Information, OpenSourceSoftware, passivedns, Security

Passive DNS and PassiveDNS/PRADS

For those of you not familiar with the concept of Passive DNS, there is lots of material about it on the intertubes…

Just some of the links:
Some use cases:
A public passive DNS DB:
Or just click here:

I have not found any good tools yet that let you build your own passive DNS DB, so I have started to walk down that path…
First off, I have coded a DNS sniffer (passivedns) and ported the same functionality over into PRADS. All code is in beta at the moment.

I am announcing this release so that, if anyone is interested, I can take input on the output format 🙂
My first tests show that the passive DNS data collected on even a small network is too much… My plan is to implement an in-memory “state” so that it doesn't print the same record more than X times over a time interval (say, if a record stays the same, print it only once a day, but if it changes, print it immediately). When that is done, I'll write a parser to feed it into a DB and a query tool to fetch passive DNS records on request.
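As an added illustration (not code from passivedns or PRADS), here is the in-memory “state” sketched above in Python: a (query, type, answer) tuple is printed when first seen, suppressed for the rest of the interval, and a changed answer is a new tuple that is printed immediately. The record layout and the sample observations are assumptions.

```python
import time
from dataclasses import dataclass

DAY = 86400  # default print interval: an unchanged record is emitted once a day


@dataclass
class Entry:
    first_seen: float    # when this (qname, rtype, answer) tuple was first observed
    last_seen: float     # most recent observation
    last_printed: float  # when it was last emitted
    count: int = 1       # observations since first_seen


class PassiveDnsState:
    """Dedup state: emit a tuple on first sight, then at most once per interval.
    A different answer for the same qname/rtype is a new key, so it is emitted at once."""

    def __init__(self, interval=DAY):
        self.interval = interval
        self.entries = {}

    def observe(self, qname, rtype, answer, now=None):
        """Record one decoded answer RR. Returns the record to print, or None."""
        now = time.time() if now is None else now
        key = (qname.lower().rstrip("."), rtype.upper(), answer)  # normalise name/type
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = e = Entry(now, now, now)
        else:
            e.count += 1
            e.last_seen = now
            if now - e.last_printed < self.interval:
                return None  # same record, still inside the interval: suppressed
            e.last_printed = now
        return (*key, e.first_seen, e.last_seen, e.count)


# Constructed sample stream: (seconds, qname, rtype, answer)
SAMPLE = [
    (0,     "www.example.com.", "A", "192.0.2.10"),
    (3600,  "www.example.com.", "A", "192.0.2.10"),  # repeat within a day: suppressed
    (7200,  "www.example.com.", "A", "192.0.2.20"),  # changed answer: emitted immediately
    (90000, "www.example.com.", "A", "192.0.2.10"),  # over a day since last print: emitted
    (90001, "WWW.EXAMPLE.COM",  "a", "192.0.2.10"),  # case/trailing dot collapse: suppressed
]


def run_sample(interval=DAY):
    state = PassiveDnsState(interval)
    return [r for r in (state.observe(q, t, a, now=s) for s, q, t, a in SAMPLE) if r]
```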

Feedback is always welcome!


4 thoughts on “Passive DNS and PassiveDNS/PRADS”

  1. Bryan N says:

    Potentially very handy tool. Are there any plans to have an option to print all DNS queries (like httpry but for DNS),

    i.e. replacing the “hostname” placeholder with the actual ip of the device making the DNS query?



    • One of my goals with the post was to get some feedback on what information people think should be in the output format. ATM, getting the query_src_ip is not trivial, but getting the dst_ip is (the IP the server sends the DNS reply to). In most common cases, the dst_ip should be the same as query_src_ip. But all this is spoofable, so one needs to build in (at least) some basic UDP-session tracking (a client needs to ask for a record before the server sends the answer to it). Great input Bryan. Thanks.


  2. potato: If you could make them public, that would be great. Maybe post them on the Bro email list (I'm also there). But yes, I would be interested in such 🙂 The thing with a small app that just does passivedns is that you don't have to install “too much” for a simple thing. I know some CERTs that would love this tool, but cannot implement Bro, as Bro has functions that the CERT would have problems explaining to legal people etc.

