Passive DNS

The best active and passive DNS data sets anywhere

Request a DemoWatch the Demo

Add Passive DNS to Iris Investigate and Take Your Investigations to the Next Level

DomainTools incorporates world-class passive DNS data from its Farsight division as well as several other top-tier providers to integrate passive DNS data into Iris Investigate. Complementing the active DNS resolutions performed by DomainTools, passive DNS providers capture domain-to-IP mappings observed “in the wild” across the globe. Many of the world’s most advanced security teams rely daily on passive DNS to support their threat hunting, incident response, and adversary analysis activities. Armed with such data, analysts can learn many valuable things:

  • What are all of the domains observed on a given IP address?
  • What are the IP addresses that a given domain uses, or has used?
  • When did DNS requests for a given domain first appear?
  • What are the subdomains tied to a given domain, or observed on a given IP address?

How does passive DNS advance cyber threat investigations?

It provides fine-grained correlation of the timing of events such as attacks or breaches with domain and hostname resolutions for malicious infrastructure.

  • It provides evidence of unusual DNS behavior such as fast-flux configurations.
  • It provides comprehensive context on IP addresses by showing what domains are currently, or were previously, hosted on them. This can help an analyst determine whether an IP is part of a given adversary’s infrastructure.
  • It can also help the analyst decide whether the IP warrants blocking.
  • It gives the analyst insight into the nature of a domain by exposing subdomains. For example, DomainTools has observed that subdomains such as “account,” “login,” “download,” and others, may appear more frequently in malicious domains than in neutral ones.

How does passive DNS advance cyber threat investigations?

Contact [email protected] to add this premium feature to your Iris Investigate subscription.

Confidence in the Data

The most trusted online infrastructure data. Anywhere.


Near real-time risk scoring on all newly registered and discovered domains


>97% of currently registered domains


Sophisticated associations across datasets to accelerate action.

Related Iris Investigat Support & Learning

A selection of documents and materials related to DomainTools industry topics.

Indicators Over Cocktails

Join Tim Helming for a recurring series of fun, informal demonstrations of Domain Tools products and features, with a different featured beverage each episode. You can expect an investigation of timely, interesting indicators that expose relevant and often stillemerging adversary infrastructure.