Passive DNS Daily Files Endpoint
The Passive DNS Daily Files Endpoint allows a user to download dumps of passive DNS daily files over HTTPS. These files are in CSV format and are compressed with gzip. The previous day's files are available by 00:30 UTC.
URL
https://daily-01.deteque.com/pdns/
Example Curl Command
curl --user <user>:<password> "https://daily-01.deteque.com/pdns/address_ipv4_<YYYYMMDD>.csv.gz"
Supported Files
Address IPv4
The address IPv4 files contain hostname and IPv4 address pairs with the epoch timestamp of the query. The filename has the format ‘address_ipv4_YYYYMMDD.csv.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
timestamp | ipv4 | hostname
Address IPv6
The address IPv6 files contain hostname and IPv6 address pairs with the epoch timestamp of the query. The filename has the format ‘address_ipv6_YYYYMMDD.csv.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
timestamp | ipv6 | hostname
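A common use of the address files is to list every hostname seen resolving into a network of interest. The following is an added example, not part of the original documentation: it streams a gzip-compressed address file (IPv4 or IPv6), skips malformed rows, and groups hostnames by watched network. The comma delimiter, the function names and the sample rows are assumptions made for illustration.

```python
import csv
import gzip
import io
import ipaddress
from datetime import datetime, timezone

def iter_address_rows(fileobj, delimiter=","):
    """Yield (datetime, ip, hostname) from a gzip-compressed address file.

    Column order follows the page: timestamp, address, hostname. The comma
    delimiter is an assumption; pass delimiter="|" if the files use pipes.
    Malformed rows are skipped so one bad line does not abort a large file.
    """
    with gzip.open(fileobj, mode="rt", encoding="utf-8", errors="replace", newline="") as text:
        for row in csv.reader(text, delimiter=delimiter):
            if len(row) != 3:
                continue
            ts, addr, host = (field.strip() for field in row)
            try:
                seen = datetime.fromtimestamp(int(ts), tz=timezone.utc)
                ip = ipaddress.ip_address(addr)
            except (ValueError, OverflowError, OSError):
                continue
            yield seen, ip, host.rstrip(".").lower()

def hosts_in_networks(fileobj, cidrs, delimiter=","):
    """Map each watched network to the hostnames seen resolving into it."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits = {str(n): set() for n in networks}
    for _seen, ip, host in iter_address_rows(fileobj, delimiter):
        for net in networks:
            if ip.version == net.version and ip in net:
                hits[str(net)].add(host)
    return hits

def sample_file():
    """Constructed sample rows (documentation address ranges), gzipped in memory."""
    rows = (
        "1680876532,192.0.2.10,www.example.com\n"
        "1680876540,198.51.100.7,mail.example.net.\n"
        "1680876555,192.0.2.77,CDN.Example.org\n"
        "not-a-timestamp,192.0.2.1,broken.example\n"
        "1680876560,999.1.1.1,badip.example\n"
    )
    return io.BytesIO(gzip.compress(rows.encode()))

if __name__ == "__main__":
    for net, hosts in hosts_in_networks(sample_file(), ["192.0.2.0/24"]).items():
        print(net, sorted(hosts))
```

For a downloaded file, pass its path (for example the `address_ipv4_<YYYYMMDD>.csv.gz` file) in place of `sample_file()`.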
CNAME
The cname files contain canonical hostname and hostname pairs with the epoch timestamp of the query. The filename has the format ‘cname_YYYYMMDD.csv.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
timestamp | hostname | canonical hostname
MX
The mx files contain domain and mx pairs (priority included) with the epoch timestamp of the query. The filename has the format ‘mx_YYYYMMDD.csv.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
timestamp | domain | mx
Nameserver
The nameserver files contain domain and nameserver pairs with the epoch timestamp of the query. The filename has the format ‘nameserver_YYYYMMDD.csv.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
timestamp | hostname | TXT
TXT
The TXT files contain host and TXT record pairs with the epoch timestamp of the query, in JSON format. TXT records are provided as JSON because their character sets are difficult to read in CSV format. The filename has the format ‘txt_YYYYMMDD.json.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
{
"timestamp": 1680876532,
"qname": "example.com",
"txt": "v=spf1 -all"
}
SOA
The SOA files contain the SOA information of domains. For easier processing, these files are in JSON format. The filename has the format ‘soa_YYYYMMDD.json.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
{
"timestamp": 1680876532,
"domain": "example.com",
"ns": "ns.icann.org.",
"mbox": "noc.dns.icann.org.",
"serial": 2023013039,
"refresh": 7200,
"retry": 3600,
"expire": 1209600,
"minttl": 3600
}
New Domains
The new domains files contain newly seen domains with the first seen epoch timestamp of the query. This feed is a derivative of the nameserver/domain feed and contains subdomains. The filename has the format ‘new_domains_YYYYMMDD.csv.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
timestamp | domain
NBD
The Nothing But Domains (“NBD”) files contain newly seen domains, limited to domains that match the criteria outlined here: https://docs.spamhaus.com/sia/docs/source/02-data-explained/data-anatomy.html#domain-address-records. This feed is a derivative of the New Domains feed and does not contain subdomains. The filename has the format ‘nbd_YYYYMMDD.csv.gz’, where ‘YYYYMMDD’ is the date of the file. The contents of the file are in the format below:
timestamp | domain
Example Script
Below is an example Bash script for downloading the files:
#!/bin/sh
# Download one day's passive DNS daily files into DATADIR.
USER=user
DATADIR=/tmp
PASSWORD=password
# No trailing slash here, so the URLs built below do not contain "//".
BASE_URL=https://daily-01.deteque.com/pdns
# Assumption: fetch the previous day's files (GNU date syntax).
DATE=$(date -u -d yesterday +%Y%m%d)

for NAME in address_ipv4 address_ipv6 cname mx nameserver nbd new_domains; do
    # --fail makes curl exit non-zero on an HTTP error instead of saving the error page.
    /usr/bin/curl --silent --fail --user "${USER}:${PASSWORD}" \
        "${BASE_URL}/${NAME}_${DATE}.csv.gz" -o "${DATADIR}/${NAME}_${DATE}.csv.gz"
done