Passive DNS (pDNS)
The Passive DNS (pDNS) panel shows current and historical DNS resolutions, providing insights into domain-to-IP mappings, name servers, mail servers, and other DNS records with timestamps.
Note: Flexible/regex search functionality is documented in Flexible Search.
What is Passive DNS?
Passive DNS captures DNS query and response data from sensors positioned above the Recursive DNS Server layer. This provides historical records of DNS resolutions, showing when domains resolved to specific IP addresses and how long those resolutions persisted.
Access pDNS
Query pDNS data from:
- A search in the Iris Investigate interface
- The Operations Menu (right-click any domain or IP)
- Direct navigation to the pDNS panel
Supported record types
The pDNS panel supports these DNS record types:
| Record Type | Description |
|---|---|
| A | IPv4 resolutions for domains and subdomains/hostnames |
| AAAA | IPv6 resolutions for domains and subdomains |
| NS | Name server records |
| SOA | Start Of Authority email addresses and name servers |
| MX | Mail server host names and IP addresses |
| CNAME | Alias records mapping one hostname to another |
| TXT | Optional catch-all record that may contain arbitrary descriptive information |
By default, the pDNS panel shows A records only. Select other record types from the dropdown.
Understanding pDNS results
The pDNS panel displays results in columns:
Query : The Fully Qualified Domain Name (FQDN), domain, or subdomain that was queried via DNS. Also known as the question, left-hand-side data, or RRNAME.
Source : The pDNS provider that supplied this observation. Iris Investigate aggregates data from multiple sources.
Type : The DNS record type (A, AAAA, CNAME, MX, NS, SOA, or TXT). Also known as RRTYPE.
Count : The number of times this specific combination of Query, Type, and Response has been observed by the Source. Since pDNS sensors capture "cache misses," the count doesn't represent total traffic volume.
Response : The answer provided by the authoritative name server. The data type depends on the record Type. Also known as the answer, right-hand-side data, or RDATA.
First Seen : Timestamp when the pDNS source first captured this observation. Date-only values indicate the source doesn't provide time-level granularity.
Last Seen : Timestamp when the pDNS source most recently captured this observation. Date-only values indicate the source doesn't provide time-level granularity.
Duration : Time span between First Seen and Last Seen. A tilde (~) indicates an approximate time frame.
Query vs response directions
Note: This section uses A records as an example. Other record types are also supported.
pDNS data is available from two 'directions':
- Query direction (rrname): Shows historical results for when the domain was queried and IP addresses were returned
- Response direction (rdata): Shows historical results for when the IP or IP CIDR range was queried and domain(s) were returned
Each query returns either query data or response data, not both.
The response direction often yields fewer or no records, because in a DNS A record the domain is the query and the IP address is the response. If you enter a domain with the toggle set to response, or an IP address with the toggle set to query, and no results appear, flip the toggle and re-run the search.
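The two directions described above, as an added example that is not part of the Iris Investigate product or this page's own material. It keeps a handful of constructed A-record observations as (rrname, rdata) pairs, auto-detects whether a search term is a domain (query direction) or an IP/CIDR (response direction), returns only one side per search, and emits the "flip the toggle" hint when the chosen direction comes up empty. The record list, the `search*` function names and the hint text are all assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed A-record observations (not real data): (rrname, rdata) pairs,
# i.e. the Query and Response columns of the panel.
SAMPLE_A_RECORDS: List[Tuple[str, str]] = [
    ("example.com", "192.0.2.10"),
    ("www.example.com", "192.0.2.10"),
    ("mail.example.com", "192.0.2.30"),
    ("example.net", "198.51.100.7"),
]


def classify_term(term: str) -> str:
    """'rdata' for an IP address or CIDR range, 'rrname' for a domain name."""
    try:
        ipaddress.ip_network(term, strict=False)
        return "rdata"
    except ValueError:
        return "rrname"


def search_rrname(records: List[Tuple[str, str]], name: str) -> List[str]:
    """Query direction: which IPs has this name resolved to?"""
    name = name.lower().rstrip(".")
    return sorted({ip for q, ip in records if q.lower().rstrip(".") == name})


def search_rdata(records: List[Tuple[str, str]], ip_or_cidr: str) -> List[str]:
    """Response direction: which names have resolved into this IP or CIDR?"""
    net = ipaddress.ip_network(ip_or_cidr, strict=False)
    return sorted({q for q, ip in records if ipaddress.ip_address(ip) in net})


def search(records: List[Tuple[str, str]], term: str,
           direction: Optional[str] = None) -> Dict:
    """Run one direction (auto-detected unless forced by the toggle).

    Only one side is ever returned. An empty result with the wrong toggle,
    e.g. a domain searched in the response direction, yields a flip hint.
    """
    chosen = direction or classify_term(term)
    try:
        results = (search_rdata(records, term) if chosen == "rdata"
                   else search_rrname(records, term))
    except ValueError:  # a domain name handed to the rdata side
        results = []
    hint = None if results else "no results: try flipping the query/response toggle"
    return {"direction": chosen, "results": results, "hint": hint}


if __name__ == "__main__":
    print(search(SAMPLE_A_RECORDS, "example.com"))
    print(search(SAMPLE_A_RECORDS, "192.0.2.0/24"))
    print(search(SAMPLE_A_RECORDS, "example.com", direction="rdata"))
```

Searching a whole CIDR in the response direction is how you find every name that has pointed into a block you are investigating; searching a single IP is just the /32 case of the same lookup.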
Time fencing
Filter pDNS results by date using Seen After and Seen Before fields.
Strict mode (enabled by default) controls which observations appear:
- Strict ON (default): Shows only observations that fall entirely within the specified date range. Aligns with DNSDB Scout behavior.
- Strict OFF: Shows observations that overlap with the date range, even if they extend beyond it.
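The result columns and the Strict ON/OFF fence described above, as an added example that is not part of the Iris Investigate product or this page's own material. It parses a few constructed observations shaped like the panel's rows (Query, Type, Response, Count, First Seen, Last Seen), renders the Duration column with the tilde for date-only sources, and applies a Seen After / Seen Before window both ways: Strict ON keeps only observations whose whole lifetime lies inside the window, Strict OFF keeps anything that overlaps it. The sample rows, timestamps and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Tuple

# Constructed pDNS observations (not real data). Each mirrors the panel's
# columns: Query, Type, Response, Count, First Seen, Last Seen. A date-only
# timestamp stands in for a source with no time-of-day granularity.
SAMPLE_OBSERVATIONS: List[Dict] = [
    {"query": "example.com", "type": "A", "response": "192.0.2.10", "count": 412,
     "first_seen": "2023-01-05T08:14:00", "last_seen": "2023-06-30T23:59:00"},
    {"query": "example.com", "type": "A", "response": "192.0.2.20", "count": 7,
     "first_seen": "2023-07-01", "last_seen": "2023-07-03"},
    {"query": "mail.example.com", "type": "A", "response": "192.0.2.30", "count": 15,
     "first_seen": "2022-11-01T00:00:00", "last_seen": "2023-09-15T12:00:00"},
]


@dataclass
class Observation:
    query: str
    rrtype: str
    response: str
    count: int
    first_seen: datetime
    last_seen: datetime
    approximate: bool  # True when either timestamp was date-only


def parse_timestamp(value: str) -> Tuple[datetime, bool]:
    """Parse an ISO 8601 value; a bare YYYY-MM-DD is flagged approximate."""
    if len(value) == 10:
        return datetime.combine(date.fromisoformat(value), datetime.min.time()), True
    return datetime.fromisoformat(value), False


def parse_observation(raw: Dict) -> Observation:
    first, approx_first = parse_timestamp(raw["first_seen"])
    last, approx_last = parse_timestamp(raw["last_seen"])
    return Observation(raw["query"], raw["type"], raw["response"], raw["count"],
                       first, last, approx_first or approx_last)


def duration(obs: Observation) -> str:
    """Render the Duration column: whole days, '~' when the frame is approximate."""
    days = (obs.last_seen - obs.first_seen).days
    return f"{'~' if obs.approximate else ''}{days} days"


def time_fence(observations: List[Observation], seen_after: str, seen_before: str,
               strict: bool = True) -> List[Observation]:
    """Apply the Seen After / Seen Before window.

    Strict ON keeps an observation only if both First Seen and Last Seen fall
    inside the window; Strict OFF keeps any observation whose lifetime overlaps it.
    """
    lo, _ = parse_timestamp(seen_after)
    hi, _ = parse_timestamp(seen_before)
    kept = []
    for obs in observations:
        if strict:
            inside = lo <= obs.first_seen and obs.last_seen <= hi
        else:
            inside = obs.first_seen <= hi and obs.last_seen >= lo
        if inside:
            kept.append(obs)
    return kept


def fenced_rows(raw_rows: List[Dict], seen_after: str, seen_before: str,
                strict: bool = True) -> List[Tuple[str, str, str]]:
    """(Query, Response, Duration) for each observation that survives the fence."""
    parsed = [parse_observation(r) for r in raw_rows]
    return [(o.query, o.response, duration(o))
            for o in time_fence(parsed, seen_after, seen_before, strict)]


if __name__ == "__main__":
    for strict in (True, False):
        print(f"strict={strict}:",
              fenced_rows(SAMPLE_OBSERVATIONS, "2023-01-01", "2023-07-31", strict))
```

With the window 2023-01-01 to 2023-07-31, Strict ON drops the `mail.example.com` row because it was first seen in 2022 and last seen in September, while Strict OFF keeps it because its lifetime overlaps the window. That is the difference to remember when an infrastructure you expect to see "disappears" under the default setting.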
Apex domains
The pDNS Panel supports searching by:
- Apex domain only
- Subdomain only
- Both apex domain and subdomains
An apex domain (also called a root domain or naked domain) is the base domain without any subdomain prefix. For example, example.com is the apex domain, while www.example.com and mail.example.com are subdomains.
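The three search scopes listed above (apex only, subdomains only, both), as an added example that is not part of the Iris Investigate product or this page's own material. It reduces each Query-column value to its apex and then filters by scope. The tiny `MULTI_LABEL_SUFFIXES` set is a constructed stand-in for the Public Suffix List, included only to show why "last two labels" is not always the apex (example.co.uk); a real tool should load the full list. The sample names and function names are assumptions for illustration.

```python
from typing import List

# Constructed stand-in for the Public Suffix List (publicsuffix.org). A real
# implementation should load the full list; these entries only show why
# "last two labels" is not always the apex.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed Query-column values (not real data).
SAMPLE_QUERIES = [
    "example.com",
    "www.example.com",
    "mail.example.com",
    "example.com.other.net",   # substring-match trap: its apex is other.net
    "shop.example.co.uk",
]


def apex_of(fqdn: str) -> str:
    """Strip subdomain labels down to the registrable (apex) domain."""
    labels = fqdn.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len + 1:
        return ".".join(labels)  # already an apex (or a bare suffix)
    return ".".join(labels[-(suffix_len + 1):])


def filter_scope(queries: List[str], apex: str, scope: str) -> List[str]:
    """scope is 'apex', 'subdomains' or 'both', mirroring the panel's options."""
    if scope not in ("apex", "subdomains", "both"):
        raise ValueError(f"unknown scope: {scope}")
    apex = apex.lower().rstrip(".")
    kept = []
    for q in queries:
        name = q.lower().rstrip(".")
        if apex_of(name) != apex:
            continue  # different registrable domain, even if apex is a substring
        is_apex = name == apex
        if scope == "both" or (scope == "apex") == is_apex:
            kept.append(q)
    return kept


if __name__ == "__main__":
    for scope in ("apex", "subdomains", "both"):
        print(scope, filter_scope(SAMPLE_QUERIES, "example.com", scope))
```

Note that `example.com.other.net` is excluded in every scope even though it contains `example.com`; matching on the computed apex rather than on a substring or suffix is what keeps look-alike names out of a pivot.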
Send results to Pivot Engine
To send pDNS results to the Pivot Engine:
- In the pDNS panel, locate the Send domain results to pivot engine button.
- Select Send domain results to pivot engine.
- The domains from your pDNS results populate the Pivot Engine.
You can then modify or restart your search using pivots on the transferred results.
Flexible/regex search
For pattern-based domain discovery using regular expressions, see Flexible Search.
See also
- Domain Profile: Current domain snapshot
- IP Panels: IP address details and tools
- Flexible Search: Pattern-based domain discovery
- Domain History: Track changes over time