© 2026 DFIR Lab. All rights reserved.


Passive DNS

A historical record of DNS resolutions collected by network sensors, allowing analysts to query past domain-to-IP mappings without making active queries.

Definition

Passive DNS (pDNS) is a database of historical DNS resolution data collected by sensors placed at resolvers, ISPs, or security infrastructure. Unlike active DNS queries — which return only the current state of a record — passive DNS captures a timestamped history of what IP addresses a domain resolved to (and vice versa) over time, without querying the domain directly.

Why It Matters

Attackers frequently rotate infrastructure: a malicious domain may resolve to a different IP by the time an analyst investigates. Passive DNS preserves the history of these resolutions, enabling analysts to identify shared infrastructure across campaigns, pivot from a known malicious domain to other domains hosted on the same IP, and reconstruct attacker infrastructure even after it has changed. It is a core technique in threat hunting, malware analysis, and incident response.

How It Works

Sensors at recursive resolvers log every DNS query-response pair they observe, stripping identifying information and recording the domain, resolved IP, record type, TTL, and timestamp. These records are aggregated into searchable databases. Analysts query pDNS databases by domain (to see historical IPs) or by IP (to see what domains have resolved to that address), pivoting across the dataset to map attacker infrastructure. Commercial providers such as SecurityTrails, Farsight DNSDB, and RiskIQ are primary sources.
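The query-by-domain, query-by-IP and pivot workflow described above, as an added illustration that is not code from this wiki or from any pDNS provider. It builds a small in-memory index over a constructed sensor log (documentation IP ranges and `.test` domains; `Observation`, `PassiveDNS` and the sample records are all assumptions for the example), aggregating repeated sightings into first-seen/last-seen windows the way a pDNS database does.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:          # one sensor record, client-identifying data already stripped
    rrname: str             # queried domain
    rrtype: str             # record type, e.g. "A"
    rdata: str              # resolved value (an IP for A records)
    ttl: int
    ts: int                 # sensor timestamp, unix seconds

SENSOR_LOG = [  # constructed sample sensor log (documentation IPs, .test domains)
    Observation("update.example-bad.test", "A", "203.0.113.10", 300, 1700000000),
    Observation("update.example-bad.test", "A", "203.0.113.10", 300, 1700003600),
    Observation("cdn.example-bad.test", "A", "203.0.113.10", 300, 1700007200),
    Observation("update.example-bad.test", "A", "198.51.100.7", 60, 1700010800),  # rotated
    Observation("login.example-other.test", "A", "198.51.100.7", 60, 1700014400),
]

class PassiveDNS:
    def __init__(self, observations):
        self.records = {}                 # (rrname, rrtype, rdata) -> first/last seen
        self.by_name = defaultdict(set)   # domain -> record keys
        self.by_rdata = defaultdict(set)  # IP -> record keys
        for o in observations:
            key = (o.rrname, o.rrtype, o.rdata)
            agg = self.records.setdefault(key, {"first_seen": o.ts, "last_seen": o.ts})
            agg["first_seen"] = min(agg["first_seen"], o.ts)
            agg["last_seen"] = max(agg["last_seen"], o.ts)
            self.by_name[o.rrname].add(key)
            self.by_rdata[o.rdata].add(key)

    def lookup_domain(self, name):
        """Query by domain: (rdata, first_seen, last_seen) tuples, oldest first."""
        rows = [(k[2], self.records[k]["first_seen"], self.records[k]["last_seen"])
                for k in self.by_name[name]]
        return sorted(rows, key=lambda r: r[1])

    def lookup_ip(self, ip):
        """Query by IP: every domain the sensors saw resolving to it."""
        return sorted({k[0] for k in self.by_rdata[ip]})

    def pivot(self, seed, max_hops=2):
        """Domain -> IPs -> domains, breadth-first, to map shared infrastructure."""
        found, frontier = {seed}, {seed}
        for _ in range(max_hops):
            ips = {k[2] for d in frontier for k in self.by_name[d]}
            frontier = {d for ip in ips for d in self.lookup_ip(ip)} - found
            found |= frontier
        return sorted(found)
```

Pivoting from `cdn.example-bad.test` reaches `update.example-bad.test` through the shared `203.0.113.10` and, on the second hop, `login.example-other.test` through the rotated `198.51.100.7`, which is exactly the kind of link an analyst would then verify rather than treat as proof of attribution.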

DFIR Platform

Exposure Scanner

The DFIR Lab Exposure Scanner uses passive DNS data from providers including SecurityTrails to retrieve historical domain resolution records for monitored assets. This allows the scanner to surface previously active subdomains and infrastructure that may still present exploitable exposure even when they no longer appear in active DNS.

Related Concepts

DNS Security, Attack Surface Management, Indicators of Compromise
