Passive DNS
Definition
Passive DNS (often written as **PassiveDNS** or **pDNS**) is a historical record of how domain names have resolved to IP addresses over time. Normally, when you type a domain like `example.com` into your browser, DNS resolves it to an IP address in real time, and then that answer is gone. Passive DNS changes the game by **logging these DNS answers** as they happen across the internet. This creates a searchable history of:

* Which IPs a domain has pointed to
* Which domains have pointed to a specific IP
* When those changes occurred

Think of it like having a time machine for DNS: you can look back and see where a domain "lived" last week, last month, or last year, even if the DNS records have since changed.

In investigations, Passive DNS is a goldmine for:

* **Infrastructure pivoting** – If you find a malicious domain, you can find other domains that shared the same IP at the same time (often part of the same attacker infrastructure).
* **Attribution** – Linking domains across different campaigns if they've resolved to the same unusual IP.
* **Malware tracking** – Identifying the shifting domains a piece of malware uses for command and control.
* **Incident scoping** – Seeing if known-bad IPs ever hosted other suspicious domains that touched your network.

Example investigative flow:

```
Suspicious domain: bad-login-page.com
Passive DNS shows it resolved to 203.0.113.50 last week
203.0.113.50 also hosted evil-phish.biz and secure-paypal-login.net
→ Those domains appear in phishing logs targeting multiple victims
```

Real-world examples:

* The **Avalanche botnet takedown (2016)** used Passive DNS data to map out a massive network of rotating domains used for phishing and malware delivery.
* Ransomware analysts often pivot in Passive DNS from a phishing domain to dozens of other related domains used in the same campaign.
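The pivot in the investigative flow above, written out as an added example (not code from the original glossary entry): it pivots from a seed domain to the IPs it resolved to, then to other names that resolved to those IPs while the seed was there, and skips IPs crowded with many names, since shared hosting and CDN addresses make poor pivots. The record layout, the names, the addresses and the dates are all constructed for this example and are not real observations.

```python
from datetime import date
from typing import NamedTuple


class PdnsRecord(NamedTuple):
    rrname: str       # queried name
    rrtype: str       # record type (only A records are handled here)
    rdata: str        # answer, e.g. an IPv4 address
    first_seen: date  # first day this name -> answer pair was observed
    last_seen: date   # last day it was observed


# Constructed sample data in the style of a pDNS export (assumed format, not
# real observations). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
RECORDS = [
    PdnsRecord("bad-login-page.com", "A", "203.0.113.50", date(2024, 3, 1), date(2024, 3, 8)),
    PdnsRecord("bad-login-page.com", "A", "198.51.100.7", date(2024, 3, 9), date(2024, 3, 20)),
    PdnsRecord("evil-phish.biz", "A", "203.0.113.50", date(2024, 2, 20), date(2024, 3, 10)),
    PdnsRecord("secure-paypal-login.net", "A", "203.0.113.50", date(2024, 3, 2), date(2024, 3, 5)),
    PdnsRecord("cdn-shared-host.example", "A", "203.0.113.50", date(2023, 1, 1), date(2024, 6, 1)),
    PdnsRecord("unrelated.example", "A", "203.0.113.50", date(2023, 11, 1), date(2023, 12, 1)),
    PdnsRecord("other-victim.example", "A", "198.51.100.7", date(2024, 3, 15), date(2024, 3, 25)),
]


def windows_overlap(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True if the two observation windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def pivot_from_domain(records, seed, max_names_per_ip=50):
    """Domain -> IPs -> other names seen on the same IP while the seed was there.

    Returns {ip: sorted names}. An IP that hosted more than max_names_per_ip
    distinct names overall is skipped: that is usually shared hosting or a CDN,
    where co-residence says little about shared attacker infrastructure.
    """
    result = {}
    for seed_rec in (r for r in records if r.rrname == seed and r.rrtype == "A"):
        on_ip = [r for r in records if r.rrtype == "A" and r.rdata == seed_rec.rdata]
        if len({r.rrname for r in on_ip}) > max_names_per_ip:
            continue  # crowded IP, weak pivot
        hits = {r.rrname for r in on_ip
                if r.rrname != seed and windows_overlap(seed_rec, r)}
        if hits:
            result.setdefault(seed_rec.rdata, set()).update(hits)
    return {ip: sorted(names) for ip, names in result.items()}


if __name__ == "__main__":
    for ip, names in pivot_from_domain(RECORDS, "bad-login-page.com").items():
        print(ip, "->", ", ".join(names))
```

Note that `unrelated.example` shared the IP but not the time window, so it is not returned; lowering `max_names_per_ip` to 4 drops the crowded 203.0.113.50 pivot entirely.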
Passive DNS data is logged by **monitoring DNS traffic at the recursive resolver or network level** and storing the answers returned from DNS lookups. Instead of focusing on a single user's activity, it aggregates and anonymizes responses from many sources to build a **historical map** of domain-to-IP relationships.

Because it's **passive**, this method doesn't actively query domains itself (which might tip off attackers or return current but not historical data). Instead, it quietly collects what's already flowing through the internet's DNS system.

Real-world example: Services like **Farsight DNSDB**, **PassiveTotal**, and **RiskIQ** operate large passive DNS networks and make the data available for security teams to investigate threats.

Further reading:

* Passive DNS Explainer – Farsight Security: [https://www.farsightsecurity.com/solutions/dnsdb/](https://www.farsightsecurity.com/solutions/dnsdb/)
* Practical Use Cases – RiskIQ: [https://www.riskiq.com/what-is-passive-dns/](https://www.riskiq.com/what-is-passive-dns/)
* Original Concept by Florian Weimer (2005): [https://www.first.org/resources/papers/conf2005/first05-weimer.pdf](https://www.first.org/resources/papers/conf2005/first05-weimer.pdf)
* MITRE ATT&CK – DNS for Command and Control: [https://attack.mitre.org/techniques/T1071/004/](https://attack.mitre.org/techniques/T1071/004/)