What Is Passive DNS As A Service?

In order to easily see a history of the existence of something in your network and how often it is expected to be there (Persistance Information) you need to record it. A simple way to do this is by collecting DNS resolutions as they happen. This process of collecting DNS resolutions as they happen is called Passive DNS.

Most often when people refer to Passive DNS or PDNS, they are referring to subscribing to a global feed. We believe it is important though to have the PDNS for your network available as a reference to give you that local persistance information.

Lets take a new domain for example. For someone on the security team, when they see an email submitted to their abuse mailbox, one of the most obvious clues to whether this is valid traffic or not is whether you have seen it before today. What is the persistence of this domain in our traffic before today? This can be obtained from Enterprise Passive DNS. A second clue is how persistant is this domain in global traffic, this can be obtained from a normal PDNS subscription for global sightings. A third clue is the registration history of the domain. Was it just regsitered yesterday? If it was , and we are seeing traffic today, that is also an unusual situation.

Passive DNS also provides history of the changes in DNS records. For example you can tell if an IP address for a domain is changing on a regular basis. You can tell if there are Name Server changes over time and draw your own conclusions as to whether these are suspicious or not.

Comments are closed.