Farsight Security Passive DNS project introduction


"Passive DNS" or "passive DNS replication" is a technique invented by Florian Weimer in 2004 to opportunistically reconstruct a partial view of the data available in the global Domain Name System into a central database where it can be indexed and queried.

Passive DNS databases are extremely useful for a variety of purposes. Malware and e-crime rely heavily on the DNS, and so-called "fast flux botnets" abuse the DNS with frequent updates and low TTLs. Passive DNS databases can answer questions that are difficult or impossible to answer with the standard DNS protocol, such as:
  • Where did this domain name point to in the past?
  • What domain names are hosted by a given nameserver?
  • What domain names point into a given IP network?
  • What subdomains exist below a certain domain name?
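As an added illustration (not Farsight's code or schema), the following minimal in-memory store shows how indexing observed records by name and by record data answers the four questions above. The class name, record layout and sample observations are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed observations (unix_time, rrname, rrtype, rdata); not real sensor data.
OBSERVATIONS = [
    (1000, "www.example.com.", "A", "192.0.2.10"),
    (2000, "www.example.com.", "A", "198.51.100.7"),
    (2500, "www.example.com.", "A", "198.51.100.7"),
    (1500, "mail.example.com.", "A", "192.0.2.25"),
    (1200, "example.com.", "NS", "ns1.example.net."),
    (1300, "example.org.", "NS", "ns1.example.net."),
]

class PassiveDNS:  # hypothetical name, for illustration only
    def __init__(self, observations=()):
        self.records = {}                 # (rrname, rrtype, rdata) -> [first_seen, last_seen, count]
        self.by_name = defaultdict(set)   # rrname -> record keys
        self.by_rdata = defaultdict(set)  # rdata -> record keys (inverse index)
        for obs in observations:
            self.ingest(*obs)

    def ingest(self, ts, rrname, rrtype, rdata):
        # Repeated sightings of the same record only widen its time window.
        key = (rrname.lower(), rrtype.upper(), rdata.lower())
        rec = self.records.setdefault(key, [ts, ts, 0])
        rec[:] = [min(rec[0], ts), max(rec[1], ts), rec[2] + 1]
        self.by_name[key[0]].add(key)
        self.by_rdata[key[2]].add(key)

    def history(self, rrname, rrtype="A"):
        """Where did this name point, and when? (first_seen, last_seen, rdata)"""
        keys = self.by_name.get(rrname.lower(), ())
        return sorted((self.records[k][0], self.records[k][1], k[2])
                      for k in keys if k[1] == rrtype)

    def names_on_nameserver(self, ns):
        """Which names have been seen with this nameserver in an NS record?"""
        return sorted(k[0] for k in self.by_rdata.get(ns.lower(), ()) if k[1] == "NS")

    def names_in_network(self, cidr):
        """Which names have pointed into this IP network?"""
        net = ipaddress.ip_network(cidr)
        return sorted({k[0] for k in self.records
                       if k[1] in ("A", "AAAA") and ipaddress.ip_address(k[2]) in net})

    def subdomains(self, domain):
        """Which names have been seen below this domain?"""
        suffix = "." + domain.lower()
        return sorted(n for n in self.by_name if n.endswith(suffix))

db = PassiveDNS(OBSERVATIONS)
```

Because only observed responses are stored, each answer is a lower bound: a name that no sensor saw resolve will not appear in any of these results.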
See also:


See the Passive DNS Architecture white paper for the full technical details.

The slide deck from the original August 2010 Passive DNS Hardening presentation may also be of interest. (Note that a few slides may be out of date.)

Sensor Installation

See the step-by-step guide to set up a passive DNS sensor for the Farsight Passive DNS project.


See the Privacy Considerations for ISC Passive DNS white paper for details about privacy and passive DNS replication.