The Passive DNS endpoint (
/pdns/) provides historical data from our resolvers for domains, IPs, and other resource records.
The passive DNS API endpoint is intended to replace the Timeline and Classifiers endpoints. To read about Timeline and Classifiers, see this documentation.
Our passive DNS and security categorization data gives you useful information for threat research. Unlike querying live records, you avoid alerting bad actors to your investigation. To learn more, see Passive DNS.
The Passive DNS API endpoint includes the following endpoints:
- Domains—Returns the Resource Record (RR) data for DNS responses, and categorization data, where the answer (or rdata) is the domain(s).
- Names—Returns data from DNS queries that our resolvers received, and categorization data.
- IP Addresses—Returns the Resource Record (RR) data for DNS responses, and categorization data, where the answer (or data) is the IP address.
- Timeline—Returns a snapshot of passive DNS and categorization history for a queried domain name.
- Raw—Returns passive DNS and categorization data for a queried resource record. The query is interpreted as a domain name, IP address, or text. If the query type is not recognized, raw/unnormalized DNS responses are returned.
/pdns/raw/is also available for querying based on hex encoded values.
The passive DNS endpoint returns the dates of any changes for a resource, and what the changes were. You can query the categorization history of a resource for up to the past four years.
For example, we may block a site for hosting malicious content. The owner may then patch the site and remove the offending content. Since the site is no longer malicious, we remove the malware tag, and Investigate shows the change.
Updated 2 months ago