Returned data

Each search on the Deteque Passive DNS API returns a structured object like the following:

{
    "error": false,
    "elapsed-ms": 1,
    "hits": 2,
    "records": [
        {
            "id": "76B92A16A9DD74A0BE1B1EFCDA6DD9B7",
            "rrname": "deteque.com",
            "rrclass": "IN",
            "rrtype": "A",
            "rdata": "199.168.88.50",
            "time_first": 1522330452,
            "time_last": 1522330722
        },
        {
            "id": "564274624602A0A87ABF9EA68909C940",
            "rrname": "deteque.com",
            "rrclass": "IN",
            "rrtype": "NS",
            "rdata": "auth1.deteque.com",
            "time_first": 1522330452,
            "time_last": 1522330722
        }
    ],
    "status": 200,
    "verbose": 0
}
  • error can be true or false. If the query was successful, it is always false.

  • elapsed-ms reflects how long the query took. It is provided so that clients can implement a backoff method (slowing down their query rate) if the value grows too much.

  • hits is an integer value indicating how many entries were found, if any.

  • The records field is an array containing all the entries found.

  • status mirrors the same value returned by the HTTP Status Code of the response.

  • verbose shows if the “verbose” parameter was used in the request.

Each entry representing a DNS record contains the following information:

  • id is a unique identifier for the record.

  • rrname, rrtype, rrclass, rdata represent the single DNS record entry.

  • time_last is the Unix timestamp of the last time this record was seen.

  • time_first (not shown by default) is the Unix timestamp of the first time this record was seen.
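
The following client-side sketch is an added example, not code from Deteque: it checks the error field, converts the timestamps to UTC, tolerates a missing time_first, and derives a pause between queries from elapsed-ms. The names parse_response and next_delay and the values SLOW_MS and MAX_DELAY_S are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone

# Assumed client-side policy; the page does not give thresholds.
SLOW_MS = 500        # elapsed-ms above which the client backs off
MAX_DELAY_S = 30.0   # cap on the pause between queries

# The page's sample response, with time_first removed from the second
# record (constructed) to show the default case where it is not returned.
SAMPLE = json.dumps({
    "error": False, "elapsed-ms": 1, "hits": 2, "status": 200, "verbose": 0,
    "records": [
        {"id": "76B92A16A9DD74A0BE1B1EFCDA6DD9B7", "rrname": "deteque.com",
         "rrclass": "IN", "rrtype": "A", "rdata": "199.168.88.50",
         "time_first": 1522330452, "time_last": 1522330722},
        {"id": "564274624602A0A87ABF9EA68909C940", "rrname": "deteque.com",
         "rrclass": "IN", "rrtype": "NS", "rdata": "auth1.deteque.com",
         "time_last": 1522330722},
    ],
})

def _utc(ts):
    """Unix timestamp -> timezone-aware UTC datetime; None stays None."""
    return None if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc)

def parse_response(body):
    """Check the envelope, then return (normalized records, elapsed-ms)."""
    doc = json.loads(body)
    if doc.get("error") is not False:
        raise ValueError(f"query failed, status={doc.get('status')}")
    records = []
    for rec in doc.get("records") or []:
        records.append({
            "id": rec["id"],
            "rrset": (rec["rrname"], rec["rrclass"], rec["rrtype"], rec["rdata"]),
            "first_seen": _utc(rec.get("time_first")),  # absent by default
            "last_seen": _utc(rec["time_last"]),
        })
    return records, doc.get("elapsed-ms", 0)

def next_delay(elapsed_ms, delay_s=0.0):
    """Pause before the next query: double while slow, halve once fast again."""
    if elapsed_ms > SLOW_MS:
        return min(MAX_DELAY_S, max(1.0, delay_s * 2))
    return delay_s / 2 if delay_s > 1.0 else 0.0
```

Feed the elapsed-ms value returned by parse_response into next_delay after every query and sleep for the result before sending the next one.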