
Spamhaus Technology Passive DNS service

The internet relies on the Domain Name System (DNS), in which name servers resolve queries from client machines. If a DNS resolver is unable to answer a query for a domain name from its cache, it sends a recursive request to other name servers: a situation known as a cache miss.

Cache misses can be maliciously caused by DDoS traffic and cache poisoning, causing internet users to experience delays in reaching websites.

Security researchers are able to use cache misses to retrace recursive queries, map connections and identify new bad domains. This passive DNS replication reconstructs a partial view of DNS queries and resolution and can be used to reveal the internet pathways between cybercriminals and DNS servers, without capturing IP addresses of client devices, or compromising the privacy of internet users.

Spamhaus operates its own passive DNS sensor network, gathering this anonymized DNS query data from thousands of recursive DNS servers around the world.

Created through links with service providers and a community of security researchers who are dedicated to combatting DNS abuse, Spamhaus Technology’s passive DNS datasets compile domains that are, or have been, directly associated with cybercrime.

Studying passive DNS data allows researchers to track which domain names are hosted by particular name servers and which domain names point to which IP networks. They can also see where domain names used to point to and which subdomains exist below a certain domain name.

By uncovering the links between name servers and domains, Passive DNS helps to identify new bad domains as soon as they are live. Our Passive DNS datafeed can be used as a real-time threat intelligence tool: helping you to proactively protect your users’ devices from connecting to bad domains.
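The lookups described above, as an added example that is not Spamhaus code and does not reflect its API or data format: the record layout (name, type, data, first seen, last seen), the function names and every domain and address below are constructed for illustration.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed observations: (rrname, rrtype, rdata, first_seen, last_seen).
RECORDS = [
    ("shop.example", "NS", "ns1.badhost.test", date(2018, 1, 5), date(2018, 7, 10)),
    ("shop.example", "A", "203.0.113.9", date(2018, 1, 5), date(2018, 3, 1)),
    ("shop.example", "A", "192.0.2.10", date(2018, 3, 2), date(2018, 7, 10)),
    ("login.shop.example", "A", "192.0.2.11", date(2018, 6, 1), date(2018, 7, 10)),
    ("pay-update.test", "NS", "ns1.badhost.test", date(2018, 7, 9), date(2018, 7, 10)),
    ("pay-update.test", "A", "192.0.2.77", date(2018, 7, 9), date(2018, 7, 10)),
    ("blog.example", "NS", "ns.goodhost.test", date(2017, 2, 1), date(2018, 7, 10)),
    ("blog.example", "A", "198.51.100.5", date(2017, 2, 1), date(2018, 7, 10)),
]

def domains_on_nameserver(ns):
    """Domain names delegated to a given name server."""
    return sorted({n for n, t, d, _, _ in RECORDS if t == "NS" and d == ns})

def names_in_network(cidr):
    """Names that point, or used to point, into an IP network."""
    net = ip_network(cidr)
    return sorted({n for n, t, d, _, _ in RECORDS if t == "A" and ip_address(d) in net})

def address_history(name):
    """A-record targets for a name, oldest first, with the observation window."""
    rows = [(f, l, d) for n, t, d, f, l in RECORDS if n == name and t == "A"]
    return [(d, f, l) for f, l, d in sorted(rows)]

def subdomains(domain):
    """Names observed below a domain."""
    return sorted({n for n, *_ in RECORDS if n.endswith("." + domain)})

def new_domains_sharing_ns(seed, since):
    """Pivot: known-bad seed -> its name servers -> other domains first seen since a date."""
    servers = {d for n, t, d, _, _ in RECORDS if n == seed and t == "NS"}
    return sorted({n for n, t, d, f, _ in RECORDS
                   if t == "NS" and d in servers and n != seed and f >= since})

if __name__ == "__main__":
    print(domains_on_nameserver("ns1.badhost.test"))
    print(names_in_network("192.0.2.0/24"))
    print(address_history("shop.example"))
    print(subdomains("shop.example"))
    print(new_domains_sharing_ns("shop.example", date(2018, 7, 1)))
```

The last function is the pivot that surfaces a newly registered domain because it shares a name server with a domain already known to be bad; the result is a lead for review, since benign domains can share name servers too.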

Spamhaus Technology Passive DNS is available as a raw dataset:

Through our web portal – designed for information security professionals and cyber incident response analysts who want to carry out digital forensics, and security researchers who want to investigate what sort of activity is associated with particular IP ranges, or analyse the relationships between DNS queries and responses.

Through an API – for security vendors and expert users who wish to integrate our raw datasets with their own software and security platforms.

On the wire – for security researchers and law enforcement agencies who wish to continuously monitor live recursive DNS traffic to aid the identification of new malicious domains, emerging threats or cybercriminal trends.


Our customers

Many of the world’s largest internet service providers rely on Spamhaus threat intelligence to block harmful email traffic and protect their customers.


With over 12 years' experience, we are trusted experts


Latest News

Brian Krebs | Bitcanal - "Hijack Factory" Shunned from Web

Brian Krebs covers the Bitcanal "Hijack Factory" story which hit the news this week. In the article Krebs highlights that virtually all of Bitcanal's IP address ranges had been listed by Spamhaus.


Doug Madory | Shutting down the BGP Hijack Factory - Bitcanal

This week sees Spamhaus featuring in the news again. Bitcanal, a notorious bad actor that has continually hijacked Border Gateway Protocol (BGP) routes, has effectively been kicked off the internet. Doug Madory, Director of Internet Analysis at Oracle Dyn, takes an in-depth look at the story: Shutting down the BGP Hijack Factory.

