Farsight Passive DNS collects DNS response data received by caching, recursive DNS servers distributed around the global Internet. This data is aggregated and made available via the Farsight SIE platform where it is imported in an anonymized form into the Farsight DNSDB system.
Passive DNS uses observed cache miss traffic collected from above recursive resolvers to build a database detailing relationships between domain names, IP addresses, and name servers. That historical database can then be queried to obtain a report of:
WHOIS is an online distributed database that documents control over particular Internet resources such as domain names, blocks of IP addresses, and autonomous system numbers (ASNs).
WHOIS normally contains manually-maintained contact information, information about the dates when resources were received or modified, and additional details associated with resources (these details may vary depending on the type of resource or the specific WHOIS operator).
Passive DNS is a database that contains automatically collected information gleaned from DNS queries and responses, and consists of observed and imputed relationships between domain names, IP addresses, and name servers.
Passive DNS also captures other types of arbitrary data delivered via DNS, such as DKIM/DMARC records, SPF records, etc.
The DNSDB database currently has over 13 billion unique RRsets. We currently see over 200,000 new raw observations/second totaling over 5TB of DNS data collected daily.
While DNSDB's data collection began in 2007, various improvements have been made over time. The currently utilized NMSG-based passive DNS architecture was put into production in 2010, and that is the earliest date you will see for passive DNS data.
Because Farsight observes data above the recursive resolver, we only see cache miss traffic. The volume of cache miss traffic is largely based on a domain's popularity. Thus, you can get a rough sense of a domain's relative popularity.
Obviously www.google.com has been seen far more often than the other relatively-obscure or seemingly-randomly-named domain; however an analyst should avoid making hard quantified comparisons.
Our pricing for DNSDB is quote-based; please contact our sales team at email@example.com or +1-650-489-7919 for details.
Discount levels are based on the value of the contributions. These are measured by volume and uniqueness of the data shared. In a few cases, partners who have shared substantial volumes of unique data (such as large ISPs) have been eligible for substantial discounts.
Farsight enthusiastically supports academic research and is happy to consider requests for discounted or free access to DNSDB. Farsight is also pleased to support bona-fide "do-gooders" working to better the Internet by offering deeply discounted or free access to DNSDB.
Because DNSDB has potentially security-sensitive information, all customers must be pre-approved for access. Farsight reserves the right to decline any potential customer or academic at its sole discretion.
Recursive resolvers are used to resolve the domain names to IP addresses for sites they're interacting with - whatever and wherever those might be. For example, if you visit www.cnn.com, a recursive resolver will translate that domain name to the IP address your computer needs. ISPs, enterprises, colleges or universities commonly run recursive resolvers for the benefit of their local users, although some recursive resolvers may be intentionally open, such as Google's 22.214.171.124.
Authoritative name servers are different. They are designated by the domain owner when the domain owner registers a new domain name, and are used to describe the relationship between domain names and the IP addresses used by that specific domain. Authoritative name servers may be run by the domain owner or by a third party such as a domain name registrar or hosting company. Authoritative name servers only know about and answer for the specific domain names assigned to them.
A "base domain" is what registrants purchase from a registrar when they buy a new domain name. For example, nytimes.com is a base domain name.
A "fully qualified domain name" is any hostname that includes a base domain name. For example, www.cnn.com is a fully qualified domain name. “printer23” is an example of a local domain name that is not fully qualified.
If we consider the hypothetical name www.example.com:
Newly Observed Domains only lists newly seen domains, while Newly Observed Hostnames tracks the first use of individual hostnames on a hostname-by-hostname basis.
Traditional generic top level domains, or gTLDs, include com, net, org, edu, gov, and mil. That original set of gTLDs has expanded over time to well over 1,000 different gTLDs.
DNSDB Export (an on-premises installation of DNSDB) provides total query privacy.
Farsight shares real-time data in raw form via the Security Information Exchange (SIE). Please contact firstname.lastname@example.org or +1-650-489-7919 for further details.
Yes, this is a perfect use case for our Brand Sentry solution. Please contact email@example.com or +1-650-489-7919 for details.
This is a domain or hostname seen in passive DNS that hasn't previously been seen by a Farsight sensor node since June 2010, and which hasn't already been seen in a zone file obtained under the Zone File Access programs.
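The distinction between Newly Observed Domains and Newly Observed Hostnames, and the rule that a name already present in a zone file is not reported as a newly observed domain, can be sketched as follows. This is an added example, not Farsight's code: the class name, the tiny suffix list and the sample observations are all constructed for illustration, and the in-memory sets stand in for the observation history.

```python
# Constructed, minimal suffix list (assumption); a real system would use the
# full Public Suffix List to find where the registrable base domain starts.
SUFFIXES = {"com", "co.uk", "example"}

def base_domain(fqdn):
    """Return the base (registrable) domain of fqdn, or None if not fully qualified."""
    labels = fqdn.rstrip(".").lower().split(".")
    # Walk from the longest candidate suffix to the shortest so "co.uk" beats "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return None

class NewlyObservedTracker:
    """Hypothetical tracker: emits NOD/NOH events from a stream of observations."""
    def __init__(self, zone_file_domains=()):
        # Base domains already listed in a zone file are never reported as NOD.
        self.seen_domains = {d.rstrip(".").lower() for d in zone_file_domains}
        self.seen_hostnames = set()

    def observe(self, timestamp, fqdn):
        host = fqdn.rstrip(".").lower()
        base = base_domain(host)
        if base is None:
            return []  # local name such as "printer23": not fully qualified
        events = []
        if base not in self.seen_domains:
            self.seen_domains.add(base)
            events.append(("NOD", base, timestamp))
        if host not in self.seen_hostnames:
            self.seen_hostnames.add(host)
            events.append(("NOH", host, timestamp))
        return events

def run_sample():
    """Replay constructed observations and return every event in order."""
    tracker = NewlyObservedTracker(zone_file_domains=["example.com"])
    observations = [  # constructed sample data, not real passive DNS
        ("2024-01-01T00:00:01Z", "www.example.com"),
        ("2024-01-01T00:00:02Z", "login.brand-new.example"),
        ("2024-01-01T00:00:03Z", "login.brand-new.example"),
        ("2024-01-01T00:00:04Z", "mail.brand-new.example"),
        ("2024-01-01T00:00:05Z", "printer23"),
    ]
    return [e for ts, name in observations for e in tracker.observe(ts, name)]

if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

In the sample, `www.example.com` yields only a hostname event because its base domain was already in the zone file, while the first lookup under `brand-new.example` yields both a domain and a hostname event at the moment it is observed.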
Zone files are static and typically provided for download via the Zone File Access program just once a day. This can result in a big visibility gap: you'll see some intensively-abused domains created, deployed, abused and then abandoned during the few short hours between the time they're created and the time the zone file that first mentions them becomes available. Zone files are simply too "batch oriented" for a real-time world.
By way of contrast:
Yes, provided your actions are consistent with the terms and conditions of your contract with Farsight. If you have specific questions about any contemplated use, please contact your account representative or firstname.lastname@example.org
We base our pricing for NOD on quotes; please contact our sales team at email@example.com or call +1-650-489-7919 for details.