What is Passive DNS?

The need for web security has always been there, but in the last couple of years, this need has been reinforced thanks to increasingly targeted attacks against Domain Name Systems (DNS) infrastructure.

Reports of malware infiltrating name servers, caches being poisoned, authoritative name servers having to ward off DDoS attacks, and the modification of delegation details through compromised registrar accounts have all resulted in the development of new, advanced mechanisms capable of nipping these threats in the bud.

Some of these, like response policy zones, response rate limiting, and DNS security extensions have become an integral part of the web security measures of organizations. However, the one that holds most promise is passive DNS, which not only takes DNS security to the next level, but upholds Internet security in its entirety.

Domain name resolution through a DNS server
Source: Wikimedia

What is passive DNS?

The brainchild of Florian Weimer, Passive DNS came into existence in 2004. Its purpose was simple – deter malware attacks. Passive DNS used recursive name servers to log responses received from different name servers; this logged data was then copied to a central database.

The near-instantaneous capture of the majority of Passive DNS data “above” the recursive name server means that Passive DNS is comprised mainly of answers and referrals from online authoritative name servers. This kind of logged data is deduped, compressed, time-stamped, and then copied onto a central database where it is analyzed and archived.

However, you need to understand that the captured data is nothing more than cross-server communication; there are no queries between stub resolvers and recursive name servers.

This is noteworthy because of two major reasons. For starters, the amount of server-to-server talk here is significantly less than what goes on between recursive name server and stub resolvers. All you need to watch out for in this case is cache misses. Moreover, the server-to-server communication that takes place cannot just be connected to a specific stub resolver; thus, it does not pose much of an issue for privacy.

However, the method used for collecting Passive DNS data varies considerably. There are some admins who are in the habit of using external programs for reading passive DNS data from the name server, while other recursive name servers include software hooks that simplify the process of capturing passive DNS data.

People with other name servers are free to use a variety of tools on the host running recursive name server for monitoring traffic to the name server. Sometimes, they even mirror the port of the name server to a different host that records this data.

Why is passive DNS important?

There are a number of organizations running the databases to which the sensors of passive DNS upload this data. If someone queries passive DNS databases, they might stumble upon a hoard of valuable information.

For instance, passive DNS databases can be focused on to find out the zones that use similar sets of name servers or determine what information a particular DNS query returned. More importantly, you could take a supposedly malicious IP address and check out all the various domain names that the sensors of passive DNS mapped to that particular IP address lately.

Using passive DNS to your advantage


Detect compromises

You can use passive DNS databases for almost real-time detection of fraudulent delegation changes and cache poisoning. It is possible for a company to query the passive DNS database frequently. This will enable them to know more about the addresses being mapped by the major domain names at the time. All the information will come directly from the passive Data sensors. If they find any deviation from the regular mappings of data gathered from an authoritative source, it could indicate a breach of web security.

Helps administrators block the resolution of suspicious new domain names

The company can regularly gather the latest domain names to find out which ones were detected by sensors within the past hour or minutes. This is vital because brand-new domain names are often associated with malicious activity. It is not uncommon for new domains to be used for phishing campaigns briefly before being discarded. So, you cannot be too careful. Plus, if you happen to block a legitimate domain name in the process, the cost associated with it is small because they have appeared very recently.

Identification of potential infringement

When paired with fuzzy or Soundex matching, passive DNS databases can help organizations investigate databases occasionally for domain names that resemble or use their trade names without any authorization.

Prevent malicious activity

When an IP name server or address has already been marked as malicious, passive DNS can easily be used for identifying which zones are hosted by that name server, or which domain names map to that IP address.

Identify domain names

Passive DNS can effectively be used to identify domain names using techniques like fast flux to help malware and phishing websites avoid detection. It is not expected that legitimate domain names would change their addresses often, while the majority of legitimate zones rarely change name servers.

Threat intelligence

DNS log evidence supports findings incorporating threat intelligence. Maintaining these logs for a long period can help investigators locate initial evidence of compromise after a domain-generation algorithm or domain is labeled as suspicious or malicious.

Due to DNS activity being present in almost all communication, irrespective of the eventual protocol, the baselines that are established through DNS observations can prove universally helpful.

Final thoughts

Passive DNS data can turn the tide against the growing onslaught of web security. If your company still has not begun to collect passive DNS log evidence from the environment, you should start at once.

You will find plenty of options available at differing price points as well as deployment scales. However, if you have begun to collect DNS responses and queries, then it’s better to keep at it. Plus, you can share the information you uncover with other organizations that analyze passive DNS data for identifying any malicious domain names. After all, this is a fight of good versus evil.

Photo credit: Shutterstock

2 thoughts on “What is Passive DNS?”

  1. Hello Benjamin,

    Would you please suggest where in the network we place passive DNS? I mean would it be in the forwarding list of our internal DNS? Or It would placed between the core switch and Proxy/Firewall?

    Or would it be simply another additional DNS server to be pushed using DHCP to our clients? If this is the case then again we run into a situation where if someone mange to avoid our corporate/internal DNS then Passive DNS won’t be seeing this traffic right?

    Your feedback would be highly appreciated.


Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top