Passive DNS

The Passive DNS endpoint (/pdns/) provides historical data from our resolvers for domains, IPs, and other resource records.

The new passive DNS API endpoint is currently in beta and will eventually replace the Timeline and Classifiers endpoints. To read about Timeline and Classifiers, see our documentation.

Our passive DNS and security categorization data gives you useful information for threat research. Unlike querying live records, you avoid alerting bad actors to your investigation. To learn more, see Passive DNS.

The Passive DNS API includes the following endpoints:

  • Domains—Returns the Resource Record (RR) data for DNS responses, and categorization data, where the answer (or rdata) is the domain(s).
  • Names—Returns data from DNS queries that our resolvers received, and categorization data.
  • IP Addresses—Returns the Resource Record (RR) data for DNS responses, and categorization data, where the answer (or rdata) is the IP address.
  • Timeline—Returns a snapshot of passive DNS and categorization history for a queried domain name.
  • Raw—Returns passive DNS and categorization data for a queried resource record. The query is interpreted as a domain name, IP address, or text. If the query type is not recognized, raw/unnormalized DNS responses are returned. /pdns/raw/ is also available for querying based on hex-encoded values.

The passive DNS endpoint will return the dates of any changes for a resource, and what the changes were. You can query the categorization history of a resource for up to the past four years.

For example, we may block a site for hosting malicious content. The owner may then patch the site and remove the offending content. Since the site is no longer malicious, we remove the malware tag, and Investigate shows the change.

