Glossary
What Is Passive DNS (pDNS)?
Passive DNS is the historical record of DNS resolutions observed in the wild — capturing hostname-to-IP mappings as they are seen over time, without ever issuing a query of its own. Where active DNS gives you the answer right now, passive DNS gives you every answer its sensors ever observed, with timestamps, so you can replay the past.
How Passive DNS Is Collected
Passive DNS sensors sit in front of recursive resolvers (or alongside them) and observe resolution traffic. Each observed answer — the question, the answer, and the timestamp — is recorded. After deduplication (repeated observations of the same mapping collapse into one record carrying its first-seen and last-seen timestamps), the archive is the most complete public history of how the internet has resolved names over the last decade.
What Passive DNS Reveals
- Domain history — every IP a hostname has ever resolved to.
- IP history — every hostname that has ever resolved to a given IP.
- First-seen / last-seen — when a record entered or left circulation.
- Resolution patterns — fast flux, DGA waves, infrastructure migrations.
- Co-hosted domains — what shares an IP at any historical moment, not just now.
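As an added illustration (not part of this glossary and not Whisper's own code), the following Python models how a pDNS archive is built from raw sensor observations and how the pivots listed above are answered from it. The observations are constructed sample data, and the record layout (first-seen, last-seen, count per name/type/answer tuple) is an assumption about a typical feed.

```python
from collections import defaultdict

# Constructed sample observations (not real data): each tuple is one answer a
# sensor saw: (rrname, rrtype, rdata, unix timestamp). Repeats are intentional.
OBSERVATIONS = [
    ("c2.example", "A", "203.0.113.10", 1700000000),
    ("c2.example", "A", "203.0.113.10", 1700003600),   # same mapping, seen again
    ("shop.example", "A", "203.0.113.10", 1700007200), # co-hosted at that moment
    ("c2.example", "A", "203.0.113.10", 1700010000),
    ("c2.example", "A", "198.51.100.7", 1702000000),   # infrastructure rotated
    ("c2.example", "A", "198.51.100.7", 1702500000),
    ("mail.example", "A", "198.51.100.7", 1702600000),
]

def build_archive(observations):
    """Deduplicate raw observations into pDNS records keyed by (name, type, answer).
    Each record keeps first_seen, last_seen and a hit count (assumed feed layout)."""
    archive = {}
    for rrname, rrtype, rdata, ts in observations:
        key = (rrname, rrtype, rdata)
        rec = archive.get(key)
        if rec is None:
            archive[key] = {"first_seen": ts, "last_seen": ts, "count": 1}
        else:
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
            rec["count"] += 1
    return archive

def domain_history(archive, rrname):
    """Every answer the hostname has ever resolved to, oldest first-seen first."""
    hits = [(v["first_seen"], v["last_seen"], k[2])
            for k, v in archive.items() if k[0] == rrname]
    return [rdata for _, _, rdata in sorted(hits)]

def ip_history(archive, ip):
    """Every hostname that has ever resolved to the given IP."""
    return sorted({k[0] for k in archive if k[2] == ip})

def cohosted_at(archive, ip, ts):
    """Hostnames whose record for this IP was in circulation at time ts
    (first_seen <= ts <= last_seen), i.e. co-hosting at a historical moment."""
    return sorted(k[0] for k, v in archive.items()
                  if k[2] == ip and v["first_seen"] <= ts <= v["last_seen"])
```

Note that the live answer for c2.example at the end of the sample is 198.51.100.7, while domain_history still returns the earlier 203.0.113.10: that retained trail is the point of the historical record.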
Why Active DNS Is Not Enough
A live DNS query tells you what a hostname resolves to this second. By the time an analyst looks, the attacker has often rotated to a new IP. Passive DNS preserves the trail: the IP an attacker used six weeks ago is still attached to the hostname in the historical record, even though the live answer changed long ago.
Privacy Considerations
Passive DNS is collected in aggregate at the resolver level — no client identifiers are recorded in any reputable feed. The data is the answer, not the asker. Most major DNS operators contribute under that constraint.
Passive DNS in Whisper
Whisper ingests passive DNS as one of its core substrates. Every hostname in the graph carries its full resolution history; pivots like "every IP this domain has ever pointed to" or "every domain ever co-hosted on this IP" are single Cypher queries.