Definition
Passive DNS (PDNS) is a database of historical DNS resolution data. While standard DNS tells you "Where does this domain point now?", Passive DNS tells you "Where did this domain point last month, last year, or 5 years ago?"
Purpose and Core Idea
Attackers frequently change the IP addresses of their C2 servers (Fast Flux). PDNS allows analysts to "go back in time" to see these changes. It is constructed by sensors placed at the ISP level that passively record DNS responses (A records, CNAMEs, NS records) as they pass by, without ever querying the attacker's infrastructure directly.
The Pivot Workflow
- Forward Pivot: You have a malicious domain (`evil.com`). PDNS shows it resolved to IP `1.2.3.4` last week.
- Reverse Pivot: You search for IP `1.2.3.4` in the PDNS database. You find that 50 other domains (`attack1.com`, `attack2.com`, ...) also resolved to this IP.
- Result: You have uncovered the attacker's entire campaign infrastructure from a single indicator.
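The forward/reverse pivot loop above, written out as an added example (not code from any PDNS provider). It runs over a small constructed set of PDNS-style records with placeholder domains and IPs, and it adds the check a practitioner applies in practice: an IP that hosts many unrelated names (shared hosting, CDN) is not pivoted through, because it would drag unrelated domains into the "campaign".

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PdnsRecord:
    """One observation as a PDNS provider reports it (constructed format)."""
    rrname: str      # queried name
    rrtype: str      # "A", "CNAME", "NS", ...
    rdata: str       # resolved value
    first_seen: str  # ISO date of first observation
    last_seen: str   # ISO date of last observation


# Constructed sample data; every name and IP here is a placeholder.
SAMPLE_PDNS = [
    PdnsRecord("evil.com", "A", "1.2.3.4", "2024-01-02", "2024-01-30"),
    PdnsRecord("evil.com", "A", "5.6.7.8", "2024-02-01", "2024-02-20"),
    PdnsRecord("attack1.com", "A", "1.2.3.4", "2024-01-05", "2024-01-25"),
    PdnsRecord("attack2.com", "A", "1.2.3.4", "2024-01-10", "2024-01-28"),
    PdnsRecord("attack2.com", "A", "9.9.9.9", "2024-03-01", "2024-03-15"),
    PdnsRecord("attack3.com", "A", "9.9.9.9", "2024-03-02", "2024-03-10"),
    # 203.0.113.1 is a shared-hosting IP with many unrelated tenants: pivoting
    # through it would produce false positives, so the expansion skips it.
    PdnsRecord("attack3.com", "A", "203.0.113.1", "2024-03-02", "2024-03-10"),
    *[PdnsRecord(f"tenant{i}.example", "A", "203.0.113.1", "2023-01-01", "2024-12-31")
      for i in range(20)],
]


def forward_pivot(records, domain):
    """Historical A-record resolutions of a domain, oldest first."""
    hits = [(r.rdata, r.first_seen, r.last_seen)
            for r in records if r.rrname == domain and r.rrtype == "A"]
    return sorted(hits, key=lambda h: h[1])


def reverse_pivot(records, ip):
    """Every name that has ever resolved to the given IP."""
    return {r.rrname for r in records if r.rrtype == "A" and r.rdata == ip}


def expand_infrastructure(records, seed, max_fanout=10, max_depth=3):
    """Alternate forward and reverse pivots from a seed domain (breadth-first).
    IPs hosting more than max_fanout names are treated as shared and not followed."""
    domains, ips, frontier = {seed}, set(), deque([(seed, 0)])
    while frontier:
        domain, depth = frontier.popleft()
        if depth >= max_depth:
            continue
        for ip, _, _ in forward_pivot(records, domain):
            neighbours = reverse_pivot(records, ip)
            if len(neighbours) > max_fanout:
                continue  # shared hosting / CDN: unrelated tenants, not the campaign
            ips.add(ip)
            for d in neighbours - domains:
                domains.add(d)
                frontier.append((d, depth + 1))
    return domains, ips
```

With a real provider you would replace `SAMPLE_PDNS` with the records their API returns and tune `max_fanout` to the hosting environment; the fanout cut-off is the difference between a tight campaign cluster and a list of every customer of a hosting company.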
Mini Case Study: SolarWinds (The Decoding)
During the SolarWinds investigation, PDNS was crucial.
- The Artifact: The malware used a Domain Generation Algorithm (DGA) to create subdomains like `7sbvaemscs0mc925tb99.avsvmcloud.com`.
- The Analysis: Researchers used PDNS records to find every single subdomain that had ever been resolved.
- The Breakthrough: By decoding these subdomains (which contained encoded victim names), they were able to identify which companies had been actively compromised.
Usage in Real CTI Workflows
Top PDNS providers include Farsight Security (DNSDB), VirusTotal, and RiskIQ. Analysts use these tools daily to enrich OSINT findings.