The investigate-ui Developer Hub

Welcome to the investigate-ui developer hub. You'll find comprehensive guides and documentation to help you start working with investigate-ui as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Passive DNS Timeline

The timeline section displays DNS queries, domain events, and DNS changes. You can see a domain's evolution over time and view up to four years of DNS changes.

The new passive DNS timeline is currently in beta and replaces the previous timeline section. To read about the previous timeline, see our Timeline documentation. To learn more about passive DNS, see Passive DNS.


The timeline is at the top of the domain view. It contains the DNS query graph and event history sections.

DNS Query Graph

In the DNS query graph part of the timeline, there are three icons used.

  • Blue Line—The volume of DNS queries over the last 30 days.
  • Diamond—Domain events. The icon is colored red for malware, command and control, and phishing. It is colored yellow for other security events.
  • Pentagon—DNS changes, such as A record changes. We store DNS changes for up to four years.

Event History

The event history part of the timeline uses three lines, from top to bottom, to represent the following event types.

  • DNS Changes—The top line uses dark grey to show DNS record events, such as A record changes.
  • Security Categories—The middle line shows Umbrella security categorization events. Red represents malware, command and control, and phishing. Yellow represents other security events.
  • Query History—The bottom line uses blue to show time periods with DNS query history available.

Click on the domain events or DNS changes icons to see details. A panel opens to show events, grouped by resource record type and date. If there is more than one event for the selected period, the icon will show the number of events it has.

In the event history part of the timeline, the following icons are used.

  • Person—Domain registration date.
  • Eye—Date that the domain was first seen by our resolvers.
  • Clock—Domain registration expiration date.

To see information, mouse over the icon.

Timeline < Passive DNS Timeline > DNS Resolution

Updated about a year ago

Passive DNS Timeline

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.