Introduction
A subdomain deleted from your DNS zone eighteen months ago does not disappear from the internet's memory. If a recursive resolver anywhere in the world observed that subdomain resolving to an IP address, a passive DNS database may have logged the query and response pair permanently. That historical record exists independently of your current DNS zone, and it is one of the most reliable ways to find subdomains that active enumeration alone will miss.
Three tools dominate passive DNS lookups for security work, and they are not interchangeable. SecurityTrails is the most widely integrated into open-source recon tooling. Farsight DNSDB, now part of DomainTools, has the longest continuous sensor history and is the dataset threat intelligence teams pay enterprise pricing for. VirusTotal has passive DNS data as a secondary feature of a malware analysis platform, with meaningfully different depth and intent than the other two.
This comparison covers what each tool actually collects, how the data differs in depth and freshness, the API access model for each, and where an EASM platform fits relative to all three, since none of them are organizational monitoring tools on their own.
TL;DR: quick comparison table
The fast answer for teams that need to pick a source before reading the full breakdown.
| Capability | SecurityTrails | Farsight DNSDB | VirusTotal |
|---|---|---|---|
| Primary purpose | Passive DNS and domain intel | Passive DNS (dedicated) | Malware/URL analysis |
| Sensor network history | Since 2015 | Since 2010 | Aggregated, undisclosed depth |
| Historical data depth | Deep | Deepest available commercially | Shallow to moderate |
| Query types | Subdomain, history, WHOIS | rrname and rdata flexible search | Domain relations tab |
| Free tier | 50 queries/month | None | Yes, daily limits |
| Typical pricing | $50-500+/month | Enterprise, contact sales | Free to enterprise tiers |
| Used as backend by recon tools | Yes (subfinder, amass) | Yes (amass, enterprise tools) | Limited |
| Best for | General passive DNS at accessible pricing | Deepest historical research, threat intel | Quick cross-reference with malware data |
What each tool actually does
Passive DNS works by deploying sensors at recursive resolvers that log every query and response pair they observe, then aggregating those logs into a searchable historical database. The three tools below differ in sensor network age, query depth, and what other data they bundle alongside the passive DNS records.
- SecurityTrails — SecurityTrails built a dedicated passive DNS and domain intelligence platform starting in 2015, combining passive DNS history with WHOIS history and SSL certificate history into a single queryable API. It is the most commonly integrated passive DNS source in open-source security tooling: subfinder, amass, and most subdomain enumeration frameworks support SecurityTrails as a configured source. The API is well documented, the free tier is usable for individual research, and paid tiers scale to organizational use without enterprise sales friction.
- Farsight DNSDB (DomainTools) — Farsight Security, founded by Paul Vixie, built DNSDB starting in 2010. Vixie co-authored several foundational DNS RFCs, including successors to RFC 1034 and RFC 1035, and is broadly credited as one of the architects of modern DNS infrastructure. DNSDB's sensor network has the longest continuous operating history of any commercial passive DNS source, which translates directly into the deepest historical record available. Farsight was acquired by DomainTools in 2021, and DNSDB now operates under the DomainTools umbrella with the same dataset depth. Pricing is enterprise-only with no public tier or self-serve signup, reflecting its positioning toward threat intelligence teams, government, and large security operations centers that need the most complete historical record available.
- VirusTotal — VirusTotal, owned by Google's Chronicle (now part of Google Cloud Security), is primarily a malware and URL analysis platform. Passive DNS data appears as a secondary feature: the Relations tab on a domain's VirusTotal page shows historical resolution data alongside malware detections, related files, and reputation signals for that domain. The passive DNS depth is shallower than dedicated providers because it is not VirusTotal's core data product. Its value is in cross-referencing: a passive DNS hit that also shows malware associations on the same domain is a different kind of signal than passive DNS alone.
Head-to-head: data quality and access
The meaningful differences are in how each tool structures queries and how far back the data goes.
- Query flexibility: rrname vs rdata — DNSDB's distinguishing technical feature is its rrname and rdata query model. An rrname query asks 'what records exist for this name' (the standard forward lookup). An rdata query asks the reverse: 'what names point to this IP address or this CNAME target,' which is significantly harder to answer without a purpose-built reverse index. This rdata capability is what makes DNSDB valuable for infrastructure pivoting: given a malicious IP, find every domain that has ever pointed to it. SecurityTrails offers similar reverse lookup capability through its API but with a less granular query syntax. VirusTotal's relations data supports basic reverse lookups through the domain report but without the flexible query language the other two provide.

```bash
# DNSDB rdata query example (find all names that resolved to an IP)
curl -H "X-API-Key: YOUR_KEY" \
  "https://api.dnsdb.info/dnsdb/v2/lookup/rdata/ip/203.0.113.45"

# SecurityTrails equivalent (IP search); curl sends a POST because -d is given
curl -s "https://api.securitytrails.com/v1/search/list" \
  -H "APIKEY: YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"filter":{"ipv4":"203.0.113.45"}}'
```

- Historical depth — DNSDB's sensor network has been collecting since 2010, giving it the longest continuous historical record among the three. SecurityTrails' collection began in 2015, covering roughly a decade of history at this point but missing anything that resolved and disappeared before their sensors started recording. VirusTotal's passive DNS depth is not publicly documented in detail and is generally observed to be shallower and less consistent than either dedicated provider, reflecting its status as a secondary feature.
- Freshness and update frequency — All three update their passive DNS index continuously as their sensors observe new resolutions, typically reflected in query results within hours to a day. None of the three are real-time in the way a live DNS query is real-time. They reflect what their sensors have observed, not the current state of a DNS zone. A subdomain query against passive DNS can return a record that is no longer accurate; resolving the result against live DNS afterward is necessary to confirm current status.
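The merge-then-re-resolve step that the freshness point above (and the FAQ's advice to combine sources and re-check stale names) describes, as an added example that is not code from the article or from any of the three vendors. The two sample responses are constructed to mirror the shape of DNSDB API v2 output lines and SecurityTrails' subdomain list; the live resolver is injected as a function so the script runs offline, and the stub resolver and its answers are likewise constructed.

```python
"""Fold passive DNS hits from two providers into one set, then re-check each name live.
Added example; the provider response samples and the live-DNS stand-in are constructed."""
import json

# Constructed sample mirroring DNSDB v2 lookup output: one JSON object per line, data rows
# wrapped in "obj" and stream status rows carried as "cond".
DNSDB_SAMPLE = """\
{"cond":"begin"}
{"obj":{"rrname":"www.example.com.","rrtype":"A","rdata":"203.0.113.45","time_first":1451606400,"time_last":1704067200}}
{"obj":{"rrname":"old-cdn.example.com.","rrtype":"CNAME","rdata":"acme-prod.cdn-provider.example.","time_first":1483228800,"time_last":1609459200}}
{"cond":"succeeded"}
"""
ST_SAMPLE = '{"subdomains":["www","api"],"subdomain_count":2}'  # constructed SecurityTrails subdomain list

def add_dnsdb(hits, text):
    """Fold DNSDB output lines into hits: {fqdn: {"sources": set, "cname": str|None}}."""
    for rec in (json.loads(line).get("obj") for line in text.splitlines()):
        if rec is None:      # "cond" lines carry stream status, not DNS data
            continue
        h = hits.setdefault(rec["rrname"].rstrip("."), {"sources": set(), "cname": None})
        h["sources"].add("dnsdb")
        if rec["rrtype"] == "CNAME":
            h["cname"] = rec["rdata"].rstrip(".")
    return hits

def add_securitytrails(hits, text, apex):
    """Fold SecurityTrails' bare labels into hits, re-qualified under the apex domain."""
    for label in json.loads(text)["subdomains"]:
        hits.setdefault(f"{label}.{apex}", {"sources": set(), "cname": None})["sources"].add("securitytrails")
    return hits

def classify(hits, resolve):
    """resolve(name) -> list of addresses, [] when nothing resolves. Re-checks every hit live."""
    status = {}
    for name, h in hits.items():
        if resolve(name):
            status[name] = "live"
        elif h["cname"] and not resolve(h["cname"]):   # historical CNAME target is gone too:
            status[name] = "stale-cname-target-gone"   # queue for takeover-exposure review
        else:
            status[name] = "stale"
    return status

# Constructed stand-in for live DNS; in real use pass a wrapper around socket.getaddrinfo.
FAKE_LIVE = {"www.example.com": ["203.0.113.45"], "api.example.com": ["203.0.113.46"]}
def stub_resolve(name):
    return FAKE_LIVE.get(name, [])
```

Call `classify(add_securitytrails(add_dnsdb({}, DNSDB_SAMPLE), ST_SAMPLE, "example.com"), stub_resolve)` to see the merged names with their live status; only the stale entries need a human to decide whether the record or the backend should go.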
How recon tools use these as backend sources
Most subdomain enumeration tools do not implement their own passive DNS collection. They query existing passive DNS providers through API integrations and aggregate the results. Understanding which sources a tool queries explains why results vary between tools.
- subfinder source configuration — subfinder supports SecurityTrails and other passive sources through its provider config file. DNSDB requires an enterprise API key and is less commonly configured in open-source tooling because of its pricing model, but subfinder supports it if you have access.

```yaml
# subfinder provider-config.yaml
securitytrails:
  - YOUR_SECURITYTRAILS_KEY
```

```bash
# Run subfinder with SecurityTrails as the only active source
subfinder -d example.com -sources securitytrails -silent
```

- amass source configuration — amass supports a broader range of passive sources, including both SecurityTrails and DNSDB when API keys are available, alongside its own active enumeration capability.

```yaml
# amass config.yaml (datasources section); key layout differs between amass
# releases, so check the template shipped with your installed version
datasources:
  - name: SecurityTrails
    apikey: YOUR_KEY
  - name: DNSDB
    apikey: YOUR_DNSDB_KEY
```

```bash
amass enum -config config.yaml -d example.com -passive
```
Where an EASM platform fits
None of the three tools above are organizational monitoring platforms. They are queryable databases. You ask a question, you get an answer reflecting what their sensors have observed. None of them discover your full attack surface automatically, scan discovered assets for misconfigurations, or alert you when something changes.
Externalsight uses passive DNS as one input among several in its discovery pipeline, combined with certificate transparency log enumeration, ASN and BGP data, reverse WHOIS, and active DNS brute-force. The platform does not require you to choose a passive DNS provider, manage API keys across multiple services, or write query logic to merge results. You provide a root domain, and the discovery pipeline runs continuously, with passive DNS contributing the historical subdomains that current DNS records and CT logs would miss.
The distinction matters for buying decisions. If your job is threat intelligence research, infrastructure pivoting, or investigating a specific indicator, a dedicated passive DNS tool with flexible query syntax is the right purchase. If your job is monitoring your own organization's attack surface continuously, passive DNS alone (from any single provider) leaves gaps that an EASM platform's multi-source discovery is built to close.
Who should use which tool
The right choice depends on the job, not which tool has the most data overall.
| If you are... | Use... | Because... |
|---|---|---|
| Running subdomain enumeration for your own domain on a budget | SecurityTrails | Accessible pricing, well-documented API, supported natively by subfinder and amass. |
| A threat intel analyst pivoting from a malicious IP to related infrastructure | Farsight DNSDB | The rdata reverse query model and longest sensor history make infrastructure pivoting more reliable. |
| Doing a quick cross-reference check on a domain alongside malware reputation | VirusTotal | Free tier, integrated with reputation and malware data in the same view. |
| Monitoring your own organization's full attack surface continuously | An EASM platform like Externalsight | No single passive DNS source alone provides continuous discovery, scanning, and alerting. You need multi-source discovery plus monitoring, not a single query tool. |
| A large enterprise SOC with budget for the deepest dataset | Farsight DNSDB (via DomainTools) | The enterprise pricing reflects access to the deepest available historical record, which matters when investigation completeness is the priority. |
Pricing comparison
Pricing structures reflect each tool's target audience.
- SecurityTrails pricing — Free tier: 50 queries per month, sufficient for occasional individual research. Paid tiers start around $50/month for low-volume use and scale to several hundred dollars per month for organizational API access with higher query limits. Pricing is published and self-serve signup is available without a sales call.
- Farsight DNSDB pricing — No published pricing and no free tier. Access requires contacting DomainTools sales directly. Pricing reflects enterprise and government customer positioning, generally understood in the industry to start in the low thousands of dollars annually and scale significantly higher for high-volume API access.
- VirusTotal pricing — Free tier available with daily query limits, sufficient for ad-hoc lookups. Paid tiers (VirusTotal Enterprise) add higher rate limits and additional API access, priced for organizational threat intelligence use rather than passive DNS specifically. Most users access passive DNS data through the free tier's web interface or limited API quota.
Final verdict
For most security teams running subdomain enumeration against their own infrastructure, SecurityTrails is the practical starting point: accessible pricing, native support in open-source tooling, and sufficient historical depth for the majority of organizational use cases. For threat intelligence work where infrastructure pivoting and the deepest possible historical record matter, Farsight DNSDB through DomainTools is the dataset that justifies its enterprise pricing. VirusTotal is best treated as a supplementary cross-reference tool rather than a primary passive DNS source, valuable specifically because it correlates passive DNS with malware and reputation data in one place.
None of the three replace continuous organizational monitoring. A passive DNS query, however good the data, is a point-in-time answer to a question you have to know to ask. If the goal is knowing what your own attack surface looks like and being alerted when it changes, an EASM platform that combines passive DNS with CT logs, brute-force, and continuous scanning covers ground that passive DNS alone does not.
Frequently asked questions
- Is passive DNS data legal to query and use?
- Yes. Passive DNS databases aggregate DNS queries and responses that were already transmitted over the public internet and observed by sensors at willing participating resolvers. Querying a passive DNS provider's index of this already-public information is standard practice in security research, threat intelligence, and incident response. The legal consideration that does apply is around what you do with the data: using it to investigate domains you have a legitimate reason to investigate is standard, but the tools themselves involve no unauthorized access to any system.
- Should I use more than one passive DNS source?
- For thorough enumeration, yes. Each provider's sensor network has different coverage and different historical depth, so combining results from SecurityTrails and a second source (DNSDB if budget allows, or supplementing with VirusTotal for cross-reference) consistently surfaces names that a single source misses. Most professional recon pipelines using subfinder or amass already query multiple passive sources simultaneously and merge the results, which is the practical version of this recommendation.
- Why does passive DNS sometimes return subdomains that no longer resolve?
- Passive DNS reflects historical observation, not current state. A subdomain that resolved a year ago and was logged by a sensor remains in the database indefinitely even after the DNS record is deleted. This is a feature, not a bug, for security research: those historical subdomains are often the ones worth investigating because they may still have a live backend service even without an active DNS record, or because the deprovisioned resource creates a subdomain takeover opportunity. Always resolve passive DNS results against live DNS afterward to determine current status.
- How is passive DNS different from a CT log search?
- CT logs only contain subdomains that were issued a publicly trusted TLS certificate. Passive DNS contains any subdomain that a sensor observed being queried, regardless of whether it ever had a certificate. A subdomain running only on plain HTTP, or used for an internal tool that was briefly exposed, would appear in passive DNS but never in CT logs. The two sources are complementary, not redundant, which is why thorough enumeration pipelines query both.
Get multi-source discovery without managing API keys
Externalsight's discovery pipeline combines passive DNS, certificate transparency logs, ASN data, and active brute-force into a single continuous process. You provide a root domain; the platform finds the rest and alerts you when new assets appear, without requiring you to manage multiple API keys or merge results manually.