Passive DNS: The Underrated Investigative Tool

By Jesse William McGraw, April 26, 2026
[Figure: horizontal timeline of DNS query records representing passive DNS history]

Passive DNS is one of those data sources that operates quietly behind several major branches of cybersecurity research and threat intelligence. It is also one of the most consistently undervalued tools in the OSINT and investigative toolbox. Where current DNS resolution tells you what a domain points to right now, passive DNS tells you everything that domain has ever pointed to in the recorded past, who else points to that IP, and the full historical graph of related infrastructure.

For tracking threat actors, mapping criminal infrastructure, attributing attacks, and reconstructing operational history, no other data source is quite as productive.

What passive DNS actually is

A passive DNS provider operates sensors that observe DNS query and response traffic on a substantial portion of the internet’s recursive resolvers. Each observation, "at this time, this resolver saw a query for example.com resolve to 1.2.3.4", is added to a database. Over time, the database accumulates billions of records describing the historical behaviour of the global DNS.

Sources of passive DNS data:

ISP recursive resolvers. Some ISPs anonymise and contribute their resolver logs.

Public resolvers. Cloudflare, Google, Quad9, and OpenDNS (in some configurations) have visibility into a large share of global DNS queries.

Security vendors. Many EDR, antivirus, and DNS-security products record observed DNS activity from their telemetry footprint.

Honeypots and honeyclients. Sensor networks that probe domains and record observations.

Academic and research collections. Sustained collection efforts by researchers, often shared into the broader ecosystem.

The aggregate result: a record of the historical DNS behaviour of large portions of the internet’s domain space. The granularity varies: some providers record first-seen / last-seen timestamps and per-resolver counts, while others have only aggregate observations. The basic data, however, is consistent across providers.

What passive DNS lets you do

Several investigative use cases:

Reconstruct an attack timeline. A piece of malware uses a hardcoded domain. Passive DNS shows when that domain was first observed resolving, what IPs it has resolved to over time, and when it stopped. This reconstructs the attacker’s infrastructure timeline.

Pivot from indicator to broader campaign. Given a single malicious IP, passive DNS shows every domain that has ever resolved to it. Many of those domains are likely also malicious; you have just expanded your indicator list from one to dozens.

Find typo-squat and lookalike domains. The threat actor’s pattern of registering similar-looking domains around the same time, with similar hosting patterns, is visible in historical data.

Attribute infrastructure across time. Operators often reuse hosting infrastructure across campaigns; passive DNS reveals the connections.

Track infrastructure churn. As operators rotate hosting providers, change domains, or migrate to new platforms, passive DNS captures the trail.

Verify takedowns. After law enforcement seizes infrastructure, passive DNS shows when the domains stopped resolving and where they pointed in their final hours.

The major providers

Several services aggregate passive DNS at scale:

Farsight DNSDB (now part of DomainTools). Long-running, comprehensive. The most-cited reference in academic threat-intel literature. Available at domaintools.com/products/farsight-dnsdb. Commercial; substantial cost.

SecurityTrails (securitytrails.com). Commercial; comprehensive coverage; strong web interface.

Mnemonic Passive DNS (passivedns.mnemonic.no). Norwegian threat-intel firm; strong European coverage.

CIRCL Passive DNS (circl.lu/services/passive-dns/). Free passive DNS from Luxembourg’s Computer Incident Response Centre. Smaller dataset but accessible without commercial subscription.

VirusTotal’s passive DNS data. Available through their API; useful for correlating malware indicators with DNS history.

Microsoft Defender Threat Intelligence (formerly RiskIQ PassiveTotal). Commercial; integrates passive DNS with broader threat-intelligence telemetry.

Spamhaus Passive DNS. Specialised in spam and abuse-related infrastructure.

OpenINTEL. Academic project; daily snapshots of large parts of the global DNS, available for research use.

Each has different coverage, different data quality, and different access models. Serious investigative work usually queries multiple sources because no single provider has complete visibility.

A worked example

A typical investigation: a security analyst identifies a piece of malware that beacons to c2-update[.]example-host[.]top. The investigator wants to expand from this single indicator to broader campaign infrastructure.

Step 1: Query passive DNS for c2-update[.]example-host[.]top. The result shows the domain has resolved to three IP addresses over the past four months: 198.51.100.42, 198.51.100.97, and 203.0.113.155. Each appears for roughly six weeks before changing.

Step 2: Query passive DNS for each of those IPs. The first IP shows about two dozen domains that resolved to it during the same period. Some of them are unrelated (shared hosting); about a dozen follow the naming pattern of the original (variations of update, c2, panel, admin combined with similar-looking second-level domains).

Step 3: Query passive DNS for those dozen domains. Each yields additional IPs, which yield additional domains. The graph of connected infrastructure expands.

Step 4: Filter the graph for high-confidence relationships. Domains that share infrastructure within a single week, share naming patterns, share TLS certificate properties (cross-checked against Certificate Transparency), or share a registrar or hosting pattern are likely campaign-related. Other domains on the same shared hosting are likely unrelated.

Step 5: The expanded list of indicators feeds back into other detection systems and intelligence reporting.

The investigation that started with one domain ends with a campaign-wide infrastructure map. Passive DNS is the central enabler.
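The pivot described in steps 1 to 4, as an added example that is not part of the original article: a small Python script that parses constructed passive DNS records in the Common Output Format (the newline-delimited JSON shape providers such as CIRCL return), expands domain to IPs to domains for a bounded number of hops, and at each hop keeps only candidates that share the operator's naming pattern or first appeared on the shared IP within a week of the seed, so long-lived shared-hosting tenants drop out. All domain names, addresses and timestamps are made up for the example.

```python
import json
import re
from collections import defaultdict

# Constructed passive DNS records in the Common Output Format
# (rrname, rrtype, rdata, time_first, time_last, count). Every value is
# made up; the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_COF = """
{"rrname": "c2-update.example-host.top", "rrtype": "A", "rdata": "198.51.100.42", "time_first": 1735689600, "time_last": 1739318400, "count": 120}
{"rrname": "c2-update.example-host.top", "rrtype": "A", "rdata": "198.51.100.97", "time_first": 1739318400, "time_last": 1742947200, "count": 98}
{"rrname": "c2-update.example-host.top", "rrtype": "A", "rdata": "203.0.113.155", "time_first": 1742947200, "time_last": 1746576000, "count": 77}
{"rrname": "panel-admin.example-host.top", "rrtype": "A", "rdata": "198.51.100.42", "time_first": 1736294400, "time_last": 1739318400, "count": 40}
{"rrname": "update-c2.examp1e-host.top", "rrtype": "A", "rdata": "198.51.100.97", "time_first": 1739404800, "time_last": 1742947200, "count": 55}
{"rrname": "update-c2.examp1e-host.top", "rrtype": "A", "rdata": "192.0.2.10", "time_first": 1742947200, "time_last": 1746576000, "count": 31}
{"rrname": "login.examp1e-host.top", "rrtype": "A", "rdata": "192.0.2.10", "time_first": 1743033600, "time_last": 1746576000, "count": 14}
{"rrname": "bakery-blog.example", "rrtype": "A", "rdata": "198.51.100.42", "time_first": 1600000000, "time_last": 1746576000, "count": 9000}
"""

NAME_PATTERN = re.compile(r"(update|c2|panel|admin)", re.IGNORECASE)
ONE_WEEK = 7 * 24 * 3600  # seconds

def parse_cof(text):
    """Parse newline-delimited COF JSON, keeping only A/AAAA records."""
    records = [json.loads(line) for line in text.strip().splitlines()]
    return [r for r in records if r["rrtype"] in ("A", "AAAA")]

def related(seed_rec, cand_rec):
    """Step 4 filter: naming pattern, or first seen on the shared IP within
    a week of the seed. A years-old shared-hosting tenant fails both."""
    same_week = abs(cand_rec["time_first"] - seed_rec["time_first"]) <= ONE_WEEK
    return bool(NAME_PATTERN.search(cand_rec["rrname"])) or same_week

def pivot(seed, records, max_depth=3):
    """Domain -> IPs -> domains expansion (steps 1-3), filtered at each hop."""
    by_name, by_ip = defaultdict(list), defaultdict(list)
    for r in records:
        by_name[r["rrname"]].append(r)
        by_ip[r["rdata"]].append(r)
    found, frontier = {seed}, {seed}
    for _ in range(max_depth):
        next_frontier = set()
        for domain in frontier:
            for seed_rec in by_name[domain]:  # each IP this domain resolved to
                for cand in by_ip[seed_rec["rdata"]]:  # co-resident domains
                    name = cand["rrname"]
                    if name not in found and related(seed_rec, cand):
                        found.add(name)
                        next_frontier.add(name)
        frontier = next_frontier
    return found
```

Calling `pivot("c2-update.example-host.top", parse_cof(SAMPLE_COF))` returns the seed plus three related domains, with `login.examp1e-host.top` reached only at the second hop through the shared `192.0.2.10` window and `bakery-blog.example` excluded as an unrelated tenant.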

Operational considerations

Several things to know:

Passive DNS coverage is partial. Not every DNS query is observed; not every observation makes it into the major providers’ datasets. Absence of data is not absence of activity.

Latency matters. Some passive DNS providers update in near-real-time; others have lag of days. For active investigations, real-time providers are preferred.

Selection bias. Passive DNS providers’ coverage is biased toward the resolvers and sensors they have access to. Coverage of certain regions, certain ISP populations, or certain types of traffic may be weaker.

False signals from shared hosting. Many domains share IPs because of shared hosting providers, CDN behaviour, or cloud platforms. Co-residence on an IP does not always mean operational relationship.

Privacy considerations. Passive DNS data is aggregated and largely anonymised, but it nonetheless reflects user behaviour. The major providers operate under privacy frameworks; researchers using the data should respect the underlying privacy considerations.

Legal context. Some passive DNS providers’ data is licensed for specific use cases. Commercial use of academic datasets, redistribution of commercial datasets, or scraping passive DNS data outside the provider’s terms can be problematic.

Combining with other techniques

Passive DNS is most powerful in combination with other recon data:

Certificate Transparency. CT logs show when TLS certificates were issued for a domain; passive DNS shows when the domain resolved. Combining gives a fuller infrastructure timeline.

WHOIS history. For domains where historical WHOIS is available, registration patterns combined with DNS resolution patterns produce strong attribution signals.

Network scanning data. Censys and Shodan capture what services were running on a host at scan time; passive DNS shows what domain names pointed there.

Threat intelligence feeds. When a passive DNS query reveals a previously unknown IP, a threat-intelligence cross-reference identifies whether the IP has appeared in other malicious contexts.

Malware analysis. Indicators extracted from malware samples become passive DNS queries. The expansion of indicators from a single sample to a campaign infrastructure typically goes through passive DNS as the connective tissue.

The 2026 state

Passive DNS as a discipline is mature. The major commercial providers have years of data, well-documented APIs, and integration with most threat-intel platforms. The open and academic offerings are growing.

The threat side has adapted. Some operators rotate domains aggressively, use single-use infrastructure, or use techniques designed to minimise passive DNS visibility (DNS-over-HTTPS to specific resolvers that do not contribute to passive DNS, for instance). The arms race continues but the value of passive DNS for the median investigation remains very high.

A useful framing: passive DNS is an observability tool for the internet’s address book. Most of what threat actors do leaves traces in the DNS. Most defensive organisations would benefit from being able to see those traces. Passive DNS makes that possible.

For OSINT practitioners, threat intelligence analysts, and incident responders, this is one of the highest-leverage data sources available. Knowing how to use it well is a multiplier for almost every other investigative skill.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
