PT0-002 | Chapter 39 of 104 | Objective 2.1

Passive DNS Reconnaissance Techniques

This chapter covers passive DNS reconnaissance techniques, a critical skill for the Reconnaissance and Enumeration domain of the PT0-002 exam. Passive DNS allows penetration testers to gather historical DNS data about a target without directly querying the target's infrastructure, reducing the risk of detection. Approximately 10-15% of exam questions touch on DNS reconnaissance, and understanding passive methods is essential for both the multiple-choice and performance-based sections. You will learn how to leverage public passive DNS databases, interpret the data, and apply the findings to map attack surfaces effectively.

25 min read
Intermediate
Updated May 31, 2026

Passive DNS as a Library Card Catalog

Imagine a vast public library where every book ever published is cataloged, but the catalog is not a single book—it's a massive, distributed set of index cards spread across thousands of libraries worldwide. Each time a patron checks out a book, the librarian writes down the patron's name, the book title, and the date. Over time, these records accumulate. Now, you are a detective investigating who has been reading books about 'explosives' and 'lock-picking'. You cannot ask the librarians directly (that would be active reconnaissance and alert them). Instead, you visit the library's discarded, publicly available checkout logs that were accidentally left in the recycling bin. These logs show every book ever checked out, but they are not in perfect order—some cards are missing, some are duplicates, and the dates might be slightly off. You piece together a timeline of when certain books were popular and which patrons were interested in which topics. This is passive DNS reconnaissance: you collect historical DNS resolution data from public sources (like passive DNS databases) without ever querying the target's own DNS servers. You see the 'checkout records' of domain-to-IP mappings over time—when a domain resolved to an IP, for how long, and what other domains shared that IP. You never touch the target's infrastructure; you only analyze the historical traces left in third-party databases. The analogy breaks down in that the library card catalog is centralized, whereas passive DNS data is aggregated from multiple sources (sensor networks, recursive resolvers) and is often incomplete or delayed. But the core idea holds: you are analyzing historical artifacts, not making active queries.

How It Actually Works

What is Passive DNS Reconnaissance?

Passive DNS (pDNS) reconnaissance is the process of collecting and analyzing DNS resolution data from third-party sources without sending any queries to the target's own DNS servers. Unlike active DNS reconnaissance (e.g., direct queries, zone transfers, brute-force subdomain enumeration), passive DNS relies on historical records captured by sensors deployed across the internet. These sensors, often placed at recursive resolvers or authoritative name servers, log DNS queries and responses. The aggregated data is then made available through public or commercial databases (e.g., VirusTotal, CIRCL, PassiveTotal, SecurityTrails). For the PT0-002 exam, you must understand how to access these databases, interpret the results, and use them to identify subdomains, IP addresses, and infrastructure relationships without alerting the target.

How Passive DNS Works Internally

Passive DNS operates on a simple principle: collect, store, and query. The data collection phase involves sensors that capture DNS traffic. These sensors are typically deployed at strategic points in the network, such as:

- Recursive resolvers: Sensors log queries that pass through the resolver.
- Authoritative name servers: Sensors log responses from the authoritative server.
- Network taps: Sensors capture DNS traffic at internet exchange points or large network backbones.

Each DNS query or response is logged with metadata: timestamp, source IP (if available), queried domain, record type (A, AAAA, MX, NS, etc.), response data (IP address, canonical name, etc.), and sometimes the DNS server that provided the answer. The logs are then normalized and stored in a database. When a penetration tester queries a passive DNS database for a domain (e.g., example.com), the database returns all historical records that match that domain, along with the first seen and last seen timestamps. This allows the tester to see:

All IP addresses the domain has resolved to over time.

All subdomains that have been queried (e.g., mail.example.com, www.example.com).

Other domains that share the same IP address (indicating co-hosting or shared infrastructure).

Changes in DNS records over time (e.g., when a domain switched from one IP to another).

Key Components, Values, Defaults, and Timers

- Record Types: Passive DNS databases support various DNS record types. The most common for reconnaissance are:
  - A/AAAA: IPv4/IPv6 addresses. Critical for identifying web servers, mail servers, etc.
  - CNAME: Canonical name records. Reveal aliases and CDN usage.
  - MX: Mail exchange records. Identify email servers.
  - NS: Name server records. Identify DNS hosting providers.
  - TXT: Text records. Often contain SPF, DKIM, DMARC, or verification strings.
- Timestamps: Each record includes first_seen and last_seen timestamps. The granularity varies by provider (e.g., daily, hourly). The PT0-002 exam may test your ability to interpret these timestamps to determine when a service was active.
- TTL: Some passive DNS databases also include the TTL value from the original DNS response. This can help identify if a domain uses short TTLs (e.g., for load balancing) or long TTLs (e.g., static infrastructure).
- Sensors: The number and placement of sensors affect data completeness. Commercial databases like PassiveTotal have thousands of sensors; open-source databases like CIRCL have fewer. The exam may ask about the limitations of passive DNS data, such as incomplete coverage or delayed updates.
- APIs: Most passive DNS providers offer RESTful APIs. For example, the CIRCL passive DNS API endpoint is https://www.circl.lu/pdns/query/<domain>. The PT0-002 exam does not require memorizing specific API syntax, but you should know that such APIs exist and can be used to automate queries.

Configuration and Verification Commands

While passive DNS is primarily a web-based or API-driven technique, some tools integrate passive DNS lookups. For example:

- dnsrecon: Supports passive DNS via Google (though this is limited).
- theHarvester: Can query passive DNS sources like Baidu, Google, and Bing.
- Amass: Has built-in support for multiple passive DNS sources (e.g., AlienVault, Censys, CertSpotter).

Example using curl to query the CIRCL passive DNS API:

curl -s -u '<username>:<password>' https://www.circl.lu/pdns/query/example.com | jq .

This returns a JSON array of records. For the exam, you don't need to know exact API keys, but you should understand the concept of authenticated API access.
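The curl command above hands the raw response to jq; the step after that is normalizing it into records with first_seen and last_seen dates you can reason about. The following Python is an added example, not code from this chapter or from CIRCL. It assumes the field names of the passive DNS Common Output Format that CIRCL returns (rrname, rrtype, rdata, time_first, time_last, count, with epoch-second timestamps); the sample response is constructed. The parser accepts either a JSON array or one JSON object per line, so it works whichever shape a provider returns, and active_on answers the "was this service active on date X" question the exam likes to ask.

```python
"""Normalize passive DNS API output (JSON array or newline-delimited JSON) into records."""
import base64
import json
import urllib.request
from datetime import datetime, timezone

CIRCL_PDNS = "https://www.circl.lu/pdns/query/"  # endpoint named in the chapter

# Constructed response text (not real CIRCL output). Field layout assumed here:
# rrname / rrtype / rdata / time_first / time_last / count, timestamps in epoch seconds.
SAMPLE_NDJSON = """\
{"rrname": "example.com", "rrtype": "A", "rdata": "203.0.113.1", "time_first": 1577836800, "time_last": 1704067200, "count": 4821}
{"rrname": "www.example.com", "rrtype": "CNAME", "rdata": "example-cdn.examplecdn.net", "time_first": 1640995200, "time_last": 1704067200, "count": 912}
{"rrname": "dev.example.com", "rrtype": "A", "rdata": "198.51.100.10", "time_first": 1677628800, "time_last": 1701388800, "count": 3}
"""
# The same three records wrapped as a JSON array, as other providers return them.
SAMPLE_ARRAY = "[" + ",".join(SAMPLE_NDJSON.strip().splitlines()) + "]"


def _to_date(value):
    """Accept epoch seconds (CIRCL) or an ISO-8601 string (other providers); return YYYY-MM-DD."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc).date().isoformat()
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).date().isoformat()


def parse_pdns(text):
    """Return normalized records whether the body is a JSON array or one object per line."""
    text = text.strip()
    if not text:
        return []
    if text.startswith("["):
        raw = json.loads(text)
    else:
        raw = [json.loads(line) for line in text.splitlines() if line.strip()]
    records = []
    for item in raw:
        records.append({
            "name": item["rrname"].rstrip("."),      # strip the trailing dot of FQDNs
            "type": item["rrtype"],
            "value": item["rdata"].rstrip("."),
            "first_seen": _to_date(item["time_first"]),
            "last_seen": _to_date(item["time_last"]),
            "count": item.get("count", 0),           # number of observations, if provided
        })
    return records


def active_on(records, day):
    """Records whose first_seen..last_seen window covers the given YYYY-MM-DD."""
    # ISO dates compare correctly as strings, so no datetime parsing is needed here.
    return [r for r in records if r["first_seen"] <= day <= r["last_seen"]]


def fetch_circl(domain, username, password, timeout=30):
    """Authenticated query equivalent to the curl command above. Not called in this offline example."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(CIRCL_PDNS + domain, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_pdns(resp.read().decode())


if __name__ == "__main__":
    recs = parse_pdns(SAMPLE_NDJSON)
    for r in recs:
        print(f"{r['name']:<18} {r['type']:<6} {r['value']:<28} {r['first_seen']} .. {r['last_seen']}")
    print("active on 2021-06-15:", [r["name"] for r in active_on(recs, "2021-06-15")])
```

Because the normalized records carry plain YYYY-MM-DD strings, the same output can be fed into whatever analysis you do next without caring which provider produced it.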

Interaction with Related Technologies

Passive DNS is often used in conjunction with:

- Certificate Transparency (CT) logs: CT logs provide SSL/TLS certificate issuance records, which often contain domain names and subdomains. Combining passive DNS with CT log data gives a more complete picture of a target's web presence.
- WHOIS: WHOIS records provide domain registration details. Passive DNS can reveal IP history, which may help identify domains registered by the same entity.
- Reverse IP lookups: Given an IP address, passive DNS can show all domains that have resolved to that IP. This is useful for identifying virtual hosts on shared hosting.
- Threat intelligence platforms: Passive DNS is a core component of many threat intelligence feeds. For example, if a domain resolves to a known malicious IP, passive DNS can show when the association began.

Limitations of Passive DNS

Incomplete data: Not all DNS queries are captured. Sensors may miss traffic from certain regions or networks.

Delayed updates: There is a lag between when a DNS change occurs and when it appears in passive DNS databases. This can be hours to days.

False positives: A domain may have resolved to an IP for a brief period due to a misconfiguration or test. Historical records may show that IP even if it is no longer relevant.

Privacy concerns: Some passive DNS providers anonymize source IPs or limit access to vetted researchers. The exam may test your understanding of these limitations.

Step-by-Step: Performing Passive DNS Reconnaissance

1. Identify Target Domain(s): Start with the root domain of the target organization (e.g., example.com). This is the starting point for all DNS reconnaissance.

2. Query Passive DNS Databases: Use a passive DNS provider (e.g., SecurityTrails, PassiveTotal, CIRCL) to retrieve all historical records for the target domain. Look for A, AAAA, CNAME, MX, and NS records. Note the first and last seen timestamps.

3. Extract Subdomains: From the records, extract all unique subdomains (e.g., mail.example.com, www.example.com, admin.example.com). These are potential attack surfaces.

4. Identify IP Addresses: For each subdomain, note the IP addresses it has resolved to. Multiple subdomains sharing the same IP indicate that they are hosted on the same server.

5. Perform Reverse IP Lookups: For each IP address found, query the passive DNS database for all domains that have ever resolved to that IP. This reveals other domains hosted on the same server, which may belong to the same organization or be part of a shared hosting environment.

6. Analyze Timelines: Look for patterns in the timestamps. For example, if a domain suddenly resolves to a new IP and the old IP is no longer used, that may indicate a migration. If a subdomain appears only briefly, it may have been used for a test or a temporary service.

7. Correlate with Other Sources: Cross-reference the findings with CT logs, WHOIS records, and active DNS queries (if safe to do so) to validate and enrich the data.

Example Scenario

A penetration tester is assessing targetcorp.com. Using SecurityTrails, they query the domain and find the following records:

- targetcorp.com A record resolved to 203.0.113.1 (first seen: 2020-01-01, last seen: 2024-01-01).
- mail.targetcorp.com A record resolved to 203.0.113.2 (first seen: 2020-06-01, last seen: 2024-01-01).
- www.targetcorp.com CNAME record pointed to targetcorp-cdn.examplecdn.net (first seen: 2022-01-01, last seen: 2024-01-01).
- dev.targetcorp.com A record resolved to 198.51.100.10 (first seen: 2023-03-01, last seen: 2023-12-01).

From this, the tester learns:

The main website uses a CDN (CNAME to CDN provider).

The development subdomain dev.targetcorp.com was briefly active on a different IP, which may be a staging server.

The mail server is on a separate IP.

The tester then performs a reverse IP lookup on 198.51.100.10 and finds that it also hosts test.othercompany.com, suggesting a shared hosting environment. This information can be used to plan further attacks (e.g., testing for virtual host routing).
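The analysis steps 3 through 6 above (subdomain extraction, grouping by IP, reverse IP lookup, timeline reading) are mechanical once the records are in hand. The Python below is an added example, not code from this chapter or from any provider; it works over a constructed dataset that mirrors the scenario's four records plus three rows constructed here and not on the page: a second concurrent address for targetcorp.com (so the round-robin edge case from later in the chapter is exercised), an older mail.targetcorp.com address (so a migration shows up), and the test.othercompany.com hit that the reverse IP lookup on 198.51.100.10 produced.

```python
"""Passive DNS analysis over records shaped like the targetcorp.com scenario."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    first_seen: date
    last_seen: date

def rec(name, rtype, value, first, last):
    return Record(name, rtype, value, date.fromisoformat(first), date.fromisoformat(last))

# Constructed dataset: the four scenario records plus three constructed rows
# (second apex address, older mail address, and the reverse-IP hit on 198.51.100.10).
PDNS = [
    rec("targetcorp.com", "A", "203.0.113.1", "2020-01-01", "2024-01-01"),
    rec("targetcorp.com", "A", "203.0.113.3", "2020-01-01", "2024-01-01"),
    rec("mail.targetcorp.com", "A", "203.0.113.9", "2019-02-01", "2020-05-31"),
    rec("mail.targetcorp.com", "A", "203.0.113.2", "2020-06-01", "2024-01-01"),
    rec("www.targetcorp.com", "CNAME", "targetcorp-cdn.examplecdn.net", "2022-01-01", "2024-01-01"),
    rec("dev.targetcorp.com", "A", "198.51.100.10", "2023-03-01", "2023-12-01"),
    rec("test.othercompany.com", "A", "198.51.100.10", "2023-01-15", "2024-01-01"),
]

def in_scope(name, root):
    return name == root or name.endswith("." + root)

def subdomains(records, root):
    """Step 3: unique names below the root (the root itself is not a subdomain)."""
    return sorted({r.name for r in records if r.name.endswith("." + root)})

def hosts_by_ip(records):
    """Step 4: every address observed, with the names that resolved to it."""
    hosts = defaultdict(set)
    for r in records:
        if r.rtype in ("A", "AAAA"):
            hosts[r.value].add(r.name)
    return hosts

def reverse_ip(records, ip):
    """Step 5: all names that have ever resolved to the address."""
    return sorted(hosts_by_ip(records).get(ip, set()))

def co_hosted_third_parties(records, root):
    """Target addresses that also served names outside the target's domain (shared hosting)."""
    shared = {}
    for ip, names in hosts_by_ip(records).items():
        others = sorted(n for n in names if not in_scope(n, root))
        if others and len(others) < len(names):   # at least one target name AND one foreign name
            shared[ip] = others
    return shared

def _address_records_by_name(records):
    by_name = defaultdict(list)
    for r in records:
        if r.rtype in ("A", "AAAA"):
            by_name[r.name].append(r)
    for rs in by_name.values():
        rs.sort(key=lambda r: (r.first_seen, r.value))
    return by_name

def migrations(records):
    """Step 6: the old address stopped being seen before the new one appeared -> likely a move."""
    found = []
    for name, rs in _address_records_by_name(records).items():
        for old, new in zip(rs, rs[1:]):
            if old.last_seen < new.first_seen:
                found.append((name, old.value, new.value, new.first_seen.isoformat()))
    return found

def round_robin(records):
    """Edge case: overlapping observation windows mean concurrent addresses, not a migration."""
    concurrent = {}
    for name, rs in _address_records_by_name(records).items():
        for a, b in zip(rs, rs[1:]):
            if a.last_seen >= b.first_seen:
                concurrent.setdefault(name, set()).update({a.value, b.value})
    return {n: sorted(v) for n, v in concurrent.items()}

def no_longer_seen(records, as_of):
    """Names with no record observed on or after as_of (YYYY-MM-DD): retired or temporary hosts."""
    cutoff = date.fromisoformat(as_of)
    latest = {}
    for r in records:
        latest[r.name] = max(latest.get(r.name, date.min), r.last_seen)
    return sorted(n for n, d in latest.items() if d < cutoff)

def cname_targets(records, root):
    """CNAME aliases under the root, e.g. the CDN the main site sits behind."""
    return {r.name: r.value for r in records if r.rtype == "CNAME" and in_scope(r.name, root)}

if __name__ == "__main__":
    root = "targetcorp.com"
    print("subdomains:", subdomains(PDNS, root))
    print("cnames:", cname_targets(PDNS, root))
    print("reverse 198.51.100.10:", reverse_ip(PDNS, "198.51.100.10"))
    print("shared with third parties:", co_hosted_third_parties(PDNS, root))
    print("migrations:", migrations(PDNS), "round-robin:", round_robin(PDNS))
    print("no longer seen as of 2024-01-01:", no_longer_seen(PDNS, "2024-01-01"))
```

Note that no_longer_seen treats a name as retired only when all of its records have gone quiet: mail.targetcorp.com has an old address that disappeared in 2020, but its current address is still being observed, so only dev.targetcorp.com is reported, which matches the scenario's reading of the data.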

Walk-Through

1. Identify Target Domain

Begin with the root domain of the target organization, e.g., `example.com`. This is the starting point for all DNS reconnaissance. Ensure you have the correct domain; typos or variations may lead to irrelevant data. For the PT0-002 exam, you may be given a domain and asked to perform passive DNS analysis. Always confirm the domain is the primary domain of the target.

2. Query Passive DNS Databases

Use a passive DNS provider such as SecurityTrails, PassiveTotal, or CIRCL. Query the target domain to retrieve all historical DNS records. The response typically includes record type, value (IP or CNAME target), first seen, and last seen timestamps. For example, querying `example.com` may return multiple A records showing IP changes over time. Note that some providers require authentication or API keys.

3. Extract Subdomains

From the query results, extract all unique subdomains (e.g., `mail.example.com`, `www.example.com`, `admin.example.com`). These represent potential attack surfaces. Pay attention to subdomains that appear only briefly or have unusual names (e.g., `test`, `dev`, `staging`). The exam may ask you to identify subdomains from a passive DNS output.

4. Identify IP Addresses

For each subdomain, note the IP addresses it has resolved to. Multiple subdomains sharing the same IP indicate they are hosted on the same server. This is useful for identifying server consolidation or shared hosting. Also note the timestamps: if a subdomain changed IPs, it might indicate a migration or load balancing.

5. Perform Reverse IP Lookups

For each IP address found, query the passive DNS database for all domains that have ever resolved to that IP. This reveals other domains hosted on the same server, which may belong to the same organization or be part of a shared hosting environment. Reverse IP lookups can uncover additional targets for testing.

6. Analyze Timelines and Correlate

Look for patterns in the timestamps. For example, if a domain suddenly resolves to a new IP and the old IP is no longer used, that may indicate a migration. If a subdomain appears only briefly, it may have been used for a test or a temporary service. Cross-reference findings with CT logs and WHOIS to validate and enrich the data. This step helps build a comprehensive attack surface map.

What This Looks Like on the Job

In a typical penetration test for a large enterprise, passive DNS reconnaissance is one of the first steps during the reconnaissance phase. For example, a tester targeting a financial institution might start with the root domain bigbank.com. Using SecurityTrails, they query the domain and find that the main website resolves to a CDN IP (e.g., 151.101.1.1) via a CNAME to bigbank.cdn.cloudflare.net. They also discover subdomains like mobile.bigbank.com (hosting a mobile banking portal) and api.bigbank.com (hosting REST APIs). The passive DNS data shows that api.bigbank.com previously resolved to an internal IP range (e.g., 10.0.0.0/8) during a development phase, indicating that the API was once internally hosted before moving to the cloud. This historical data gives the tester insight into the organization's infrastructure evolution.

Another common scenario is during red team operations where stealth is paramount. The team uses passive DNS to identify all subdomains without alerting the target's DNS servers. For instance, they query CIRCL's passive DNS database for target.org and find a subdomain vpn.target.org that resolved to a public IP 203.0.113.5. A reverse IP lookup on that IP reveals it also hosts remote.target.com, suggesting that the organization uses a shared VPN concentrator. This allows the red team to focus their efforts on that specific IP for potential VPN vulnerabilities.

In a cloud migration assessment, passive DNS can reveal shadow IT or forgotten assets. A company might have moved all services to AWS, but passive DNS shows that old-app.company.com still resolves to an on-premises IP that is no longer maintained. This is a classic example of an attack surface that the organization is unaware of. The tester reports this as a high-risk finding.

Performance considerations: Passive DNS databases are large and queries can be slow. Commercial providers offer faster APIs but may have rate limits. Open-source databases like CIRCL are free but have less coverage. A common mistake is to rely solely on passive DNS and miss subdomains that were never queried (i.e., never seen by sensors). For example, a subdomain that only receives internal traffic may never appear in passive DNS. Therefore, passive DNS should be complemented with active techniques when stealth is not required.

How PT0-002 Actually Tests This

The PT0-002 exam tests passive DNS reconnaissance under Objective 2.1 (Given a scenario, perform passive reconnaissance). Specifically, you should be able to:

Identify appropriate passive DNS sources (e.g., VirusTotal, SecurityTrails, PassiveTotal, CIRCL).

Interpret passive DNS output, including record types, timestamps, and IP addresses.

Differentiate between passive and active DNS techniques.

Understand the limitations: incomplete data, delayed updates, and privacy concerns.

Use passive DNS in conjunction with other sources like CT logs and WHOIS.

Common wrong answers on the exam:

1. Confusing passive DNS with active DNS zone transfer: Zone transfer is an active technique that directly queries the authoritative name server. Passive DNS never touches the target's servers. A common trap question asks 'Which technique uses historical DNS data without querying the target?' The wrong answer is 'zone transfer' because it involves querying the authoritative server.

2. Assuming passive DNS is real-time: Passive DNS data is historical and can be hours or days old. Candidates often choose 'real-time DNS lookup' as an answer, but that is active. The exam may present a scenario where a tester needs current DNS data; passive DNS would not be suitable.

3. Overlooking the need for authentication: Some passive DNS providers require an API key or account. A question might ask 'Which of the following is required to query CIRCL passive DNS?' The answer is 'authentication credentials'.

4. Mistaking passive DNS for reverse DNS: Reverse DNS (PTR records) is a different concept. Passive DNS can show reverse lookups only if the data was captured. The exam may have a distractor that says 'passive DNS uses PTR records'—that is false.

Specific numbers and terms:

The terms 'first_seen' and 'last_seen' appear verbatim in output examples.

Common record types: A, AAAA, CNAME, MX, NS, TXT.

Providers: CIRCL (free), PassiveTotal (commercial), SecurityTrails (commercial), VirusTotal (free tier).

API endpoints: e.g., https://www.circl.lu/pdns/query/<domain>.

Edge cases:

A domain may have multiple A records at the same time (round-robin). Passive DNS shows all of them.

CNAME records may point to a domain that no longer exists. The historical record remains.

Private IP addresses (RFC 1918) may appear if the DNS response was captured internally, but most passive DNS databases filter them out.

How to eliminate wrong answers: Focus on the key distinction: passive vs. active. If the technique involves sending packets to the target's infrastructure, it is active. If it relies on third-party historical data, it is passive. Also, remember that passive DNS cannot discover subdomains that were never queried by any client whose traffic was captured by sensors.

Key Takeaways

Passive DNS reconnaissance uses historical DNS data from third-party sensors without querying the target.

Common passive DNS sources include CIRCL, PassiveTotal, SecurityTrails, and VirusTotal.

Passive DNS records include type, value, first_seen, and last_seen timestamps.

Passive DNS can reveal subdomains, IP history, and co-hosted domains via reverse IP lookups.

Limitations: incomplete coverage, delayed updates, and no access to internal-only subdomains.

Passive DNS is a stealthy technique suitable for red team operations where detection must be avoided.

Combine passive DNS with CT logs and WHOIS for a more complete reconnaissance picture.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Passive DNS Reconnaissance

No direct queries to target's DNS servers; uses third-party historical data.

Stealthy; does not alert the target.

Data may be incomplete or outdated (hours to days old).

Can reveal historical IP changes and co-hosted domains.

Relies on external databases (e.g., CIRCL, SecurityTrails).

Active DNS Reconnaissance

Directly queries target's DNS servers (e.g., nslookup, dig, zone transfer).

Can be detected by the target (e.g., DNS logs).

Provides real-time, current DNS data.

Cannot see historical records unless the target's DNS server logs are accessible.

Uses standard DNS tools and protocols.

Watch Out for These

Mistake

Passive DNS is real-time and always current.

Correct

Passive DNS data is historical. There is a delay (hours to days) between when a DNS change occurs and when it appears in passive databases. It is not suitable for real-time monitoring.

Mistake

Passive DNS can discover all subdomains of a domain.

Correct

Passive DNS only shows subdomains that have been queried by clients whose traffic was captured by sensors. Subdomains that are never queried externally (e.g., internal-only) will not appear.

Mistake

Passive DNS is the same as a DNS zone transfer.

Correct

A zone transfer is an active query to the authoritative name server that requests all records. Passive DNS collects data from third-party sensors without contacting the target's servers.

Mistake

Passive DNS databases contain only A records.

Correct

Passive DNS databases store all observed DNS record types, including A, AAAA, CNAME, MX, NS, TXT, and more.

Mistake

Passive DNS is completely free and unlimited.

Correct

Some passive DNS providers offer free tiers with limited queries or data, while others require a paid subscription. Access may also require authentication.


Frequently Asked Questions

What is passive DNS and how does it differ from active DNS?

Passive DNS collects historical DNS resolution data from third-party sensors without querying the target's own DNS servers. Active DNS involves directly querying the target's DNS servers (e.g., using nslookup or dig). Passive DNS is stealthy but may have outdated or incomplete data, while active DNS provides real-time results but can be detected.

Which passive DNS sources are commonly used in penetration testing?

Common sources include CIRCL (free, open-source), PassiveTotal (commercial, now part of Recorded Future), SecurityTrails (commercial), and VirusTotal (free tier with DNS history). Each has different coverage and API capabilities.

Can passive DNS discover all subdomains of a target domain?

No. Passive DNS only shows subdomains that have been queried by clients whose traffic was captured by sensors. Subdomains that are never queried externally (e.g., internal-only services) will not appear. It is best used in combination with active techniques.

How do I perform a reverse IP lookup using passive DNS?

Query the passive DNS database for a specific IP address to retrieve all domains that have ever resolved to that IP. For example, using CIRCL: `curl -s -u '<user>:<pass>' https://www.circl.lu/pdns/query/203.0.113.1` returns a list of domains.

What information does a passive DNS record typically contain?

A passive DNS record typically includes the domain name, record type (A, AAAA, CNAME, etc.), the value (IP or target), first seen timestamp, last seen timestamp, and sometimes the TTL. Some providers also include the sensor count or count of observations.

Is passive DNS data always accurate?

No. Data can be incomplete due to limited sensor coverage, delayed due to processing time, or contain false positives (e.g., a domain briefly resolving to an IP due to a test). Always cross-reference with other sources.

Does the PT0-002 exam require memorizing specific passive DNS API endpoints?

No, but you should be familiar with the concept that passive DNS databases have APIs and that some require authentication. The exam may present a scenario where you choose the correct tool or source for passive reconnaissance.
