
Spamhaus Technology Passive DNS service

The internet works through a system of domain name servers (DNS) resolving queries from client machines. If a DNS resolver is unable to answer a query for a domain name from its cache, it sends a recursive request to other name servers: a situation known as a cache miss.

Cache misses can be maliciously caused by DDoS traffic and cache poisoning, causing internet users to experience delays in reaching websites.

Security researchers are able to use cache misses to retrace recursive queries, map connections and identify new bad domains. This passive DNS replication reconstructs a partial view of DNS queries and resolution and can be used to reveal the internet pathways between cybercriminals and DNS servers, without capturing IP addresses of client devices, or compromising the privacy of internet users.

Spamhaus operates its own passive DNS sensor network, gathering this anonymized DNS query data from thousands of recursive DNS servers around the world.

Created through links with service providers and a community of security researchers who are dedicated to combatting DNS abuse, Spamhaus Technology’s passive DNS datasets compile domains that are, or have been, directly associated with cybercrime.

Studying passive DNS data allows researchers to track which domain names are hosted by particular name servers and which domain names point to which IP networks. They can also see where domain names used to point to and which subdomains exist below a certain domain name.
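The four lookups described above, shown as an added example that is not Spamhaus code and does not reflect the format of the Spamhaus datafeed. The record layout, the `PassiveDNS` class and all sample names and addresses are constructed for illustration; note that the records carry no client IP address.

```python
import ipaddress

# Constructed sample observations: (date, rrname, rrtype, rdata), as seen
# between a recursive resolver and authoritative servers on a cache miss.
SAMPLE = [
    ("2024-01-01", "shop.example.test", "A", "192.0.2.10"),
    ("2024-01-05", "login.shop.example.test", "A", "192.0.2.77"),
    ("2024-02-01", "shop.example.test", "A", "198.51.100.5"),
    ("2024-02-01", "shop.example.test", "A", "198.51.100.5"),  # repeat sighting
    ("2024-01-01", "example.test", "NS", "ns1.dns-host.test."),
    ("2024-01-03", "other.test", "NS", "NS1.dns-host.test"),
    ("2024-01-03", "other.test", "A", "192.0.2.200"),
]

class PassiveDNS:
    """Hypothetical in-memory store keyed on (rrname, rrtype, rdata)."""
    def __init__(self):
        self.rrsets = {}  # key -> [first_seen, last_seen, count]

    def ingest(self, ts, rrname, rrtype, rdata):
        # Normalise case and trailing dots so repeat sightings aggregate.
        key = (rrname.lower().rstrip("."), rrtype, rdata.lower().rstrip("."))
        rec = self.rrsets.setdefault(key, [ts, ts, 0])
        rec[0], rec[1], rec[2] = min(rec[0], ts), max(rec[1], ts), rec[2] + 1

    def domains_on_nameserver(self, ns):
        # Which domain names are hosted by a particular name server.
        return sorted(n for (n, t, d) in self.rrsets if t == "NS" and d == ns)

    def names_in_network(self, cidr):
        # Which domain names point into a given IP network.
        net = ipaddress.ip_network(cidr)
        return sorted({n for (n, t, d) in self.rrsets
                       if t == "A" and ipaddress.ip_address(d) in net})

    def history(self, name):
        # Where a name points now and used to point: (first, last, address).
        return sorted((v[0], v[1], d) for (n, t, d), v in self.rrsets.items()
                      if n == name and t == "A")

    def subdomains(self, apex):
        # Which names have been observed below a given domain.
        return sorted({n for (n, _, _) in self.rrsets if n.endswith("." + apex)})

def build(records=SAMPLE):
    db = PassiveDNS()
    for rec in records:
        db.ingest(*rec)
    return db
```
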

By uncovering the links between name servers and domains, Passive DNS helps to identify new bad domains as soon as they are live. Our Passive DNS datafeed can be used as a real-time threat intelligence tool: helping you to proactively protect your users’ devices from connecting to bad domains.

Spamhaus Technology Passive DNS is available as a raw dataset:

Through our web portal – designed for information security professionals and cyber incident response analysts who want to carry out digital forensics, and security researchers who want to investigate what sort of activity is associated with particular IP ranges, or analyse the relationships between DNS queries and responses.

Through an API – for security vendors and expert users who wish to integrate our raw datasets with their own software and security platforms.

On the wire – for security researchers and law enforcement agencies who wish to continuously monitor live recursive DNS traffic to aid the identification of new malicious domains, emerging threats or cybercriminal trends.


Our customers

Many of the world’s largest internet service providers rely on Spamhaus threat intelligence to block harmful email traffic and protect their customers.


With over 12 years' experience, we are trusted experts



Latest News

Choking the botnets - RPZ protecting a client's users across the USA.


Recently registered Domains - how to avoid the risks

Email security providers are reducing the risks from recently registered Domains thanks to the new 'Zero Reputation Domain' data list from Spamhaus


Spamhaus Technology adds DGA domains to RPZ

Last Thursday Spamhaus Technology added DGA domains to the Spamhaus Technology Botnet Control and Command RPZ (Response Policy Zones). This resulted in the RPZ increasing in size from around 500 entries to 1.2 million.
