Passive network monitor vs network firewall appliance — DNS traffic watcher, network observability, no cloud dependency, local management

What is a passive network monitor — and why it's not a firewall

Most network security devices are built around a single idea: block the bad thing. A firewall filters packets. An intrusion prevention system (IPS) inspects traffic for suspicious patterns and drops what matches. Both sit in the path of traffic and act on it. An intrusion detection system (IDS) is the exception in that family: it usually watches a mirrored copy of the traffic and only raises alerts. A passive network monitor takes that idea to its simplest form. It watches, and it does nothing else.

That distinction — observation without intervention — sounds subtle until the consequences are considered. An inline device that can block traffic can also break it. A misconfigured rule takes the network down. A false positive severs a connection that was legitimate. A passive monitor cannot break anything because it is not in the path. It reads the traffic that is already flowing and reports on it. The network keeps working regardless of what the monitor says.

Passive vs active: what the words mean

An active network device sits between devices and the internet, or between segments of a network, and makes decisions about every packet that passes through. Firewalls, IPS and most security gateways are active. They inspect, they filter, they drop, they redirect. They have to be inline, because the whole point is to intervene. (An IDS normally watches a copy and alerts; it sits on the passive side of this line.)

A passive network device is not inline. It receives a copy of the traffic, or it observes traffic at a layer that doesn't require interception — DNS queries being the clearest example. It reads, it records, it surfaces. It does not modify a single packet. It does not block, it does not allow, it does not prioritise. Network observability is its entire job.

The trade-off is deliberate. An active device gives you control. A passive device gives you knowledge. They answer different questions. The firewall answers "should this be allowed?". The passive monitor answers "what is actually happening on this network?"

What DNS traffic reveals

DNS is the directory the entire internet runs on. Before a device connects to any service (a website, an app backend, an ad tracker, a malware command-and-control server) it asks DNS to resolve a domain name into an IP address. That query happens before the connection is opened. With ordinary, unencrypted DNS it is visible to anything watching the network. The exceptions matter: a device that resolves names over DNS over HTTPS or DNS over TLS, as some browsers and phones do by default, one that connects straight to a hard-coded IP address, or one that still has the answer cached sends no query a passive watcher can read.

A DNS traffic watcher reads those queries and reconstructs a picture of what every device on the network is talking to. The domains reveal intent. A query for update.microsoft.com is an operating system checking for patches. A query for an unknown, freshly-registered domain at 3 a.m. is something worth investigating. A stream of queries to known advertising domains shows which devices are phoning home and how often, although not which app on the device is responsible: a DNS query identifies the client, not the process that triggered it.

DNS observation works as a passive technique because DNS queries can be mirrored or observed without intercepting the connection itself. The monitor sees the question. It never has to touch the answer. How the copy reaches the monitor still matters: a mirror port or a tap keeps it out of band, whereas making the monitor the network's configured resolver would put it on the DNS path and cost it the fail-safe property described below.
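What "seeing the question and never touching the answer" looks like in code, as an added example that is not Known's firmware: a parser that reads only the 12-byte header and the question section of raw DNS messages, drops anything with the QR (response) bit set, and records which client asked for which name. The client addresses, the example domains and the sample packets are constructed for this example; build_query exists only to produce that sample input.

```python
"""Passive DNS question parser.

Added example, not Known's firmware: read the header and question
section of raw DNS messages and record which client asked for which
name.  Answer records are never parsed.  The sample packets at the
bottom are constructed for this example.
"""
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_NAMES = {1: "A", 5: "CNAME", 12: "PTR", 16: "TXT", 28: "AAAA", 65: "HTTPS"}


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset; return (name, offset after the name).

    Compression pointers (RFC 1035 4.1.4) are followed with a hop limit
    so a crafted packet cannot make the parser loop forever.
    """
    labels: List[str] = []
    hops = 0
    end = None  # where the name ends in the original byte stream
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 8:
                raise ValueError("compression pointer loop")
            continue
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_query(msg: bytes) -> Optional[dict]:
    """Return {'id', 'questions'} for a DNS query; None for a response.

    Only the header and the question section are read.  A message with
    the QR bit set is a response and is dropped without being parsed.
    """
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        return None
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), QTYPE_NAMES.get(qtype, str(qtype))))
    return {"id": txid, "questions": questions}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query; used here only to build sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QR clear
    return header + qname + struct.pack("!HH", qtype, 1)


def observe(packets) -> Dict[str, List[Tuple[str, str]]]:
    """packets: iterable of (client_ip, raw_dns_bytes) as a mirror port delivers them.
    Returns {client_ip: [(name, qtype), ...]}; responses are skipped."""
    seen: Dict[str, List[Tuple[str, str]]] = {}
    for client, raw in packets:
        parsed = parse_query(raw)
        if parsed is None:
            continue
        seen.setdefault(client, []).extend(parsed["questions"])
    return seen


# Constructed sample traffic (private addresses, example domains).
_q = build_query("metrics.example-tv.net")
SAMPLE_PACKETS = [
    ("192.168.1.20", build_query("update.microsoft.com")),
    ("192.168.1.20", build_query("update.microsoft.com", qtype=28)),
    ("192.168.1.44", _q),
    ("192.168.1.1", _q[:2] + b"\x81\x80" + _q[4:]),  # resolver's reply: QR=1, skipped
]

if __name__ == "__main__":
    for client, names in observe(SAMPLE_PACKETS).items():
        print(client, names)
```

The hop limit in _read_name is the one defensive detail worth copying: a watcher that parses untrusted packets off the wire must not be stalled by a compression pointer that points at itself.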

Why observation without intervention is valuable

A network that is only filtered is a network that is only understood through the filter's rules. If the firewall blocks something, the user never learns it was attempted. If it allows something, the user never learns it happened. The firewall's rule set becomes the only lens on the network — and rule sets are rarely exhaustive and frequently stale.

Passive monitoring fills that gap. It shows what is actually happening, including the traffic that a firewall would never think to block: a smart TV beaconing to a metrics server forty times an hour, a phone app contacting a third-party analytics domain, a firmware update reaching out to a server in an unexpected region. None of that is malicious in the way a firewall is built to detect. All of it is information a person may want.
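The report that turns raw observations into the "forty times an hour" and "first seen at 3 a.m." findings above, as an added example that is not Known's code: it groups (timestamp, client, domain) records per device and domain, computes the query rate over the observed window, uses the regularity of the gaps to separate a timer-driven beacon from merely chatty traffic, and notes names first seen in the quiet hours. The thresholds, the UTC quiet-hours window, the device addresses and the domains are assumptions made for this example, and the observation records are constructed.

```python
"""Per-device DNS report: counts, query rate, regularity, first-seen time.

Added example, not Known's code.  It consumes observation records of
the form (epoch_seconds, client_ip, domain), such as a passive DNS
watcher would produce, and flags the patterns the text describes.
Thresholds, device addresses and domains are assumptions made for the
example; the records are constructed below.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

BEACON_PER_HOUR = 30       # assumed: at or above this rate, look closer
REGULAR_CV = 0.25          # assumed: gap stdev/mean below this looks timer-driven
QUIET_HOURS = range(0, 6)  # assumed: 00:00-05:59 UTC is "3 a.m." territory


def summarise(observations):
    """Group records by (client, domain) and compute stats and flags.

    Returns {client: {domain: {count, per_hour, first_seen, flags}}}.
    per_hour is intervals per hour over the observed window (None with
    fewer than two queries).  Flags: 'beacon' (high rate and regular),
    'high-rate' (high rate but irregular), 'first-seen-quiet-hours'.
    """
    stamps = defaultdict(list)
    for ts, client, domain in observations:
        stamps[(client, domain.lower())].append(float(ts))

    report = defaultdict(dict)
    for (client, domain), ts in stamps.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        span = ts[-1] - ts[0]
        per_hour = (len(ts) - 1) * 3600 / span if len(ts) >= 2 and span > 0 else None
        # Coefficient of variation of the gaps: near zero means a fixed timer.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None

        flags = []
        if per_hour is not None and per_hour >= BEACON_PER_HOUR:
            flags.append("beacon" if cv is not None and cv < REGULAR_CV else "high-rate")
        first = datetime.fromtimestamp(ts[0], timezone.utc)
        if first.hour in QUIET_HOURS:
            flags.append("first-seen-quiet-hours")

        report[client][domain] = {
            "count": len(ts),
            "per_hour": None if per_hour is None else round(per_hour, 1),
            "first_seen": first.isoformat(),
            "flags": flags,
        }
    return dict(report)


def _at(hour, minute=0, second=0):
    """Epoch seconds on a fixed date (2024-01-01 UTC), for constructing samples."""
    return datetime(2024, 1, 1, hour, minute, second, tzinfo=timezone.utc).timestamp()


# Constructed observations: a TV on a 90-second timer, a phone's
# analytics calls, and a laptop that woke at 03:00 and asked for a name
# nothing else on this network had asked for.
SAMPLE_OBSERVATIONS = (
    [(_at(12) + 90 * i, "192.168.1.44", "metrics.example-tv.net") for i in range(41)]
    + [(_at(12, 5), "192.168.1.31", "analytics.example-app.com"),
       (_at(12, 6, 10), "192.168.1.31", "analytics.example-app.com"),
       (_at(13, 40), "192.168.1.31", "analytics.example-app.com"),
       (_at(3), "192.168.1.20", "xq7k-cdn.example"),
       (_at(12, 1), "192.168.1.20", "update.microsoft.com")]
)

if __name__ == "__main__":
    for client, domains in summarise(SAMPLE_OBSERVATIONS).items():
        for domain, stats in domains.items():
            print(client, domain, stats)
```

Rate alone is a weak signal; the regularity check is what separates a firmware heartbeat from a person reloading a page, and the quiet-hours flag is only a prompt to look, not a verdict.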

Observation also fails safely. A passive monitor that misbehaves, crashes, or is removed does not interrupt the network. An active device that fails in-line can take the whole household offline. For a home network — where there is no on-call network engineer — that reliability matters.

Passive vs active: a comparison

  • Position on the network. Active: inline, every packet passes through. Passive: out of band, observes a copy or a protocol layer like DNS.
  • Action taken. Active: allows, blocks, filters, redirects. Passive: reads and reports. No packet is modified.
  • Failure mode. Active: a failure or misconfiguration can break connectivity. Passive: a failure removes visibility but the network keeps running.
  • Question answered. Active: "should this traffic be allowed?". Passive: "what is this network actually doing?"
  • Privacy posture. Active: may inspect payload content to decide. Passive DNS: sees the domain name, the device that asked and when; no payload, no connection content.
  • Setup complexity. Active: requires routing changes, rule tuning, ongoing maintenance. Passive: configure DNS observation, no routing changes.

Why Known chose passive

Known is a privacy network monitor built on the Pico 2 W (RP2350). It watches DNS traffic on a local network and surfaces what it sees — and it stops there. No filtering, no blocking, no inline position. That choice was made for three reasons.

First, privacy. A passive DNS monitor sees domain names, not packet contents. It does not decrypt TLS, it does not inspect payloads, and it never sees a URL path or a page. What it does hold, the list of domains each device asked for and when, is itself sensitive, so Known keeps it in volatile memory only: it stops existing the moment power is removed.

Second, reliability. Known cannot break the network it watches. A household that unplugs Known still has internet. That is the right failure mode for a device that lives in a home, not a data centre.

Third, no cloud dependency and local management. An active device that blocks traffic is a tempting target for a remote control channel. A passive observer that stores nothing persistently and talks to no cloud service gives an attacker far less to work with: no remote control channel, no account to phish, no stored history to exfiltrate. What remains is the live view on the local management interface, which only someone already on the home network can reach. Known is managed locally, runs open source firmware, and makes no outbound connections of its own. There is no account, no telemetry, no subscription. The device is the entire system.

A network firewall appliance and a passive network monitor are not competitors. They solve different problems. A firewall decides what gets through. A passive monitor shows what is already there. For a person who wants to understand their network — what it reaches, how often, and whether any of that is surprising — passive observation is the simpler and safer place to start.