DNS Intelligence: What It Means and Its Role in Cybersecurity
Almost every activity on the Internet involves a DNS query, making DNS a rich source of threat information. There are many ways to use it — from filtering suspicious DNS requests for malware prevention to mapping threat actor infrastructure. In this article, we explore the different kinds of DNS intelligence, how they work, and how they are used in modern cybersecurity.
What Is DNS Intelligence?
DNS intelligence is an umbrella term used in the threat intelligence industry that refers to actionable threat information gathered from the DNS after DNS data has been processed and analyzed.
Since the basic function of the DNS is to translate domain names into IP addresses, it is a foundational layer of communication. One can argue that it sits at layer 7 (the application layer) of the OSI model, which is second from the top, and that there is a lot happening underneath it. But in fact, even a command such as ping google.com, which relies on ICMP packets (layer 3), still first needs to resolve a DNS query translating the domain name to an IP address.
This means that almost everything and everyone using the Internet goes through the DNS, whether their intentions are legitimate or malicious. For this reason, security professionals can gain network visibility and detect malicious activities through DNS monitoring and analyzing active and historical DNS queries.
Types of DNS Intelligence and How They Work
DNS threat intelligence can be gathered from various sources, which fall into two main categories: on-premises and global.
On-Premises DNS Intelligence
On-premises DNS data refers to the DNS query logs collected from an organization's internal network. Every time a device on the network makes a DNS request to resolve a domain name, that activity is logged by the organization’s DNS resolver or next-gen firewall (NGFW).
On-premises data is useful for network security, particularly for detecting anomalies in network behavior, such as a device suddenly querying a malicious domain or a large number of unusual queries originating from a single host. This protective DNS approach provides deep insight into what is happening inside the network. Here’s how it works:
- Data collection: On-premises DNS filters (whether they are a part of the NGFW or standalone tools) receive DNS queries from the network or resolver logs. Based on this data, a baseline for normal DNS traffic is established using machine learning (ML).
- Threat intelligence correlation: DNS filters are integrated with threat intelligence feeds so that when a user’s DNS query is received, the tool instantly cross-references the requested domain with blocklists and databases of known malicious domains, IPs, and C2 servers.
- Behavioral analysis: Even when a user’s query doesn’t involve any malicious domain, security tools also check for deviations from the DNS traffic baseline established during data collection. For example, they can spot a single host sending a large number of unusual queries (which could indicate a compromised machine), or data exfiltration via DNS tunneling.
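The two checks above, threat intelligence correlation and baseline deviation, as an added example (not WhoisXML API's or any NGFW vendor's code). The log format, the blocklist and the baseline counts are constructed for the example; the blocklist match also catches subdomains of a blocklisted zone.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed per-host query counts from a previous, known-clean day: the traffic baseline.
BASELINE_COUNTS = {"10.0.0.5": 5, "10.0.0.6": 4, "10.0.0.7": 6, "10.0.0.8": 5}

# Constructed blocklist standing in for a threat intelligence feed of malicious domains.
BLOCKLIST = {"malicious-site.com", "c2.bad.example"}

# Constructed resolver log for the current window; hypothetical format "<ts> <client> <qname> <qtype>".
RESOLVER_LOG = """\
2025-09-01T10:00:01 10.0.0.5 intranet.example.com A
2025-09-01T10:00:02 10.0.0.5 mail.example.com MX
2025-09-01T10:00:03 10.0.0.7 update.vendor.example A
2025-09-01T10:00:04 10.0.0.9 malicious-site.com A
2025-09-01T10:00:05 10.0.0.9 beacon.c2.bad.example A
2025-09-01T10:00:06 10.0.0.9 x1.example.net A
2025-09-01T10:00:07 10.0.0.9 x2.example.net A
2025-09-01T10:00:08 10.0.0.9 x3.example.net A
2025-09-01T10:00:09 10.0.0.9 x4.example.net A
2025-09-01T10:00:10 10.0.0.9 x5.example.net A
2025-09-01T10:00:11 10.0.0.9 x6.example.net A
"""

def parse_log(text):
    """Parse one query per line into (client, normalized qname) tuples."""
    rows = []
    for line in text.splitlines():
        _ts, client, qname, _qtype = line.split()
        rows.append((client, qname.lower().rstrip(".")))
    return rows

def blocklist_hits(rows, blocklist=BLOCKLIST):
    """Threat-intel correlation: match the queried name or any parent zone against the blocklist."""
    hits = []
    for client, qname in rows:
        labels = qname.split(".")
        zones = {".".join(labels[i:]) for i in range(len(labels))}
        if zones & blocklist:
            hits.append((client, qname))
    return hits

def volume_anomalies(rows, baseline=BASELINE_COUNTS, k=2.0):
    """Behavioral analysis: hosts whose query count exceeds mean + k*stdev of the baseline."""
    mu, sigma = mean(baseline.values()), pstdev(baseline.values())
    threshold = mu + k * max(sigma, 1.0)  # floor on sigma so a flat baseline still tolerates noise
    return {c: n for c, n in Counter(c for c, _ in rows).items() if n > threshold}
```

In the constructed log, 10.0.0.9 is flagged twice: once for querying blocklisted zones and once for issuing 8 queries against a baseline of about 5 per host.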
Global DNS Intelligence
Global DNS data, also known as passive DNS, is collected by security vendors such as WhoisXML API from a vast network of global sensors and DNS resolvers. This collection creates a massive database of historical DNS queries and responses.
The main difference between on-premises and global DNS data is that the former is limited to a single organization or even a single resolver, while the latter can span the entire Internet.
That allows for very different use cases. For example, passive DNS provides a global view of attacker infrastructure. It helps security professionals correlate indicators of compromise (IoCs) and map attacker infrastructures, linking together domains, IP addresses, and name servers to uncover entire networks of malicious behavior, not just a single indicator of compromise. Check out our Threat Reports section to see how we map attacker infrastructures using passive DNS data. This global perspective adds useful threat context that may not be available from on-premises data alone.
For example, if a single malicious domain is found, passive DNS data can be used to find other domains that have historically resolved to the same IP address or used the same name servers, thereby uncovering the attacker's broader infrastructure.
Since passive DNS doesn’t rely on a single resolver controlled by an organization, the principles behind it are different from those we described above for on-premises DNS intelligence. We can still define three main stages for it:
- Data collection: Data aggregators like WhoisXML API operate a large network of sensors that passively monitor DNS traffic and record:
- The source IP address of the device making the query.
- The domain name being queried (e.g., malicious-site.com).
- The IP address or other data returned in the response.
- The time and date of the request.
- The type of DNS query (e.g., A, AAAA, MX, TXT).
- Passive monitoring: These sensors are configured to listen to DNS traffic. When a user requests a website (e.g., google.com), their computer sends a DNS query to a recursive resolver. When the resolver gets the answer (e.g., google.com resolves to 142.250.72.78), the sensor records this resolution as a data point.
- Data archiving: The collected data — which includes the domain name, the resolved IP address, the DNS record type, and a timestamp — is sent to a massive, searchable database.
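The pivot described above (from one malicious domain to other domains sharing its IP address or name servers), as an added example that is not WhoisXML API's code or API. The passive DNS records are constructed and keep only the domain, record type, response data and timestamp fields listed above; `max_fanout` is an assumption of this example that skips values shared by too many domains (shared hosting, public name servers), which would otherwise link unrelated domains together.

```python
from collections import defaultdict

# Constructed passive DNS records (domain, record type, response data, observation date);
# stand-ins for a vendor's archived resolutions, not real data.
PDNS = [
    ("seed-ioc.example", "A", "203.0.113.10", "2025-06-01"),
    ("seed-ioc.example", "NS", "ns1.bulletproof.example", "2025-06-01"),
    ("second-stage.example", "A", "203.0.113.10", "2025-06-03"),
    ("second-stage.example", "NS", "ns1.bulletproof.example", "2025-06-03"),
    ("third-domain.example", "NS", "ns1.bulletproof.example", "2025-06-05"),
    ("third-domain.example", "A", "203.0.113.44", "2025-06-05"),
    ("unrelated.example", "A", "198.51.100.7", "2025-06-05"),
    ("unrelated.example", "NS", "ns1.registrar.example", "2025-06-05"),
    ("shared-host.example", "A", "203.0.113.44", "2025-06-06"),
]

def index_records(records):
    """Build forward (domain -> values) and reverse (value -> domains) indexes per record type."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for name, rrtype, rdata, _ts in records:
        fwd[(name, rrtype)].add(rdata)
        rev[(rrtype, rdata)].add(name)
    return fwd, rev

def reverse_lookup(rev, rrtype, rdata):
    """Reverse IP / reverse NS lookup: every domain observed with this record value."""
    return set(rev.get((rrtype, rdata), ()))

def pivot(seed, records, max_hops=2, rrtypes=("A", "NS"), max_fanout=50):
    """Expand a seed IoC into related domains by hopping domain -> record value -> domain.
    Returns the related domains and the (domain, type, value, domain) edges that link them."""
    fwd, rev = index_records(records)
    seen, frontier, edges = {seed}, {seed}, []
    for _ in range(max_hops):
        nxt = set()
        for name in frontier:
            for rrtype in rrtypes:
                for rdata in fwd.get((name, rrtype), ()):
                    peers = reverse_lookup(rev, rrtype, rdata) - {name}
                    if len(peers) > max_fanout:  # shared value, not evidence of a relationship
                        continue
                    for other in peers:
                        edges.append((name, rrtype, rdata, other))
                        if other not in seen:
                            seen.add(other)
                            nxt.add(other)
        frontier = nxt
    return seen - {seed}, edges
```

With the constructed data, one hop from seed-ioc.example reaches the domains sharing its IP or name server, and a second hop reaches shared-host.example through third-domain.example's IP; the edges record which shared value justified each link, which is what an analyst needs to defend the pivot.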
How To Access Global DNS Intelligence
With over 6 billion Internet users worldwide (according to Statista) and over 800 million domains (according to Domain Name Stat), you can imagine that a database of historical DNS queries should be very large. And indeed, it is. More often than not, you don’t need the entire database but specific data points, so the organizations that maintain these databases offer different ways of accessing them depending on your needs.
DNS Lookup
DNS lookups, also known as forward lookups, are the most common type of query and usually the starting point for analysis. Security tools with passive DNS intelligence perform DNS lookups to determine the IP address to which a domain resolves (by looking at the A or AAAA record of the domain).
It’s worth noting that a DNS lookup can return many types of resource records, such as mail exchanger (MX), name server (NS), canonical name (CNAME), and text (TXT) records, among dozens of other DNS record types. Here’s an example of a DNS lookup for example[.]com using our MCP server:

Reverse DNS and Reverse IP Lookups
Reverse DNS lookup is the opposite process of DNS lookup — you take a DNS record and search for domains that share that record. Some reverse DNS lookup tools let you search by different record types, but others are dedicated to just one or two types of DNS record. For example, our Reverse IP API is used to pivot from a known IP address to find all the associated domain names. This can lead analysts to other malicious sites or subdomains hosted on the same IP.

DNS History Lookup
There is also an option to retrieve the historical DNS records of a domain name or IP address through DNS history lookup (WhoisXML API offers the DNS Chronicle API for that). This process provides the historical context needed to connect the dots since a domain's past DNS records can help reveal the lifecycle of a threat and map out the attacker's infrastructure over time.
Take, for example, the DNS history of snipersol[.]com, one of the IoCs in the GreedyBear attack, which recorded a total of 178 IP resolutions, some of them over a short period of time.

Passive DNS also lets you see if the domain was previously hosted on a different, possibly malicious, IP address, or if it has been associated with other suspicious domains.
How Is Passive DNS Intelligence Used?
In the previous sections, we learned how on-premises DNS intelligence, correlated with other threat intelligence sources, can be used as a filter, enabling organizations to block access to a wide range of known malicious domains or IPs associated with phishing attacks, malware attacks, and botnets.
Here, we’ll cover the uses of passive DNS intelligence, in combination with on-premises DNS intelligence, domain intelligence, and other Internet infrastructure data sources.

Attack Surface Management (ASM)
ASM platforms continuously scan for and map all assets, ingesting data from various sources (including passive DNS) to build a comprehensive asset inventory. When the platform’s DNS monitoring tools identify a new, Internet-facing domain (e.g., project-xyz[.]com) that wasn’t previously in the organization’s asset inventory but is resolving to an IP address that’s part of the corporate IP range, this should be automatically enriched with:
- DNS history: The tool's historical DNS data may reveal, for instance, that the domain has occasionally resolved to an IP address outside of the corporate IP range, such as an IP address associated with a cloud provider like AWS.
- WHOIS records: A WHOIS lookup determines the domain's owner (if the registrant organization isn’t the same as for your other domains, it may be worth an investigation). A reverse WHOIS lookup based on that information can help discover other domains belonging to the same registrant organization.
- SSL certificate analysis: An automated SSL certificate check shows if the certificate is from a trusted Certificate Authority (CA) or self-signed. If, for example, the SSL certificate of project-xyz[.]com is self-signed and is set to expire in a few weeks, this should raise a red flag since the domain could be a forgotten asset that points toward a test environment (one that can later on become an attack vector). Also, using SSL certificate transparency logs can help further enrich the attack surface map by discovering more domains or subdomains where the same certificate is used.
Brand Protection
One of the capabilities of brand protection tools is spotting typosquatting domains, and this is also done with the help of DNS intelligence, through methods such as permutation and behavioral analysis. Integrating WHOIS data can add more context, since the security tool can automatically perform a WHOIS lookup on the detected typosquatting domain. As a result, companies can identify and take down domains that are trying to impersonate their brand since these could be used in phishing attacks, counterfeiting, and other malicious behaviors.
Example:
To illustrate this, we used our MCP Server to search for domains that contain the string "chatgpt" registered from August 1, 2025, that are not currently or historically registered by OpenAI (the registrant organization of chatgpt[.]com).

Brand protection efforts can be further enhanced by analyzing the DNS history of these typosquatting domains (constant IP change is a common tactic used by malicious actors to evade takedowns) and verifying the actual web content of the domains by integrating the Website Screenshot API.
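The DNS history checks this paragraph and the DNS History Lookup section describe (many resolutions in a short period, and a past resolution to a known-bad IP), as an added example that is not WhoisXML API's DNS Chronicle API or its code. The history rows and the bad-IP set are constructed; `churn_threshold` and the 7-day window are assumptions of this example, not figures from the article.

```python
from datetime import date, timedelta

# Constructed DNS history rows (domain, resolved IP, first observed); not the real
# snipersol[.]com history from the article.
HISTORY = [
    ("typo-brand.example", "203.0.113.5", date(2025, 8, 2)),
    ("typo-brand.example", "203.0.113.9", date(2025, 8, 3)),
    ("typo-brand.example", "198.51.100.20", date(2025, 8, 3)),
    ("typo-brand.example", "198.51.100.21", date(2025, 8, 4)),
    ("typo-brand.example", "203.0.113.77", date(2025, 8, 5)),
    ("typo-brand.example", "203.0.113.5", date(2025, 8, 20)),
    ("stable-site.example", "192.0.2.10", date(2024, 1, 15)),
    ("stable-site.example", "192.0.2.11", date(2025, 3, 1)),
]
# Constructed set of IPs previously seen hosting malicious content (stand-in for a feed).
KNOWN_BAD_IPS = {"203.0.113.77"}

def resolutions(history, domain):
    """All (first_seen, ip) pairs for a domain, oldest first."""
    return sorted((ts, ip) for d, ip, ts in history if d == domain)

def max_ips_in_window(history, domain, window_days=7):
    """Largest number of distinct IPs first seen within any window_days-long span."""
    res = resolutions(history, domain)
    best = 0
    for i, (start, _) in enumerate(res):
        end = start + timedelta(days=window_days)
        best = max(best, len({ip for ts, ip in res[i:] if ts < end}))
    return best

def history_profile(history, domain, bad_ips=KNOWN_BAD_IPS, churn_threshold=4):
    """Summarize a domain's resolution history for an analyst or an automated takedown queue."""
    ips = {ip for _, ip in resolutions(history, domain)}
    burst = max_ips_in_window(history, domain)
    return {
        "distinct_ips": len(ips),
        "burst_ips_7d": burst,
        "fast_changing": burst >= churn_threshold,  # rapid IP hopping, typical of takedown evasion
        "bad_ip_history": sorted(ips & bad_ips),    # ever hosted on a known-bad IP
    }
```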
Threat Investigations
Threat investigations leverage both on-premises and passive DNS intelligence. When on-premises DNS logs reveal a suspicious query — such as a device communicating with a known command-and-control (C2) server — security analysts can use passive DNS data, WHOIS, and IP geolocation to pivot from this IoC and build a threat profile.
The gathered data also allows investigators to uncover the broader threat actor infrastructure, including other domains, IP addresses, and name servers associated with the same attack campaign.
This is also the strategy our research team uses in our threat reports, such as our recent investigation into three Lazarus RATs, which started with 19 IoCs and ended with the discovery of hundreds of connected domains along with potential victim IP addresses.
Third-Party Risk Management (TPRM)
Passive DNS data can reveal if a supplier’s domain is hosted on a shared or dedicated IP address and if it has a history of co-locating with malicious digital assets. TPRM platforms use domain intelligence and SSL certificate data to check for suspicious changes in websites’ configurations or to see if newly registered subdomains contain brand names of other companies, indicating a potential supply chain risk.
Fraud Prevention
Passive DNS, IP, and domain intelligence give fraud detection systems a rich, Internet-wide context. On-premises DNS data can flag unusual internal user behavior, like an employee attempting to access a blacklisted domain. Combining this with passive DNS enables the system to verify if the IP address has a history of hosting malicious domains or is part of a botnet.
When an anomaly is detected, such as a login attempt from a new location, the system can use IP geolocation and passive DNS to assess the risk of the originating IP address before triggering an additional authentication step or blocking the attempt altogether.
Early Threat Detection
Detecting threats requires more than just one source of intelligence. DNS tunneling, for example, can be detected by combining:
- DNS Intelligence: Security platforms check the DNS queries and responses for unusual patterns, such as long query names, since normal DNS queries have short, human-readable names, while tunneling involves encoding large amounts of data into long, seemingly random strings of characters in a subdomain.
- Newly registered domains (NRD) data feed: Attackers frequently register new domains for their command-and-control servers, so a sudden spike in queries to a domain that is only a few days old is a major red flag. Threat detection systems can be configured to flag queries to NRDs that are not part of the organization’s normal business operations.
Early threat detection relies mostly on threat hunting, which draws on many different techniques, and DNS intelligence is an important part of it.
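The two signals combined above, unusually long or random-looking query names and a burst of queries to a domain that is only days old, as an added example (not WhoisXML API's NRD feed or detection code). The registration dates, the queries and the thresholds are constructed for the example; `registrable_domain` takes the last two labels, which a real deployment would replace with a Public Suffix List lookup.

```python
import math
from collections import Counter
from datetime import date

TODAY = date(2025, 9, 1)
# Constructed registration dates standing in for a newly registered domains (NRD) feed.
NRD_FEED = {"fresh-c2.example": date(2025, 8, 30), "example.com": date(1995, 8, 14)}
# Constructed (client, qname) pairs from a resolver log; the long labels mimic encoded chunks.
QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.9", "mzxw6ytboi4gc3lmmuqgc3lmmuqgc3lmmuqgc3lm.data.fresh-c2.example"),
    ("10.0.0.9", "nbswy3dpeb3w64tmmqqgc3lmmuqhg33nmuqgc3lm.data.fresh-c2.example"),
    ("10.0.0.9", "onswg4tfor2caytsnfxgoidbnrwcaytsmfqgs3lm.data.fresh-c2.example"),
]

def shannon_entropy(s):
    """Bits per character: encoded or random labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registrable_domain(qname):
    """Naive eTLD+1 (last two labels); a production system would use the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def query_features(qname, nrd_feed=NRD_FEED, today=TODAY):
    labels = qname.lower().rstrip(".").split(".")
    reg = registrable_domain(qname)
    age = (today - nrd_feed[reg]).days if reg in nrd_feed else None  # None: not in the feed
    return {"length": len(qname), "longest_label": max(map(len, labels)),
            "entropy": round(shannon_entropy("".join(labels[:-2])), 2), "domain_age_days": age}

def suspicious(qname, max_len=60, max_label=30, min_entropy=3.5, max_age_days=30):
    """Reasons a single query looks like tunneling or NRD beaconing; an empty list means benign."""
    f, reasons = query_features(qname), []
    if f["length"] > max_len or f["longest_label"] > max_label:
        reasons.append("long_name")
    if f["entropy"] >= min_entropy:
        reasons.append("high_entropy")
    if f["domain_age_days"] is not None and f["domain_age_days"] <= max_age_days:
        reasons.append("nrd")
    return reasons

def hunt(queries, min_hits=3):
    """Count suspicious queries per (client, registrable domain); a burst to one domain is the alert."""
    tally = Counter()
    for client, qname in queries:
        if suspicious(qname):
            tally[(client, registrable_domain(qname))] += 1
    return {k: v for k, v in tally.items() if v >= min_hits}
```

Aggregating per client and registrable domain, rather than alerting on each query, is what turns a few odd-looking names into the "sudden spike to a days-old domain" signal the list above describes.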
Conclusion
DNS intelligence is a core data source in cybersecurity because nearly all Internet activity depends on DNS.
On-premises DNS intelligence gives organizations visibility into internal network behavior and helps detect anomalies and policy violations in real time.
Global (passive) DNS intelligence adds historical and Internet-wide context that supports attack surface management, brand protection, threat investigations, third-party risk management, fraud prevention, and early threat detection by showing how domains and IPs are related and how they change over time.
Used together and enriched with domain, WHOIS, SSL, and IP intelligence, these data sources allow security teams to correlate signals, uncover hidden relationships, and make faster, more informed decisions across nearly every cybersecurity workflow.
Check out WhoisXML API’s passive DNS intelligence product line.