{
	"id": "cfb69577-4af6-4af4-a1c5-a501b2bfa6c1",
	"created_at": "2026-04-06T01:30:15.55Z",
	"updated_at": "2026-04-10T03:21:49.538439Z",
	"deleted_at": null,
	"sha1_hash": "b63ec1d08a66f06ea48aea49ad0f6585e80401e9",
	"title": "Passive DNS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105923,
	"plain_text": "Passive DNS\r\nArchived: 2026-04-06 01:11:18 UTC\r\nPassive DNS version 2.0\r\nCIRCL Passive DNS is a database that stores historical DNS records from various resources, including malware\r\nanalysis and partners. The DNS historical data is indexed, making it searchable for incident handlers, security\r\nanalysts, or researchers.\r\nIn November 2023, CIRCL released version 2.0 of its Passive DNS service. The new version is backward-compatible with the previous 1.0 version. The output format remains Passive DNS - Common Output Format, and\r\nthe query interface is similar. New headers were introduced to support some new functionalities, including\r\nfiltering and pagination. If no headers are set, the Passive DNS API falls back to the previous 1.0 version’s\r\nbehavior.\r\nAccess to CIRCL Passive DNS\r\nAccess to CIRCL Passive DNS is restricted to trusted partners both in Luxembourg and abroad. If you are\r\ninterested in gaining access, please contact us and provide details about your affiliation and the intended use of the\r\nPassive DNS data.\r\nAPI documentation\r\nHow to Use the Service\r\nCIRCL Passive DNS is accessible via a REST API, and the output format is in JSON following the Passive DNS -\r\nCommon Output Format.\r\nThe REST API is accessible via the following URL:\r\nhttps://www.circl.lu/pdns/query/\u003cqueryvalue\u003e\r\nQuery values can be any records such as IP addresses, hostnames, or domain names (please note that CIDR block\r\nqueries are not supported).\r\nhttps://www.circl.lu/services/passive-dns/\r\nPage 1 of 5\n\nFor example:\r\nhttps://www.circl.lu/pdns/query/circl.lu\r\n1{\"rrtype\": \"A\", \"rrname\": \"185.194.93.14\", \"rdata\": \"circl.lu\", \"count\": \"19\", \"time_first\": \"169679\r\n2{\"rrtype\": \"AAAA\", \"rrname\": \"2a00:5980:93::14\", \"rdata\": \"circl.lu\", \"count\": \"18\", \"time_first\":\r\n3{\"rrtype\": \"MX\", \"rrname\": \"10 cppy.circl.lu\", \"rdata\": \"circl.lu\", \"count\": \"149\", \"time_first\": \"1\r\n4{\"rrtype\": \"NS\", \"rrname\": \"ns1.eurodns.com\", \"rdata\": \"circl.lu\", \"count\": \"5\", \"time_first\": \"1696\r\n5{\"rrtype\": \"NS\", \"rrname\": \"ns2.eurodns.com\", \"rdata\": \"circl.lu\", \"count\": \"5\", \"time_first\": \"1696\r\n6{\"rrtype\": \"NS\", \"rrname\": \"ns3.eurodns.com\", \"rdata\": \"circl.lu\", \"count\": \"5\", \"time_first\": \"1696\r\n7{\"rrtype\": \"NS\", \"rrname\": \"ns4.eurodns.com\", \"rdata\": \"circl.lu\", \"count\": \"5\", \"time_first\": \"1696\r\n8{\"rrtype\": \"SOA\", \"rrname\": \"ns1.eurodns.com hostmaster.eurodns.com 2023091306 43200 7200 1209600 86\r\ndribble-disable-active-query\r\nWhen the dribble-disable-active-query header is set, it is used to disable the active query resolver, which is\r\nenabled by default in CIRCL Passive DNS version 2. The value is discarded, as only the presence of the header is\r\nchecked.\r\ndribble-filter-rrtype\r\ndribble-filter-rrtype is used to filter query on the Passive DNS for specific rrtype.\r\nExample query\r\n1curl -H 'dribble-filter-rrtype: SOA' https://www.circl.lu/pdns/query/circl.lu\r\n1{\"rrtype\": \"SOA\", \"rrname\": \"ns1.eurodns.com hostmaster.eurodns.com 2023091306 43200 7200 1209600 86\r\ndribble-paginate-count\r\nIf a maxset error is return, the return set is limited to the maximum number of elements. To get all the values,\r\npagination is required. The dribble-paginate-count set the number of element to return.\r\nExample query\r\n1curl -H 'dribble-paginate-count: 5' -H 'dribble-filter-rrtype: SOA' https://www.circl.lu/pdns/query/\r\n1\r\n2{\"rrtype\": \"SOA\", \"rrname\": \"a.gtld-servers.net nstld.verisign-grs.COM 1696809892 1800 900 604800 86\r\n3{\"rrtype\": \"SOA\", \"rrname\": \"a.gtld-servers.net nstld.verisign-grs.COM 1696811412 1800 900 604800 86\r\n4{\"rrtype\": \"SOA\", \"rrname\": \"a.gtld-servers.net nstld.verisign-grs.COM 1696816592 1800 900 604800 86\r\n5{\"rrtype\": \"SOA\", \"rrname\": \"a.gtld-servers.net nstld.verisign-grs.COM 1696818272 1800 900 604800 86\r\nhttps://www.circl.lu/services/passive-dns/\r\nPage 2 of 5\n\n6{\"rrtype\": \"SOA\", \"rrname\": \"a.gtld-servers.net nstld.verisign-grs.COM 1696820712 1800 900 604800 86\r\n7\r\n### dribble-paginate-cursor\r\nExample query\r\n1curl -H 'dribble-paginate-count: 25' -H 'dribble-filter-rrtype: CNAME' -H 'dribble-paginate-cursor:\r\n 1HTTP/1.1 200 OK\r\n 2date: Sat, 21 Oct 2023 15:42:30 GMT\r\n 3content-type: application/x-ndjson\r\n 4server: dribble\r\n 5x-dribble-errors: []\r\n 6x-dribble-cursor: 7443482523371700254\r\n 7content-length: 4591\r\n 8\r\n 9{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.cthiinspectors.com\", \"count\": \"1\", \"t\r\n10{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.d1bproductions.com\", \"count\": \"2\", \"t\r\n11{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.dailystrange.com\", \"count\": \"1\", \"tim\r\n12{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.davisdanceco.com\", \"count\": \"1\", \"tim\r\n13{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.debarelli.com\", \"count\": \"1\", \"time_f\r\n14{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.depakhuys.com\", \"count\": \"1\", \"time_f\r\n15{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.dmr4u.com\", \"count\": \"1\", \"time_first\r\n16{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.dofbot.com\", \"count\": \"1\", \"time_firs\r\n17{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.dpmonksfinance.com\", \"count\": \"1\", \"t\r\n18{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.dr-buba-best-traditional-healer.com\"\r\n19{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.dukecityriderz.com\", \"count\": \"1\", \"t\r\n20{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.eaglemedicinepsychicreadings.com\", \"c\r\n21{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.eroticescortdirectory.com\", \"count\":\r\n22{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.europeanfutsal.com\", \"count\": \"1\", \"t\r\n23{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.everythingbeautyskin.com\", \"count\":\r\n24{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.ewp-usa.com\", \"count\": \"1\", \"time_fi\r\n25{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.fabricatorindia.com\", \"count\": \"1\",\r\n26{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.feelingsunfolding.com\", \"count\": \"1\"\r\n27{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.fineartfirm.com\", \"count\": \"1\", \"time\r\n28{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.fivestarluxurytravel.com\", \"count\":\r\n29{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.fpm-su.com\", \"count\": \"1\", \"time_firs\r\n30{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.fultontransit.com\", \"count\": \"1\", \"ti\r\n31{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.futuramarge.com\", \"count\": \"1\", \"time\r\n32{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.higherground.ai\", \"count\": \"3\", \"time\r\n33{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"af.parkwayresort.ca\", \"count\": \"2\", \"tim\r\n34\r\nx-dribble-cursor\r\nhttps://www.circl.lu/services/passive-dns/\r\nPage 3 of 5\n\nWhen pagination is enabled, the Passive DNS server returns the cursor for the next page, which can be set using\r\ndribble-paginate-cursor .\r\nError codes\r\nErrors are returned in the x-dribble-errors header in JSON format.\r\nmaxset error type\r\nThe “maxset” error type indicates that the request is limited due to multiple existing records. This suggests the\r\nneed to start paginating to retrieve the complete set of records.\r\nx-dribble-errors: [{\"error\": \"maxset\", \"record\": \"cdn1.wixdns.net\", \"value\": 1000, \"rrtype\": \"CNAME\", \"total_va\r\nExample query and returned headers\r\n1curl -si https://www.circl.lu/pdns/query/cdn1.wixdns.net\r\n 1HTTP/1.1 200 OK\r\n 2date: Sat, 21 Oct 2023 16:03:14 GMT\r\n 3content-type: application/x-ndjson\r\n 4server: dribble\r\n 5x-dribble-errors: [{\"error\": \"maxset\", \"record\": \"cdn1.wixdns.net\", \"value\": 1000, \"rrtype\": \"CNAME\r\n 6content-length: 151885\r\n 7\r\n 8{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"2022photos.bostonkeygala.com\", \"count\":\r\n 9{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"aa.akasakachurch.com\", \"count\": \"3\", \"ti\r\n10{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"aa.bayphoenixstudios.com\", \"count\": \"2\"\r\n11{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"aa.canyonhillsptsa.com\", \"count\": \"1\",\r\n12{\"rrtype\": \"CNAME\", \"rrname\": \"cdn1.wixdns.net\", \"rdata\": \"aa.christinacollectionflooring.com\", \"co\r\nTools\r\nPython Library to access the CIRCL Passive DNS API\r\nWe developed a Python library called PyPDNS to query any Passive DNS - Common Output Format.\r\nRuby Library to access the CIRCL Passive DNS API\r\nPassiveDNS::Client is a rubygem developed by Chris Lee who includes access to different passive DNS services\r\nincluding CIRCL.\r\nScala library to access the CIRCL Passive DNS API\r\nhttps://www.circl.lu/services/passive-dns/\r\nPage 4 of 5\n\nScala library is a Scala implementation developed by Jason Jones.\r\nR Library to access the CIRCL Passive DNS API\r\nR Port of CIRCL.LU’s PyPDNS Python module.\r\nGo Language implementation to access the CIRCL Passive DNS API\r\nPassive DNS client for CIRCL PDNS Database - golang implementation\r\nC implementation to access the CIRCL and Farsight Security Passive DNS API\r\npure C implementation\r\nRevision\r\nVersion 1.0 - TLP:CLEAR - First version - 21st August 2014\r\nVersion 2.0 - TLP:CLEAR - Second version - 2nd November 2023\r\nSource: https://www.circl.lu/services/passive-dns/\r\nhttps://www.circl.lu/services/passive-dns/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.circl.lu/services/passive-dns/"
	],
	"report_names": [
		"passive-dns"
	],
	"threat_actors": [],
	"ts_created_at": 1775439015,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b63ec1d08a66f06ea48aea49ad0f6585e80401e9.pdf",
		"text": "https://archive.orkl.eu/b63ec1d08a66f06ea48aea49ad0f6585e80401e9.txt",
		"img": "https://archive.orkl.eu/b63ec1d08a66f06ea48aea49ad0f6585e80401e9.jpg"
	}
}