Wouldn’t it be nice to have an extra layer of network security, without having to spend more resources?

Or, perhaps you think you – or your organization – can contribute to making the web a safer place?

In our annual report, our CEO spoke of the importance of sharing relevant threat data, information and intelligence with the security community. Many in the community are familiar with the projects we either run or support, but this time it’s all about giving back to the user.

Our new DNS cloud service extends our Threat Intelligence database with vast amounts of legitimate and malicious DNS traffic from users all around the world. By passively collecting DNS data from domain name lookups, we can compare similar entries over time to detect discrepancies.

For example, if BBC.com suddenly starts resolving to a different IP address, a security researcher will be able to go back and pinpoint the exact point in time the legitimate website served malicious code using our passive DNS data. By doing this, users of our free passive DNS database can be protected against visiting fluctuating or previously unknown domains, which are often associated with malicious behavior.

In addition, our DNS service includes block lists of known bad domains and IP addresses. If a user is unlucky enough to request a malicious domain, our DNS server redirects them to our sinkhole, and prevents the user from visiting the malicious domain in question. When this happens, our sinkhole presents an informative block page to the end user, giving them the necessary info to contact us in case a legitimate and otherwise safe domain has been blocked.

Companies and smaller organizations can easily redirect their users to our public DNS servers to add an additional layer of security outside their own perimeter. Our secure DNS service includes block lists from our Argus Managed Defence service, and are checked by analysts in our Security Operations Center (SOC) for quality assurance purposes. The DNS server will also check the IP addresses contained in the reply against our IP block lists for added protection.

End user protection features

  • IP and Domain block lists based on the billions of daily events processed by our Argus Managed Defence service.
  • The latest findings from mnemonic’s security analysts and researchers.
  • Redundant cloud based infrastructure, managed 24/7 by mnemonic to ensure high availability and reliability.
  • Sinkholing of known malicious traffic, including C2 bot traffic, malicious web pages, and malicious links, malicious downloads etc.

General security features

  • By comparing DNS requests to the behavior of known Threat Actors (e.g. bad guys), we can track their behavior over time. When a request is blocked and Sinkholed, we map these requests to known actors and compare them to our Threat Intelligence sources. This enables us to continuously improve our services.
  • mnemonic maintains a large passive DNS database, as of February 2015 it contained over 1 billion unique entries and it continually increases. The passive DNS database records IP assignments for domains over time. This is a support tool for security researchers when investigating malicious behavior. Researchers can go back in time and see when changes in DNS records occurred. The passive DNS database is also freely available.


  • Only the destination IP / Domain pair you look up is stored in our passive DNS database.
  • We do not store your IP address unless it is part of an attack, e.g. already in our lists from other confirmed events

Service level

We currently provide two service levels.

An Open level, intended for anyone who would like to increase their overall protection. This is available to anyone, both companies and end users without any additional cost.

An Enterprise level, containing extra security features. The Enterprise level is available upon request.

Service Level - Open

 The Open level includes a best effort service, managed 24/7 by our own team of infrastructure specialists and hosted in cloud infrastructure around the world. The IP and Domain block lists in the Open level service consists of reputation sources categorized as TLP:WHITE [https://www.us-cert.gov/tlp], which means they are freely available to anyone. TLP:WHITE consists of entries from our own malware research, the continuous analysis of billions of events in the Argus Managed Defence service, findings from our Incident Response Team and publicly available sources.

Service Level - Enterprise

The enterprise service level is delivered through a separate, dedicated infrastructure. These DNS servers combine the security level from the Open service with additional features. For our enterprise level customers we are able to customize which reputation sources they get access to based on our knowledge of the actual customer. During an attack on your company, mnemonic will be able to filter out malicious traffic on-the-fly based on feedback from the mnemonic Incident Response Team (mIRT), your own IRT team or relevant authorities. This includes traffic from block lists not freely available to the public (e.g. data and information related to Advanced Persistent Threats, threats pertinent to your company alone or other limited campaigns). If you are already an Argus Managed Defence customer, we are also able to filter out DNS requests based on feedback from analyzing your traffic directly.