Deteque is delighted to announce the latest release of our Passive DNS service.  This is a simple to use, effective and fast investigation tool, available via a web browser or API.  With all the expected features of Passive DNS, including ‘Forward’ & ‘Reverse’ searches, we also have unique features including ‘Fuzzy’ search and International Domain Name (IDN) support.  Want to find out more?…

Who should consider using Passive DNS?

Security Professionals, Malware Researchers, Brand Protection Specialists, Penetration Testers, among others.

Why use Passive DNS?

Deteque’s Passive DNS speeds up cyber research and investigations, providing you with increased visibility across the internet. By simply entering a single domain name or IP address, in addition to specific search parameters, you can quickly pivot to new areas of potential ‘badness,’ viewing real-time & historic Passive DNS data. 

Watch out for our’ How to Use’ videos over the coming weeks to get a deeper understanding of how you can utilize this tool.

Features of Deteque’s Passive DNS

As with most Passive DNS tools, it is possible to run the following basic searches:

Forward search – on rrname queries (e.g.,

Reverse search – on rrdata queries (e.g., 123.456.7.89) 

There are also a multitude of filters you can utilize to fine tune your search.  In addition to the basic date and ‘Record Type’ filters, e.g., ‘A’ or ‘CNAME,’ we have several filters that are unique to Deteque:  Word Search, Left Match, Fuzzy Search & IDN Support. Here’s a brief overview of some of the filters you can apply when running a query:

Deteque's Passive DNS User Interface for a forward searchExact match – Search for an exact match in the database of your requested query.

Right match – Perform a “right match” searching for the records which have the requested string on the rightmost side. (example: *

Left Match – Perform a “left match” searching for the records which have the requested string on the leftmost side. (example:*)

Word Match – Search for a single string in the target field

Last & First Seen Date – the dates you want the query to return results to and from. 

Fuzzy search – Search for domains where one or multiple characters have been altered:  Select the number of characters you want to be different from the original domain to reveal a host of spoofed domains.

IDN:  Search for internationalized domain names once their “confusable” characters have been replaced with their normalized homoglyphs. e.g. “” is shown as “apþ“.  For more information on this new function, click here.

Where does the data come from?

Deteque leverages Passive DNS data from Spamhaus, who have been providing threat intelligence to the industry for over 20 years.  Spamhaus collect the data from trusted third parties across the globe.  For a more in-depth look at Passive DNS data, click here.

How much does it cost?

If you have low usage requirements or are wanting to trial the product, you can get 200 queries per month for free (no credit card details requested).  Should you require a more substantial plan, we won’t tie you into a contract; instead, we give you the flexibility to change your plan monthly to meet your ever-changing business requirements.  Details of the plans are outlined here.



Click here to find out more, or register for your free 30-day plan here.

Passive DNS can ease the burden on Malware Researchers by reducing the need for complex reverse engineering when dealing with malware.

  • Once you have an IP address for a Botnet Command & Control (Botnet C&C) Server Passive DNS enables you to drill down and analyse the host names served by the same IP address and extend your searches, for example, to the authoritative name servers for the domain.







Security Professionals can use Passive DNS to investigate domains or IP addresses that have raised suspicion, and find out if it is a single malicious IP or a complex multi-layered operation they are dealing with.

  • Looking glass in a circle leading to coloured networks with text " Passive DNS: Security Professionals"Investigate domains that are within the same subnet of a particular IP address – some (or most) of these may display similar behaviours as the one that has caused you concern.
  • Abusers recycle their resources e.g. the same web server may host several phishing domains, not just one.  With Passive DNS you can acquire the information before, or as soon as they change their domain or IP address.
  • If you are dealing with a more complex operation, the abuser may have the full /24 subnet under his control and Passive DNS can potentially provide additional, deeper insights e.g. all the domains that are pointing to an IP address in the subnet.
  • Passive DNS searches will also permit you to find invalid or unauthorised records in the zones you control, caused by unauthorised access or by cache poisoning/spoofing (where corrupt DNS data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result).


USING PASSIVE DNS: Malware Researcher



Passive DNS adds value to multiple roles, including Brand Protection Specialists. You can utilise Passive DNS to highlight shadow domains, or typo squatting and identify who is masquerading as your company, brand or trademark and potentially hurting your customers and damaging your brand.

  • Key in circle leading to coloured networksSearch the Passive DNS database for domain names that contain the whole name of your company, or a specific key word.
  • Pinpoint malicious domains and easily view their IP address.
  • Search this IP address to uncover any further domains this address that may have been connected with historically.
  • For additional intelligence subscribe to our real-time zero reputation domain zone (ZRD), and view all domains which have been registered within the past 24 hours (which have a higher likelihood of being used for fraud).


Using Passive DNS: Security Professional

Passive DNS has the potential to assist various IT security roles, including Penetration Testers.  Take a look at the highlights below to get a clear understanding of how Passive DNS can provide you with deeper insights into the security of the networks you are evaluating.

Search for all the DNS records relating to the subnets of the domain you are investigating, to highlight what different functions the servers are being used for.  Things to look out for:

  • A host named “” suggests a high likelihood that this is the firewall, allowing you to select the relevant testing tools you should be using on this type of domain.
  • A host named “” is likely to be a domain where development is run from, and could yield some interesting penetration results.
  • Look for any IP addresses running live versions of outdated software – this has the potential to increase the attack surface.

Using the information gathered in the above steps, you may uncover subnets which exist as part of the infrastructure, which you weren’t aware of, but are of interest to you. Use Passive DNS to drill down into the newly discovered networks.


Using Passive DNS: Brand Protection Specialist


Passive DNS has been an industry standard tool for more than a decade, but given the conversations we are having with various customers, IT teams & security teams, it’s apparent that there is some uncertainty as to what Passive DNS is, and also how it can help businesses protect both their networks and brand.

What is Passive DNS?

Until the introduction of Passive DNS there was no way to retrieve the content of any DNS zone owned by other people as system administrators were not keen to share them. Also, once a change was made to a DNS record the previous details were gone forever as the new version immediately propagated across the internet…. Not very helpful if you need to research all the domain names a suspect IP address has resolved to historically, and vice versa.

Where does Passive DNS data come from? 

computer, DNS root server DNS resolver and DNS root domain with arrows

How Passive DNS data is captured

When a client queries a local DNS resolver and the answer is not included in the server’s cache, then the DNS resolver will query an external root server, followed by the top-level domain (TLD) server and the authoritative name server itself to get access to the requested information (see diagram ).

With special probes activated on the DNS resolver,  it is possible to record the packets containing the answers to the client, along with the time & date stamp of when the query was made.  

Passive DNS does not store which client (or person) made a query, just the fact that at some point in time, a domain has been associated with a specific DNS record . This ensures that privacy is maintained throughout the system.

Deteque utilises Passive DNS data from Spamhaus, which is collected across the internet globally, from trusted third parties including hosting companies, enterprises, business & ISPs.

With the constant increase in the number of TLDs, there are currently more than 1,000, there is a huge amount of data to record. Deteque’s Passive DNS cluster handles more than 200 million DNS records per hour and stores hundreds of billions of record per month, allowing you to search this vast database easily.

How can this help your IT security?

Passive DNS data provides a wealth of information for IT security teams, research teams and brand protection specialists.  Research analysts gain insight as to how a particular domain name changes over time and how it is related to other domains and/or IP addresses. This data enables you to build a picture of potential threats across global networks that simply cannot be identified from monitoring your own network.

Brand protection specialists can identify spoofed domains/websites, noting when they have been active and how they are associated with other domains.  

Discover the value this tool can bring to multiple roles:

Passive DNS is an extremely clever and simple to use tool that’s a great addition to your security arsenal.


Learn about Deteque’s Passive DNS Tool