Passive DNS version 2.0
CIRCL Passive DNS is a database that stores historical DNS records from various resources, including malware analysis and partners. The DNS historical data is indexed, making it searchable for incident handlers, security analysts, or researchers.
In November 2023, CIRCL released version 2.0 of its Passive DNS service. The new version is backward-compatible with the previous 1.0 version. The output format remains Passive DNS - Common Output Format, and the query interface is similar. New headers were introduced to support some new functionalities, including filtering and pagination. If no headers are set, the Passive DNS API falls back to the previous 1.0 version’s behavior.
Access to CIRCL Passive DNS
Access to CIRCL Passive DNS is restricted to trusted partners both in Luxembourg and abroad. If you are interested in gaining access, please contact us and provide details about your affiliation and the intended use of the Passive DNS data.
API documentation
How to Use the Service
CIRCL Passive DNS is accessible via a REST API, and the output format is in JSON following the Passive DNS - Common Output Format.
The REST API is accessible via the following URL:
https://www.circl.lu/pdns/query/<queryvalue>
Query values can be any records such as IP addresses, hostnames, or domain names (please note that CIDR block queries are not supported).
For example:
https://www.circl.lu/pdns/query/circl.lu
{"rrtype": "A", "rrname": "185.194.93.14", "rdata": "circl.lu", "count": "19", "time_first": "1696798385", "time_last": "1697890824"}
{"rrtype": "AAAA", "rrname": "2a00:5980:93::14", "rdata": "circl.lu", "count": "18", "time_first": "1696798385", "time_last": "1697890824"}
{"rrtype": "MX", "rrname": "10 cppy.circl.lu", "rdata": "circl.lu", "count": "149", "time_first": "1696786636", "time_last": "1697897232"}
{"rrtype": "NS", "rrname": "ns1.eurodns.com", "rdata": "circl.lu", "count": "5", "time_first": "1696798385", "time_last": "1697701116"}
{"rrtype": "NS", "rrname": "ns2.eurodns.com", "rdata": "circl.lu", "count": "5", "time_first": "1696798385", "time_last": "1697701116"}
{"rrtype": "NS", "rrname": "ns3.eurodns.com", "rdata": "circl.lu", "count": "5", "time_first": "1696798385", "time_last": "1697701116"}
{"rrtype": "NS", "rrname": "ns4.eurodns.com", "rdata": "circl.lu", "count": "5", "time_first": "1696798385", "time_last": "1697701116"}
{"rrtype": "SOA", "rrname": "ns1.eurodns.com hostmaster.eurodns.com 2023091306 43200 7200 1209600 86400", "rdata": "circl.lu", "count": "260", "time_first": "1696780845", "time_last": "1697183586"}
Header parameters
dribble-disable-active-query
When the dribble-disable-active-query header is set, it disables the active query resolver, which is enabled by default in CIRCL Passive DNS version 2. The value is discarded, as only the presence of the header is checked.
dribble-filter-rrtype
dribble-filter-rrtype is used to filter a Passive DNS query for a specific rrtype.
Example query
curl -H 'dribble-filter-rrtype: SOA' https://www.circl.lu/pdns/query/circl.lu
{"rrtype": "SOA", "rrname": "ns1.eurodns.com hostmaster.eurodns.com 2023091306 43200 7200 1209600 86400", "rdata": "circl.lu", "count": "260", "time_first": "1696780845", "time_last": "1697183586"}
dribble-paginate-count
If a maxset error is returned, the returned set is limited to the maximum number of elements. To get all the values, pagination is required. The dribble-paginate-count header sets the number of elements to return.
Example query
curl -H 'dribble-paginate-count: 5' -H 'dribble-filter-rrtype: SOA' https://www.circl.lu/pdns/query/com
{"rrtype": "SOA", "rrname": "a.gtld-servers.net nstld.verisign-grs.COM 1696809892 1800 900 604800 86400", "rdata": "com", "count": "1", "time_first": "1696809905", "time_last": "1696809905"}
{"rrtype": "SOA", "rrname": "a.gtld-servers.net nstld.verisign-grs.COM 1696811412 1800 900 604800 86400", "rdata": "com", "count": "2", "time_first": "1696811441", "time_last": "1696811441"}
{"rrtype": "SOA", "rrname": "a.gtld-servers.net nstld.verisign-grs.COM 1696816592 1800 900 604800 86400", "rdata": "com", "count": "1", "time_first": "1696816623", "time_last": "1696816623"}
{"rrtype": "SOA", "rrname": "a.gtld-servers.net nstld.verisign-grs.COM 1696818272 1800 900 604800 86400", "rdata": "com", "count": "1", "time_first": "1696818305", "time_last": "1696818305"}
{"rrtype": "SOA", "rrname": "a.gtld-servers.net nstld.verisign-grs.COM 1696820712 1800 900 604800 86400", "rdata": "com", "count": "1", "time_first": "1696820727", "time_last": "1696820727"}
dribble-paginate-cursor
Example query
curl -H 'dribble-paginate-count: 25' -H 'dribble-filter-rrtype: CNAME' -H 'dribble-paginate-cursor: 7346046680497455128' -si https://www.circl.lu/pdns/query/cdn1.wixdns.net
HTTP/1.1 200 OK
date: Sat, 21 Oct 2023 15:42:30 GMT
content-type: application/x-ndjson
server: dribble
x-dribble-errors: []
x-dribble-cursor: 7443482523371700254
content-length: 4591

{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.cthiinspectors.com", "count": "1", "time_first": "1697676986", "time_last": "1697676986"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.d1bproductions.com", "count": "2", "time_first": "1697688190", "time_last": "1697890368"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.dailystrange.com", "count": "1", "time_first": "1697691377", "time_last": "1697691377"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.davisdanceco.com", "count": "1", "time_first": "1697703062", "time_last": "1697703062"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.debarelli.com", "count": "1", "time_first": "1697708566", "time_last": "1697708566"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.depakhuys.com", "count": "1", "time_first": "1697717244", "time_last": "1697717244"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.dmr4u.com", "count": "1", "time_first": "1697743332", "time_last": "1697743332"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.dofbot.com", "count": "1", "time_first": "1697745712", "time_last": "1697745712"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.dpmonksfinance.com", "count": "1", "time_first": "1697754894", "time_last": "1697754894"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.dr-buba-best-traditional-healer.com", "count": "1", "time_first": "1697755327", "time_last": "1697755327"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.dukecityriderz.com", "count": "1", "time_first": "1697765838", "time_last": "1697765838"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.eaglemedicinepsychicreadings.com", "count": "1", "time_first": "1697774826", "time_last": "1697774826"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.eroticescortdirectory.com", "count": "1", "time_first": "1697814898", "time_last": "1697814898"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.europeanfutsal.com", "count": "1", "time_first": "1697823863", "time_last": "1697823863"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.everythingbeautyskin.com", "count": "1", "time_first": "1697826876", "time_last": "1697826876"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.ewp-usa.com", "count": "1", "time_first": "1697828433", "time_last": "1697828433"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.fabricatorindia.com", "count": "1", "time_first": "1697835687", "time_last": "1697835687"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.feelingsunfolding.com", "count": "1", "time_first": "1697847691", "time_last": "1697847691"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.fineartfirm.com", "count": "1", "time_first": "1697857256", "time_last": "1697857256"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.fivestarluxurytravel.com", "count": "1", "time_first": "1697862059", "time_last": "1697862059"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.fpm-su.com", "count": "1", "time_first": "1697879696", "time_last": "1697879696"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.fultontransit.com", "count": "1", "time_first": "1697893936", "time_last": "1697893936"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.futuramarge.com", "count": "1", "time_first": "1697897081", "time_last": "1697897081"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.higherground.ai", "count": "3", "time_first": "1696848939", "time_last": "1697319987"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "af.parkwayresort.ca", "count": "2", "time_first": "1697354479", "time_last": "1697484962"}
Returned headers
x-dribble-cursor
When pagination is enabled, the Passive DNS server returns the cursor for the next page, which can be set using dribble-paginate-cursor.
Error codes
Errors are returned in the x-dribble-errors header in JSON format.
maxset error type
The “maxset” error type indicates that the returned set is limited because many records exist for the query. This signals the need to start paginating to retrieve the complete set of records.
x-dribble-errors: [{"error": "maxset", "record": "cdn1.wixdns.net", "value": 1000, "rrtype": "CNAME", "total_value": 532915}]
Example query and returned headers
curl -si https://www.circl.lu/pdns/query/cdn1.wixdns.net
HTTP/1.1 200 OK
date: Sat, 21 Oct 2023 16:03:14 GMT
content-type: application/x-ndjson
server: dribble
x-dribble-errors: [{"error": "maxset", "record": "cdn1.wixdns.net", "value": 1000, "rrtype": "CNAME", "total_value": 534506}]
content-length: 151885

{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "2022photos.bostonkeygala.com", "count": "1", "time_first": "1697523392", "time_last": "1697523392"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "aa.akasakachurch.com", "count": "3", "time_first": "1697349965", "time_last": "1697895987"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "aa.bayphoenixstudios.com", "count": "2", "time_first": "1697458973", "time_last": "1697895905"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "aa.canyonhillsptsa.com", "count": "1", "time_first": "1697563137", "time_last": "1697563137"}
{"rrtype": "CNAME", "rrname": "cdn1.wixdns.net", "rdata": "aa.christinacollectionflooring.com", "count": "1", "time_first": "1697612592", "time_last": "1697612
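The pagination flow described above (dribble-paginate-count, dribble-paginate-cursor, x-dribble-cursor and x-dribble-errors), as an added Python example; it is not CIRCL's or PyPDNS's code. The `fetch` transport, `fake_fetch` and its example.com records are constructed for the demo, and treating a missing cursor as the end of the result set is an assumption the page does not state.

```python
import json
from datetime import datetime, timezone

BASE_URL = "https://www.circl.lu/pdns/query/"  # endpoint given on the page

def parse_page(headers, body):
    """Split one response into (records, errors, next_cursor)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    records = []
    for line in filter(str.strip, body.splitlines()):  # x-ndjson: one object per line
        rec = json.loads(line)
        rec["count"] = int(rec["count"])  # the service returns numbers as strings
        for key in ("time_first", "time_last"):
            rec[key] = datetime.fromtimestamp(int(rec[key]), tz=timezone.utc)
        records.append(rec)
    errors = json.loads(hdrs.get("x-dribble-errors") or "[]")
    return records, errors, hdrs.get("x-dribble-cursor")

def fetch_all(fetch, name, rrtype=None, page_size=25, max_pages=100):
    """Collect every page. fetch(url, headers) -> (response_headers, body_text)
    is a caller-supplied transport (hypothetical; it also handles authentication)."""
    req = {"dribble-paginate-count": str(page_size)}
    if rrtype:
        req["dribble-filter-rrtype"] = rrtype
    out, seen = [], set()
    for _ in range(max_pages):  # hard stop so a misbehaving server cannot loop us
        records, errors, cursor = parse_page(*fetch(BASE_URL + name, dict(req)))
        fatal = [e for e in errors if e.get("error") != "maxset"]
        if fatal:
            raise RuntimeError(f"Passive DNS errors: {fatal}")
        out.extend(records)
        # Assumption: an empty page, or a missing or repeated cursor, means "done".
        if not records or not cursor or cursor in seen:
            break
        seen.add(cursor)
        req["dribble-paginate-cursor"] = cursor
    return out

def fake_fetch(url, headers):
    """Constructed two-page server standing in for the real API (offline demo)."""
    pages = {None: ("1111", ["a.example.com", "b.example.com"]),
             "1111": (None, ["c.example.com"])}
    nxt, names = pages[headers.get("dribble-paginate-cursor")]
    body = "\n".join(json.dumps({"rrtype": "CNAME", "rrname": "cdn.example.net",
        "rdata": n, "count": "1", "time_first": "1697676986",
        "time_last": "1697676986"}) for n in names)
    resp = {"Content-Type": "application/x-ndjson", "X-Dribble-Errors": "[]"}
    if nxt:
        resp["X-Dribble-Cursor"] = nxt
    return resp, body
```

Calling `fetch_all(fake_fetch, "cdn.example.net", rrtype="CNAME", page_size=2)` walks both constructed pages; a maxset entry in x-dribble-errors is tolerated because pagination is the response to it, while any other error type aborts the run.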
Tools
Python Library to access the CIRCL Passive DNS API
We developed a Python library called PyPDNS to query any service that returns the Passive DNS - Common Output Format.
Ruby Library to access the CIRCL Passive DNS API
PassiveDNS::Client is a rubygem developed by Chris Lee that includes access to different passive DNS services, including CIRCL.
Scala library to access the CIRCL Passive DNS API
Scala library is a Scala implementation developed by Jason Jones.
R Library to access the CIRCL Passive DNS API
R Port of CIRCL.LU’s PyPDNS Python module.
Go Language implementation to access the CIRCL Passive DNS API
Passive DNS client for CIRCL PDNS Database - golang implementation
C implementation to access the CIRCL and Farsight Security Passive DNS API
Revision
- Version 1.0 - TLP:CLEAR - First version - 21st August 2014
- Version 2.0 - TLP:CLEAR - Second version - 2nd November 2023