Passive DNS
Purpose
Use passive DNS safely to understand domain and IP relationships over time.
Practitioner-Level Explanation
Passive DNS shows observed relationships between domains and IP addresses. It is useful for timeline building and infrastructure clustering, but it is not proof of malicious control.
The most important controls are time window, source coverage, shared hosting awareness, and corroboration with other features.
CTI Relevance
Passive DNS helps identify campaign infrastructure, historical exposure, and possible related indicators for hunt scoping.
Common Mistakes
- Ignoring first-seen and last-seen dates.
- Pivoting across shared infrastructure without corroboration.
- Assuming passive DNS coverage is complete.
- Using stale resolutions as current indicators.
Practical Workflow
- Start with domain or IP.
- Record first-seen and last-seen dates.
- Identify co-resolutions and hosting context.
- Check for shared hosting or CDN.
- Corroborate with certificates, paths, configs, or telemetry.
- Expire stale indicators.
Example / Mini Case
A domain resolved to an IP used by many unrelated sites. Passive DNS alone is weak. If the same domain also shares a certificate subject pattern and malware config value with another domain, the cluster becomes stronger.
Analyst Checklist
- Are dates recorded?
- Is hosting context known?
- Are pivots corroborated?
- Are indicators expired when stale?
Output Artifact
Domain / IP:
First Seen:
Last Seen:
Resolution Set:
Hosting Context:
Corroboration:
Accepted Pivots:
Rejected Pivots:
Confidence: