Security Intelligence Services

Passive DNS

Enhance your understanding of an attack with historical resolution data


What is the Passive DNS data set?

DNS works like a contact list for the Internet. Instead of having to remember the IP address of every site you want to reach, you use a domain name, which is easier to remember and changes less often than the address behind it.

Passive DNS (PDNS) is a historical record of DNS resolutions, built by passively observing DNS responses rather than by querying the authoritative servers directly. Each record ties a name to the answer it returned (an IP address, or another name for CNAME records) together with the first and last time that pairing was seen. This lets analysts look up which domains have resolved to a given IP address, which IP addresses a given domain has resolved to, and when.

How Can it Help?

Passive DNS data shows analysts how the resolution of a domain name or IP address has changed over time and lets them pivot to related infrastructure: other domains that shared an IP address, or other addresses a domain has pointed at. When investigating a suspicious or malicious event, PDNS data adds context to the attack and surfaces additional malicious domains or IP addresses. One caveat: an IP address that hosts many unrelated domains (shared hosting, a CDN) is a weak pivot, so check how many names an address carries before treating its neighbors as related.

How to Use It:

  • Indicator of Compromise correlation
  • Historical resolution lookups
  • Time-based analysis
  • Fully qualified domain name lookups
  • SIEM event enrichment
  • Domain or IP enrichment to proactively hunt for threats
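The following is an added, self-contained example of the lookups listed above (reverse and forward resolution, time-based analysis, IoC pivoting and SIEM event enrichment) run over a small in-memory passive DNS dataset. It is not RiskIQ code and does not use the PassiveTotal API; the records, names (reserved `.example` TLD) and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PdnsRecord:
    """One observed resolution, shaped like a passive DNS sensor record."""
    rrname: str          # queried name
    rrtype: str          # record type: A, AAAA, CNAME, ...
    rdata: str           # answer: an IP address, or a target name for CNAME
    first_seen: datetime
    last_seen: datetime


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample dataset (hypothetical): not real observations.
RECORDS: List[PdnsRecord] = [
    PdnsRecord("cdn-update.example", "A", "192.0.2.10", ts("2023-01-05T00:00:00"), ts("2023-03-01T00:00:00")),
    PdnsRecord("cdn-update.example", "A", "198.51.100.7", ts("2023-03-02T00:00:00"), ts("2023-06-30T00:00:00")),
    PdnsRecord("login-portal.example", "A", "192.0.2.10", ts("2023-02-10T00:00:00"), ts("2023-02-28T00:00:00")),
    PdnsRecord("www.shared-host.example", "A", "192.0.2.10", ts("2022-01-01T00:00:00"), ts("2023-12-31T00:00:00")),
    PdnsRecord("mail.login-portal.example", "CNAME", "login-portal.example", ts("2023-02-10T00:00:00"), ts("2023-02-28T00:00:00")),
    PdnsRecord("payload.example", "A", "198.51.100.7", ts("2023-04-01T00:00:00"), ts("2023-04-15T00:00:00")),
]


def active_at(rec: PdnsRecord, when: Optional[datetime]) -> bool:
    """True if the record was observed at `when` (or always, if `when` is None)."""
    return when is None or rec.first_seen <= when <= rec.last_seen


def domains_for_ip(ip: str, records: List[PdnsRecord] = RECORDS,
                   when: Optional[datetime] = None) -> List[str]:
    """Reverse lookup: names that resolved to `ip`, optionally only those active at `when`."""
    return sorted({r.rrname for r in records
                   if r.rrtype in ("A", "AAAA") and r.rdata == ip and active_at(r, when)})


def ips_for_domain(name: str, records: List[PdnsRecord] = RECORDS,
                   when: Optional[datetime] = None, _seen: Optional[Set[str]] = None) -> Set[str]:
    """Forward lookup, following CNAME chains so an alias yields its target's addresses."""
    seen = _seen if _seen is not None else set()
    if name in seen:          # guard against CNAME loops in the data
        return set()
    seen.add(name)
    out: Set[str] = set()
    for r in records:
        if r.rrname != name or not active_at(r, when):
            continue
        if r.rrtype in ("A", "AAAA"):
            out.add(r.rdata)
        elif r.rrtype == "CNAME":
            out |= ips_for_domain(r.rdata, records, when, seen)
    return out


def hosting_density(ip: str, records: List[PdnsRecord] = RECORDS) -> int:
    """How many distinct names an address has carried; a large value means a weak pivot."""
    return len(domains_for_ip(ip, records))


def pivot_from_ip(ip: str, records: List[PdnsRecord] = RECORDS,
                  when: Optional[datetime] = None) -> Tuple[List[str], List[str]]:
    """IoC correlation: co-hosted names at `when`, then every other IP those names ever used."""
    related_domains = domains_for_ip(ip, records, when)
    related_ips: Set[str] = set()
    for d in related_domains:
        related_ips |= ips_for_domain(d, records)   # full history, not just `when`
    related_ips.discard(ip)
    return related_domains, sorted(related_ips)


def enrich_event(event: Dict[str, str], records: List[PdnsRecord] = RECORDS) -> Dict[str, object]:
    """SIEM enrichment: attach the names a destination IP resolved to at event time and ever."""
    when = ts(event["timestamp"])
    return {**event,
            "pdns_names_at_event": domains_for_ip(event["dst_ip"], records, when),
            "pdns_names_ever": domains_for_ip(event["dst_ip"], records)}


if __name__ == "__main__":
    # Constructed firewall event (hypothetical) to enrich.
    print(enrich_event({"timestamp": "2023-05-01T09:30:00", "dst_ip": "198.51.100.7"}))
    print(pivot_from_ip("192.0.2.10"))
```

Starting from the seed address 192.0.2.10, the pivot returns the co-hosted names and the single other address they have used, 198.51.100.7; a second reverse lookup on that address then surfaces `payload.example`, which never shared infrastructure with the seed directly. The `when` parameter is what makes the time-based analysis meaningful: an enrichment of a May 2023 event reports only the name active at that time, while the full history still lists the short-lived one.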

Additional Resources

Interested in enhancing and enriching your organization’s security operations and incident response activity even further? Then check out:

RiskIQ’s PassiveTotal API