-bad IP range is a meaningful signal.
Tracking infrastructure changes. Monitoring DNS resolution for a set of suspicious domains over time reveals when attackers move to new hosting, add or remove subdomains, or rotate infrastructure. This is particularly valuable for phishing domain detection, where attackers frequently shift infrastructure to evade blocklists.
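The collection model described above (a sensor aggregating observed answers into first-seen/last-seen tuples with a count) and the two pivots (IP to historical domains, domain to historical IPs) can be shown together in a small in-memory store. The code below is an added example, not code from the original page or from any passive DNS provider; the observations, domain names (`.test`) and addresses (RFC 5737 documentation ranges) are constructed, and the `pivot` helper is a hypothetical breadth-first walk that chains both pivots into a cluster.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample observations: (unix_ts, qname, rrtype, rdata, ttl),
# the tuples a passive sensor beside a recursive resolver would see.
# Hypothetical names and RFC 5737 documentation addresses only.
OBSERVATIONS = [
    (1700000000, "login-example.test", "A", "192.0.2.10", 86400),
    (1700003600, "login-example.test", "A", "192.0.2.10", 86400),
    (1700010000, "cdn.example.test", "A", "192.0.2.10", 300),
    (1700020000, "login-example.test", "A", "198.51.100.7", 300),
    (1700020100, "login-example.test", "A", "198.51.100.7", 300),
    (1700030000, "verify-example.test", "A", "198.51.100.7", 300),
    (1700030500, "verify-example.test", "A", "198.51.100.7", 300),
]


@dataclass
class PdnsRecord:
    qname: str
    rrtype: str
    rdata: str
    first_seen: int
    last_seen: int
    ttl: int
    count: int = 0


class PassiveDnsStore:
    """Aggregates observed resolutions keyed by (qname, rrtype, rdata)."""

    def __init__(self):
        self.records = {}
        self._by_rdata = defaultdict(set)   # rdata -> record keys
        self._by_qname = defaultdict(set)   # qname -> record keys

    def observe(self, ts, qname, rrtype, rdata, ttl):
        """Record one observed answer; widens the seen window and bumps count."""
        key = (qname.lower().rstrip("."), rrtype, rdata)
        rec = self.records.get(key)
        if rec is None:
            rec = PdnsRecord(key[0], rrtype, rdata, ts, ts, ttl)
            self.records[key] = rec
            self._by_rdata[rdata].add(key)
            self._by_qname[key[0]].add(key)
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.ttl = ttl            # keep the most recently observed TTL
        rec.count += 1
        return rec

    def domains_for_ip(self, ip):
        """IP -> every domain ever observed resolving to it."""
        return sorted({self.records[k].qname for k in self._by_rdata.get(ip, ())})

    def ips_for_domain(self, qname):
        """Domain -> (rdata, first_seen, last_seen, count), oldest first."""
        keys = self._by_qname.get(qname.lower().rstrip("."), ())
        recs = sorted((self.records[k] for k in keys), key=lambda r: r.first_seen)
        return [(r.rdata, r.first_seen, r.last_seen, r.count) for r in recs]


def build_store(observations=OBSERVATIONS):
    store = PassiveDnsStore()
    for obs in observations:
        store.observe(*obs)
    return store


def pivot(store, seed_domain, max_depth=2):
    """Hypothetical helper: walk domain -> IPs -> domains up to max_depth hops
    and return the resulting (domains, ips) cluster."""
    seen_domains = {seed_domain}
    seen_ips = set()
    frontier = [seed_domain]
    for _ in range(max_depth):
        next_frontier = []
        for d in frontier:
            for ip, *_ in store.ips_for_domain(d):
                if ip in seen_ips:
                    continue
                seen_ips.add(ip)
                for other in store.domains_for_ip(ip):
                    if other not in seen_domains:
                        seen_domains.add(other)
                        next_frontier.append(other)
        frontier = next_frontier
    return sorted(seen_domains), sorted(seen_ips)


if __name__ == "__main__":
    s = build_store()
    print(s.ips_for_domain("login-example.test"))
    print(pivot(s, "verify-example.test"))
```

Starting from `verify-example.test`, the walk reaches `login-example.test` through the shared 198.51.100.7 and then `cdn.example.test` through the older 192.0.2.10 record; the first_seen/last_seen columns show the move between providers that the text calls a meaningful signal. A real store would also need the record type in its pivots (a shared NS or MX is a different kind of link than a shared A record) and would bound the walk, since popular shared hosting IPs produce huge, meaningless clusters.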
Staleness and TTL considerations
Passive DNS records reflect what was observed at a point in time, not current state. High-TTL records (e.g., 86400 seconds) may appear in passive DNS long after the authoritative answer has changed. Conversely, low-TTL domains that change frequently may have many records but with short observation windows. Analysts should cross-reference passive DNS findings with active DNS resolution to confirm current state.
Contrast with active DNS
Active DNS means directly querying a domain's authoritative name servers to get the current answer. It provides fresh data but no history and generates observable queries that sophisticated attackers may detect. Passive DNS provides history without generating queries against the target, making it complementary to active resolution.
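The staleness caveat in the previous section (a high-TTL answer lingering in passive data) and the cross-check with active resolution recommended there can be made concrete with a small reconciliation routine. This is an added example, not part of the original page; the records and the "current" answers are constructed, `classify_record`/`reconcile` are hypothetical helper names, and the only real API used is the standard library `socket.getaddrinfo`, which issues a live query and is therefore kept behind an injectable `lookup` parameter so the routine can run offline.

```python
import socket
import time

# Constructed passive DNS records for a hypothetical domain (RFC 5737 addresses).
SAMPLE_RECORDS = [
    {"qname": "login-example.test", "rdata": "192.0.2.10",
     "first_seen": 1700000000, "last_seen": 1700003600, "ttl": 86400},
    {"qname": "login-example.test", "rdata": "198.51.100.7",
     "first_seen": 1700020000, "last_seen": 1700020100, "ttl": 300},
]

# Constructed stand-in for what an active lookup would return right now.
FAKE_ACTIVE = {"login-example.test": {"203.0.113.5"}}


def active_lookup_stdlib(qname):
    """Real active lookup through the system resolver. Note that this
    generates an observable query, which is exactly what pDNS avoids."""
    return {info[4][0] for info in socket.getaddrinfo(qname, None, socket.AF_INET)}


def classify_record(record, current_answers, now):
    """Label one pDNS record against the current answer set and its TTL."""
    if record["rdata"] in current_answers:
        return "current"
    if now - record["last_seen"] <= record["ttl"]:
        # Not authoritative any more, but still inside the TTL of the last
        # observation: caches may keep serving it, so treat it as live-ish.
        return "within-ttl"
    return "stale"


def reconcile(records, now=None, lookup=active_lookup_stdlib):
    """Cross-reference pDNS records with active resolution, per domain."""
    now = int(time.time()) if now is None else now
    report = {}
    for rec in records:
        qname = rec["qname"]
        if qname not in report:
            report[qname] = {"current": set(lookup(qname)), "records": []}
        label = classify_record(rec, report[qname]["current"], now)
        report[qname]["records"].append((rec["rdata"], label))
    # Anything active DNS returns that pDNS never saw is newly provisioned
    # infrastructure (or simply outside this sensor's coverage).
    for entry in report.values():
        seen = {rdata for rdata, _ in entry["records"]}
        entry["unseen_in_pdns"] = sorted(entry["current"] - seen)
    return report


if __name__ == "__main__":
    print(reconcile(SAMPLE_RECORDS, now=1700050000,
                    lookup=lambda q: FAKE_ACTIVE.get(q, set())))
```

With the constructed clock set roughly eight hours after the last observation, the 86400-second record is still labelled `within-ttl` although the zone has moved on twice, while the 300-second record is already `stale`; that asymmetry is the point of the TTL caveat. The `unseen_in_pdns` list is the other direction of the same check: a current answer that no sensor has recorded yet is a coverage gap, not evidence that the domain was never there.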
Privacy and legal considerations
Because passive DNS data is derived from real user queries, it raises privacy questions. Most passive DNS providers aggregate and anonymize data, recording only the resolution tuple (query, response, timestamps) without identifying which users or clients made the queries. Organizations deploying their own sensors must comply with applicable data protection regulations.
Integrating passive DNS into domain monitoring
Passive DNS is most effective when integrated into broader domain monitoring workflows. By combining pDNS with registration data, certificate transparency, and content analysis, analysts can pivot from a single suspicious domain or IP to an entire infrastructure cluster, track attacker movements over time, and enrich domain investigations with historical context that registration data and active DNS alone cannot provide.