What is Passive DNS?

Farsight Passive DNS collects DNS response data received by caching, recursive DNS servers distributed around the global Internet. This data is aggregated and made available via the Farsight SIE platform where it is imported in an anonymized form into the Farsight DNSDB system.

Passive DNS uses cache-miss traffic observed above recursive resolvers (the queries a resolver sends to authoritative servers when its cache cannot answer, and the responses it gets back) to build a database of the relationships between domain names, IP addresses, and name servers. That historical database can then be queried to obtain a report of:

  • Domains that have been seen associated with a particular IP address or IP range
  • IP addresses that have been seen associated with a particular domain name
  • Domain names that are known to be using a particular authoritative name server, etc.
  • The first-seen and last-seen times for each of those associations, which show when a relationship appeared or changed
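The following added example is not Farsight's DNSDB code; the class, method and field names are assumptions made for illustration, and the observations (TEST-NET-1 addresses, example.* names) are constructed sample data. It shows how such a database is built from the cache-miss responses a sensor sees and how it answers each of the reports listed above, including a lookup by address range and the first-seen/last-seen window per association:

```python
"""A minimal passive-DNS store: ingests (timestamp, rrname, rrtype, rdata)
tuples as seen above a recursive resolver and answers the FAQ's questions.
Added illustration, not Farsight's DNSDB implementation."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

NAME_RDATA_TYPES = {"NS", "CNAME", "MX", "PTR"}   # record types whose rdata is a DNS name


@dataclass
class Record:
    """One observed (name, type, rdata) association and its activity window."""
    rrname: str
    rrtype: str
    rdata: str
    first_seen: str      # ISO-8601 UTC strings in one format sort chronologically
    last_seen: str
    count: int = 1       # how many cache-miss responses carried this association


def _norm(name):
    return name.lower().rstrip(".")


class PassiveDNS:
    def __init__(self):
        self.records = {}                   # (rrname, rrtype, rdata) -> Record
        self.by_name = defaultdict(set)     # rrname -> keys: the "rrset" index
        self.by_rdata = defaultdict(set)    # rdata  -> keys: the "rdata" index

    def observe(self, ts, rrname, rrtype, rdata):
        rrname, rrtype = _norm(rrname), rrtype.upper()
        if rrtype in NAME_RDATA_TYPES:
            rdata = _norm(rdata)            # names are case-insensitive; IPs and TXT kept as-is
        key = (rrname, rrtype, rdata)
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = Record(rrname, rrtype, rdata, ts, ts)
            self.by_name[rrname].add(key)
            self.by_rdata[rdata].add(key)
        else:                               # widen the window, bump the count
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1

    def _select(self, keys, rrtype=None):
        recs = [self.records[k] for k in keys if rrtype is None or k[1] == rrtype]
        return sorted(recs, key=lambda r: (r.first_seen, r.rrname, r.rdata))

    def rrset(self, rrname, rrtype=None):
        """What has this name resolved to (IPs, name servers, TXT) and when?"""
        return self._select(self.by_name.get(_norm(rrname), ()), rrtype)

    def rdata(self, value, rrtype=None):
        """Which names have pointed at this IP, name server or text value, and when?"""
        keys = self.by_rdata.get(value, set()) | self.by_rdata.get(_norm(value), set())
        return self._select(keys, rrtype)

    def domains_using_ns(self, ns_host):
        """Domains whose NS records name this authoritative server."""
        return self.rdata(ns_host, "NS")

    def names_in_range(self, cidr):
        """Names whose A/AAAA answers fell inside an address block."""
        net = ipaddress.ip_network(cidr, strict=False)
        hits = []
        for (_, rrtype, rdata), rec in self.records.items():
            if rrtype not in ("A", "AAAA"):
                continue
            ip = ipaddress.ip_address(rdata)
            if ip.version == net.version and ip in net:
                hits.append(rec)
        return sorted(hits, key=lambda r: (r.first_seen, r.rrname))


# Constructed sample observations (TEST-NET-1 addresses, example.* names).
OBSERVATIONS = [
    ("2021-03-04T10:00:00Z", "example.com",        "NS",  "ns1.example-dns.net"),
    ("2021-03-04T10:00:00Z", "example.com",        "NS",  "ns2.example-dns.net"),
    ("2021-03-04T10:00:01Z", "www.example.com",    "A",   "192.0.2.10"),
    ("2021-03-05T08:12:00Z", "www.example.com",    "A",   "192.0.2.10"),
    ("2021-06-01T00:00:00Z", "www.example.com",    "A",   "192.0.2.11"),  # host moved
    ("2021-06-02T00:00:00Z", "shop.example.net",   "A",   "192.0.2.11"),  # shares the new IP
    ("2021-06-02T00:00:05Z", "example.org",        "NS",  "NS1.Example-DNS.net"),
    ("2021-06-03T00:00:00Z", "example.com",        "TXT", "v=spf1 ip4:192.0.2.0/24 -all"),
    ("2021-06-03T00:00:00Z", "_dmarc.example.com", "TXT", "v=DMARC1; p=reject"),
]


def build_sample_db(observations=OBSERVATIONS):
    db = PassiveDNS()
    for ts, name, rrtype, rdata in observations:
        db.observe(ts, name, rrtype, rdata)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for r in db.rdata("192.0.2.11"):
        print(f"{r.rrname} -> {r.rdata}  {r.first_seen} .. {r.last_seen}  x{r.count}")
    for r in db.domains_using_ns("ns1.example-dns.net"):
        print(f"{r.rrname} delegates to {r.rdata}")
```

A production sensor also records which zone each response was authoritative for (its "bailiwick") and discards out-of-zone records, so that a poisoned or malicious response cannot plant false associations in the database; this example omits that check to keep the indexing logic visible.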

How does passive DNS data differ from WHOIS data?

WHOIS is an online distributed database that documents control over particular Internet resources such as domain names, blocks of IP addresses, and autonomous system numbers (ASNs).

WHOIS normally contains manually-maintained contact information, as well as information about the dates when resources were received or modified; plus additional details associated with resources (these details may vary depending on the type of resource or the specific WHOIS operator).

Passive DNS is a database that contains automatically collected information gleaned from DNS queries and responses, and consists of observed and imputed relationships between domain names, IP addresses, and name servers.

Passive DNS also captures the other record types delivered via DNS, such as the TXT records that carry SPF, DKIM and DMARC policies.

How much data is in the DNSDB?

The DNSDB database currently has over 100 billion unique DNS records. We currently see over 200,000 new raw observations/second totaling over 2TB of DNS data collected daily.

How far back does DNSDB data go? When did you begin collecting and saving data for DNSDB?

While DNSDB's data collection began in 2007, the collection architecture has been improved several times since. The NMSG-based passive DNS architecture in use today was put into production in 2010, and that is the earliest date you will see for passive DNS data.

Can I use DNSDB as a basis for making quantitative estimates about a domain's "popularity" or "importance?"

Because Farsight observes data above the recursive resolver, we only see cache-miss traffic. The volume of cache-miss traffic is driven largely by a domain's popularity, so you can get a rough sense of a domain's relative popularity. Bear in mind, though, that the count also depends on record TTLs (a short TTL makes the same number of clients produce more cache misses) and on which resolvers happen to feed sensors.

Obviously www.google.com has been seen far more often than a relatively obscure or seemingly randomly named domain; however, an analyst should avoid making hard quantified comparisons.

How much does DNSDB cost for a "typical" user?

Our pricing for DNSDB is quote-based; please contact our sales team at sales@farsightsecurity.com or +1-650-489-7919 for details.

If I operate a recursive resolver, can I contribute data to Farsight Security and receive a discount in exchange?

Discount levels are based on the value of the contributions. These are measured by volume and uniqueness of the data shared. In a few cases, partners who have shared substantial volumes of unique data (such as large ISPs) have been eligible for substantial discounts.

Is there a program to provide discounted or free access to DNSDB for academic researchers and independent, non-commercial researchers?

Farsight enthusiastically supports academic research and is happy to consider requests for discounted or free access to DNSDB. Farsight is pleased to support bona-fide “independent non-commercial researchers” working to better the Internet by offering deeply discounted or free access to DNSDB.

Because DNSDB has potentially security-sensitive information, all customers must be pre-approved for access. Farsight reserves the right to decline any potential customer or academic at its sole discretion.

What’s the difference between "recursive resolvers" and "authoritative name servers"?

Recursive resolvers are used by clients to translate the domain names of the sites they're interacting with into IP addresses, whatever and wherever those sites might be. For example, if you visit www.cnn.com, a recursive resolver will translate that domain name to the IP address your computer needs. ISPs, enterprises, and colleges or universities commonly run recursive resolvers for the benefit of their local users, although some recursive resolvers are intentionally open to anyone on the Internet, such as Google's.

Authoritative name servers are different. They are designated by the domain owner when the domain owner registers a new domain name, and they publish the records that tie that specific domain's names to its IP addresses (and to its mail servers, TXT policies and so on). Authoritative name servers may be run by the domain owner or by a third party such as a domain name registrar or hosting company. Authoritative name servers only know about and answer for the specific zones delegated to them.

What's a "base domain?"

A "base domain" is what registrants purchase from a registrar when they buy a new domain name: the label directly beneath a top-level domain or other public suffix. For example, nytimes.com is a base domain name.

What's a "fully qualified domain name?"

A "fully qualified domain name" (FQDN) is a complete hostname that includes a base domain name and everything above it up to the top-level domain. For example, www.cnn.com is a fully qualified domain name. “printer23” is an example of a bare local hostname that is not fully qualified; it cannot be resolved on the global Internet without a domain appended to it.

What’s the difference between Newly Observed Domains (NOD) and Newly Observed Hostnames (NOH)?

If we consider the hypothetical name www.example.com:

  • .com would be the top level domain (“TLD”) or “public suffix”
  • example.com would be the domain, registered by a registrant directly above a TLD or public suffix
  • www.example.com would be the hostname (or Fully Qualified Domain Name, “FQDN”) as might be used by a workstation, web server, mail server, networked printer, or other system.

Newly Observed Domains (NOD) reports the first sighting of a registered domain such as example.com, while Newly Observed Hostnames (NOH) tracks the first use of each individual hostname on a hostname-by-hostname basis, so a long-established domain can still produce NOH events when a new host such as login.example.com appears under it.

Traditional generic top level domains, or gTLDs, include com, net, org, edu, gov, and mil. That original set of gTLDs has now expanded over time to well over 1,000 different gTLDs.

Is there any way to obtain a complete copy of the DNSDB database for use "on premises" within a secure enclave that's not connected to the Internet?

Yes. DNSDB Export is an on-premises installation of DNSDB; because your queries never leave your own environment, it provides total query privacy.

Is there a way to obtain a real-time access to the full stream of DNS data as it's added to DNSDB?

Farsight shares real-time data in raw form via the Security Information Exchange (SIE). Please contact sales@farsightsecurity.com or +1-650-489-7919 for further details.

Is it possible to watch for select terms of interest (keywords, brands, etc.)?

Yes, this is a perfect use case for our Brand Sentry solution. Please contact sales@farsightsecurity.com or +1-650-489-7919 for details.

What does "new" mean in Newly Observed Domains or Newly Observed Hostnames?

This is a domain or hostname seen in passive DNS that hasn't previously been seen by a Farsight sensor node since June 2010, and which hasn't already been seen in a zone file obtained under the Zone File Access programs.

How is NOD better than just lists of new domains from Zone File Access programs?

Zone files are static and typically provided for download via the Zone File Access program just once a day. This can result in a big visibility gap: you'll see some intensively-abused domains created, deployed, abused and then abandoned during the few short hours between the time they're created and the time the zone file that first mentions them becomes available. Zone files are simply too "batch oriented" for a real-time world.
By way of contrast:

  • Newly Observed Domains lists new domains as soon as they are seen on the global Internet
  • Newly Observed Domains includes domains from TLDs for which no zone file access program exists (such as many ccTLD zones)
  • Newly Observed Domains also includes new domains created under "effective top level domains," as defined by the Public Suffix List.
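The following added example is not Farsight's NOD or NOH code. It ties together the definitions of base domain and fully qualified domain name, the NOD-versus-NOH distinction, and the rule that a domain already present in a zone file is not "new". It uses a tiny constructed stand-in for the Public Suffix List and a constructed stream of sighted names; the class and function names, the sample names and the sample zone-file contents are all assumptions made for illustration:

```python
"""Newly Observed Domains (NOD) versus Newly Observed Hostnames (NOH) over a
stream of names seen in passive DNS. Added illustration, not Farsight code."""

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# A real deployment loads the full list. "github.io" stands in for a
# private-section entry: an "effective TLD" under which third parties register.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "io", "github.io"}


def split_name(name):
    """Split a name into (public_suffix, registered_domain, hostname).

    registered_domain is the label directly beneath the longest matching
    public suffix: the "base domain" a registrant buys. It is None when the
    name is itself a public suffix, or when no suffix matches at all (for
    example a bare local name such as "printer23", which is not an FQDN).
    """
    host = name.lower().rstrip(".")
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest so that "co.uk"
    # wins over "uk" for www.example.co.uk.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix, None, host
            return suffix, ".".join(labels[i - 1:]), host
    return None, None, host


class NewlyObserved:
    """Tracks first sightings. Domains already present in a zone file are
    seeded as known, so they never produce a NOD event; hostnames are tracked
    one by one, so a known domain can still produce NOH events."""

    def __init__(self, zone_file_domains=()):
        self.seen_domains = {d.lower().rstrip(".") for d in zone_file_domains}
        self.seen_hosts = set()

    def observe(self, name):
        """Return (new_domain, new_hostname) for one passive-DNS sighting."""
        _suffix, domain, host = split_name(name)
        if domain is None:
            return False, False        # not a registrable name; nothing to report
        new_domain = domain not in self.seen_domains
        new_host = host not in self.seen_hosts
        self.seen_domains.add(domain)
        self.seen_hosts.add(host)
        return new_domain, new_host


# Constructed sample stream: (UTC timestamp, name) as seen above a resolver.
OBSERVATIONS = [
    ("2023-05-01T02:10:00Z", "www.example.com"),
    ("2023-05-01T02:11:00Z", "mail.example.com"),
    ("2023-05-01T03:05:00Z", "login.promo-8f3a.com"),   # registered after the last zone cut
    ("2023-05-01T04:40:00Z", "shop.example.co.uk"),     # ccTLD with no zone file program
    ("2023-05-01T05:00:00Z", "team-a.github.io"),       # new name under an effective TLD
    ("2023-05-01T06:00:00Z", "www.example.com"),        # repeat sighting
    ("2023-05-01T06:30:00Z", "login.promo-8f3a.com"),   # repeat sighting
]

# Constructed: the most recent daily .com zone file already lists example.com.
ZONE_FILE_DOMAINS = {"example.com"}


def run_stream(observations=OBSERVATIONS, zone_file_domains=ZONE_FILE_DOMAINS):
    """Return [(ts, name, new_domain, new_hostname)] for every sighting."""
    tracker = NewlyObserved(zone_file_domains)
    return [(ts, name, *tracker.observe(name)) for ts, name in observations]


if __name__ == "__main__":
    for ts, name, nod, noh in run_stream():
        print(f"{ts} {name:24} NOD={nod!s:5} NOH={noh}")
```

Running it shows www.example.com and mail.example.com as NOH-only events, because example.com is already in the zone file, while login.promo-8f3a.com, shop.example.co.uk and team-a.github.io are both NOD and NOH events: the first was registered after the last daily zone file was cut and would be missed until the next one, the second sits under a ccTLD with no zone file access program, and the third is a new registration under an effective TLD from the Public Suffix List. The repeat sightings at the end produce no events at all.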

If I license NOD primarily for spam protection, can I also use that data for other purposes, too?

Yes, provided your actions are consistent with the terms and conditions of your contract with Farsight. If you have specific questions about any contemplated use, please contact your account representative or sales@farsightsecurity.com.

How much does NOD cost?

We base our pricing for NOD on quotes; please contact our sales team at sales@farsightsecurity.com or call +1-650-489-7919 for details.