Simply put, passive DNS is a system of record that stores DNS resolution data for a given location, record and time period. To best understand passive DNS, one must first understand how DNS works and the value it brings to Internet users. A good way to think about DNS is to look at the contacts application on your mobile phone. Rather than remember your friends cell phone number, you can simply assign it to a contact name and use that to place any calls. DNS works like a contact application for the Internet. Instead of having to remember IP addresses for all the websites you wish to access, DNS makes them available using domain names which are arguably easier to remember and less likely to change.
As an example, lets take passivetotal.org. At the time of writing this page, if we query passivetotal.org, we will be returned back the IP address of 22.214.171.124. In DNS, this is known as an "A" record and is one of many different record types including, but not limited to AAAA (IPv6), MX (mail), NS (nameserver), and TXT (text). Each record type is used for a different purpose and in theory, could be stored within a passive DNS database.
In order to collect this DNS information, a sensor is typically installed on the local network and setup to recieve DNS requests as they happen. It's worth noting that the sensor will only record DNS traffic that occurs on the local network, and not for the entire Internet. However, programs like RiskIQ's DNSIQ™ allow organizations to install a sensor on their network that reports back to RiskIQ and in exchange, the organization gains access to all the passive DNS traffic inside the central repository.
So why do we need a database of this data? Doesn't DNS keep track of changes? Yes and no. DNS records can and will change often, but there's no centralized historical repository. In fact, once a change has been made to a DNS record, it will propograte across the Internet and the previous record will be gone forever. Imagine you get a breach notification for your network. Listed in the notifcation is a domain name and time period. The first logical question may be to ask what IP address that domain was pointing to at the time of the breach and if any other domains were pointing there too. Without a historical repository, how would you answer that question? Answer, you couldn't.
Keeping this data inside of a database gives analysts insight as to how a particular domain names changes over time and provides a way to identify other related domains/IP addresses. Going back to the breach notification example, an analyst could take the domain, search for it within passive DNS and identify the history of IP addresses it resolved to over time. Those IP addresses could then be queried as well to find more domains that may be related to the larger attack.
PDNS Data Sources
PassiveTotal has partnered with multiple organizations to bring our user base the most comprehensive access to historical resolution information. The API Associations allow our users to pull in additional pDNS sources and provide for a globally diverse set of data and flexibility. Some of our sources are available to all users, while other require credentials. The below list provides detailed information about each of our sources:
DNSIQ™ - RiskIQ's DNSIQ™ services provide access to a pDNS repository which takes in 400 million unique records per day. To provide DNSIQ™, RiskIQ ingests records from a geographically dispersed sensor and partner network, providing our community and customers with one of the most comprehensive passive DNS data sources.
DNSRes - PassiveTotal's DNS Collection source.
Pingly - PassiveTotal's active resolver (Can be turned off)
Partner Data Sources
Kaspersky - pDNS data from their malware environment and active collection operations.
Mnemonic - Managed Security Service from Norway that provides an open source pDNS repository for the analyst community.
AlienVault - Passive DNS data partner. PT community users can activate this source to receive access to their pDNS data.
VirusTotal - Passive DNS provider based on malware execution and individuals searches in their UI.
360CN - Chinese AV company Qihoo 360. Requires user id and password from Qihoo to use this source.
Circl.lu - Computer Incident Response Center Luxembourg is a government driven incident response center which offers a passive DNS repository to the analysts community. Credentials are required to access this data set and can be requested via email at email@example.com
These providers offer paid access to Passive DNS and WHOIS information based on query volume. These services require credentials and a contract with the respective service provider
Farsight Security - Passive DNS provider
OpenDNS - Passive DNS Provider which allows customers to access their pDNS information alongside our additional data sources.