Passive DNS, short for “passive Domain Name System,” is a way for DNS servers to archive domain name-to-IP address resolutions as a security measure. In the process, all of the IP addresses that a domain name resolved to at some point are stored in a passive DNS server. So, if you want to retrieve IP addresses connected to a malicious domain, you can do so.

Think of it as a database where all of a person’s contact details throughout time are recorded. You can thus track where that individual lived if, say, you need to interrogate potential witnesses if he or she has been charged with committing a crime.

Other interesting terms…

Read More about “Passive DNS

It will be much easier for threat actors to commit a crime and then disappear without passive DNS. Why? Because you will have no record of their past activities. You can’t track their so-called “digital footprints,” which give you an idea about all the past nefarious activities they may have been involved with. If you’re trying to prove they’re repeat offenders, therefore, it may not be possible.

Where Do You Get Passive DNS Data?

All DNS servers keep records of queries made to them. Each time you type a domain name into your browser and your computer takes you to the website you wish to access, the domain name-to-IP address translation that DNS servers do gets recorded in a passive DNS database.

For you, that speeds up the process of revisiting that site. For security analysts and researchers, that provides a way to track the history of a domain name that they’re investigating.

Who Can Benefit from Passive DNS Data?

At least four types of professionals can use passive DNS data. We described how in greater detail below.

Penetration Testers

Penetration testers can search for all DNS records related to a client’s domain they’re investigating. Those records can tell them what kind of systems use that domain, allowing them to identify what testing tools to use.

They can also check if the domain’s past and current IP resolutions have vulnerabilities that threat actors can exploit.

Brand Protection Agents

Brand protection specialists can search for all domain names that contain their company name or any of their trademarks and then determine which of the domain names and their corresponding IP addresses are malicious.

They can also check if malicious domains resolve to their shared IP addresses.

Security Professionals

Security professionals include security teams and law enforcement agents. For example, they can use passive DNS data to identify other domains connected to a threat given a malicious domain or an IP address indicator of compromise (IoC).

They can, for instance, find out that the malicious IP address 207[.]148[.]248[.]143 is connected to the domain billingnow[.]com. So, if any of their fellow employees access the domain name, chances are their computers will get infected by a fake antivirus.

Passive DNS data can also let them discover threat actor infrastructures, uncovering all domains and IP addresses in their arsenals that are currently not tagged “malicious” because they have yet to be activated. As a prevention measure, they can block access going to and coming from these suspicious properties (because they share an IP host with a malicious domain, for instance) even before they can cause damage.

Finally, they can use the data to identify all of their company’s web properties and scrutinize their records for signs of tampering. Threat actors may have compromised an insufficiently secured domain name, for instance, by redirecting it to a malicious IP address through DNS hijacking.

How Can You Obtain Passive DNS Data?

One way to get passive DNS data is to use a passive DNS database, which keeps all domain name-to-IP address resolutions over time on record. You can obtain information in three ways so long as you have an account with the provider.

You can download a copy of the entire passive DNS database. Or you can enter an IP address as a search term into a passive DNS web service such as this:

obtaining passive DNS data

Or you can query the IP address on an application programming interface (API) to get results like this:

passive DNS lookup

As you now know, passive DNS data is beneficial for people whose job is to ensure that their company stays protected from digital threats.