Passive DNS

Spamhaus Passive DNS

Passive DNS is a technique where inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis. After being processed, individual DNS records are stored in a database where they can be indexed and queried.

Spamhaus operates its own passive DNS sensor network, collecting this anonymized DNS query data from many thousands of recursive DNS servers around the world. As a result Spamhaus Technology is able to create passive DNS datasets, consisting out of domains, that are or have been directly associated with cybercrime.

We give security analysts a tool to connect the dots and uncover more malicious activity on their network faster and more accurately.

Passive DNS historical databases can be used to answer questions that are difficult or impossible to answer with other security tools including:

  • Where did this domain name point to in the past?
  • What domain names are hosted by a given nameserver?
  • What domain names point into a given IP network?
  • What subdomains exist below a certain domain name?

Passive DNS – Tool to Find the Badness

Help connect the dots between threat intel and network telemetry

As crime has moved online, cybercriminals have come to rely on DNS to build their malicious infrastructure. Domain names, IP addresses, name servers and other DNS assets repeatedly used – and reused – to commit crime.

By uncovering relationships among DNS assets (i.e. are the cybercriminals using the same IP address for different campaigns), investigators can gain new intelligence about the type of crime, the scope and breadth of the campaign, and even attribution.

Passive DNS Dataset Deployment Options:

  • Web portal - designed for information security professionals and cyber incident response teams who want to conduct digital forensics as well as security researchers who want to investigate what kind of activity is associated with particular IP ranges or analyze the relationships between DNS queries and responses.
  • API – for security vendors who would want to offer it as a service and integrate the raw datasets with their own software and security platforms.
  • On the wire – for security researchers and law enforcement agencies who need to continuously observe live recursive DNS traffic to help in the identification of new malicious domains, emerging threats and cybercriminal trends.

Benefits of Passive DNS Service:

  • Studying passive DNS data allows Spamhaus researchers to track and link domain names to particular name servers and IP networks. They can also identify where domain names used to point to and which subdomains exist below a certain domain name.
  • By exposing the links between name servers and domains, Passive DNS helps to identify new malicious domains as soon as they go live.
  • Spamhaus Passive DNS datafeed can be used as a real-time threat intelligence tool: helping to proactively protect users’ devices from connecting to malicious domains.
  • Connecting threat intelligence with telemetry to support detection and response: creates the context required to do proper investigations across data sources.


Ways to use Passive DNS:

Security Professional

Security Professionals can use Passive DNS to investigate domains or IP addresses that have raised suspicion, and find out if it is a single malicious IP or a complex multi-layered operation they are dealing with.

DNS: Malware Researcher

Passive DNS can ease the burden on Malware Researchers by reducing the need for complex reverse engineering when dealing with malware.

Penetration Tester

Passive DNS has the potential to assist various IT security roles, including Penetration Testers. Take a look at the highlights below to get a clear understanding of how Passive DNS can provide you with deeper insights into the security of the networks you are evaluating.

Brand Protection Specialist

Passive DNS adds value to multiple roles, including Brand Protection Specialists. You can utilise Passive DNS to highlight shadow domains, or typo squatting and identify who is masquerading as your company, brand or trademark and potentially hurting your customers and damaging your brand. Examples: Phishing domain -> easily find NS, related records, sites, etc
Brand Protection -> Search ‘Gucci’ - see all

Incident Response:

Unlock the power of DNS intelligence to accelerate incident research and post-breach analysis.

How To Use Passive DNS

Fuzzy Search

How to investigate host names associated with a Name Server or IP address

Security researchers uncover a world of badness

Using forward and reverse searches to uncover a bad IP