Analyze DNS Records to Uncover Cyber Threats

Search Passive DNS Data (Forward Lookup)

Search Silent Push’s passive DNS data to link records to global attacker infrastructure using various record types.

How to Run the Query

1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Forward lookup.

2. Select a record type (qtype): A, AAAA, CNAME, MX, NS, PTR4, PTR6, ANY, SOA, TXT.

3. Specify a record name in qname.

4. Optional parameters:            

   • For PTR4 or PTR6, specify a netmask.

   • For A or AAAA, include/exclude subdomains.

   • Include/exclude metadata.

   • Use a regular expression (re2) to override qname.

   • Set timestamps: first_seen_before/after, last_seen_before/after, as_of.

   • Sort by columns (last_seen, first_seen, query, answer) in asc or desc order.

   • Limit or skip results.

5. Click Search.

Map Relationships Between Domains and IPs to Track Phishing or Malware Infrastructure

Forward lookups reveal historical and current resolutions for a domain or pattern, helping you pivot from a known malicious domain to its IPs, CNAME chains, or related records.

1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Forward lookup.

2. Start with A or AAAA for IP addresses, CNAME for alias records, or TXT for SPF/DMARC records, which are often abused in phishing.

3. Enter a specific domain (e.g., malicious-phish.com) or use regex for broader hunting (e.g., .*login.*\.com to catch login-themed phishing domains).

   • Include subdomains if investigating a brand (e.g., all subdomains of yourbrand.com).

   • Use first_seen_after:"2025-01-01" to focus on newly observed infrastructure.

   • Check with_metadata to pull Whois and geolocation data.

   • Sort by last_seen desc to prioritize currently active resolutions.

4. Click Search. Look for sudden IP changes (possible fast-flux), shared IPs across multiple suspicious domains, or CNAMEs pointing to known bulletproof hosting.

5. Export IPs to block via Firewall rules. Feed related domains into threat intel platforms. Chain results into reverse lookups for deeper Infrastructure mapping.  

Search Passive DNS Data (Reverse Lookup)

Reverse lookups map IPs or other DNS records back to associated domains or records, using data from trusted third parties to identify attacker infrastructure.

1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > reverse lookup.

2. Select a record type (qtype): A, AAAA, CNAME, MX, NS, PTR4, PTR6, ANY, SOA, TXT, MXHASH, NSHASH, SOAHASH, TXTHASH.

3. Specify a record name in qname (e.g., an IP address for A/AAAA or a hash for MXHASH/NSHASH).

4. Optional parameters:            

   • For PTR4 or PTR6, specify a netmask.

   • For A or AAAA, include/exclude subdomains.

   • Include/exclude metadata.

   • Use a regular expression (re2) to override qname.

   • Set timestamps: first_seen_before/after, last_seen_before/after, as_of.

   • Sort by columns in asc or desc order (use semi-colons for nested sorting).

   • Limit or skip results.

5. Click Search.

Identify Domains Associated with a Specific IP or Hash to Uncover Attacker-Controlled Infrastructure

Reverse lookups are essential for pivoting from a single indicator (e.g., a malicious IP address from a sandbox report) to all domains historically and currently associated with it.

1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > reverse lookup.

2. Use A for IPv4 reverse, AAAA for IPv6, or hash types (MXHASH, NSHASH) to find domains sharing the same mail or nameserver setup.

3. Input a known malicious IP (e.g., 192.168.1.100) or a hash from a previous investigation.            

   • Use last_seen_after:"2025-07-01" to focus on active infrastructure.

   • Include with_metadata for registrar and ASN details.

   • Sort by first_seen asc to see the oldest domains (often the attacker’s primary ones).

   • Set a reasonable Limit (e.g., 500) to handle high-density IPs.

4. Click Search. High-volume results often indicate bulletproof hosting or compromised servers.

5. Cluster domains by theme (e.g., phishing pages, C2). Submit for takedown. Block the IP Range if the density is extreme.

Domain density measures the number of unique domains associated with a network element (e.g., a DNS record, an IP, an ASN). High density may indicate malicious activity.

1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > density lookup.

2. Select a query type: Nameserver, MX server, Nameserver hash, MX hash, IPv4 address, IPv6 address, ASN.

3. Enter a query value.

4. Choose a scope:            

   • For IPv4: IP (exact match), subnet, subnet_ips, asn, asn_subnets.

   • For ASN: asn, asn_subnets.

   • For NSSRV or MXSRV: host (exact match), domain, Subdomain.

5. Click Search.

Identify Patterns of Malicious Activity by Analyzing Domain Concentration

High domain density on a single IP, subnet, or ASN is a classic indicator of bulletproof hosting, phishing kits, or malware distribution networks.

1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > density lookup.

2. Start with IPv4 address and an IP from a reverse lookup, or ASN for broader network analysis.

   • Use subnet or asn_subnets to expand beyond a single IP.

   • For nameserver analysis, use Nameserver + domain scope to see all domains under a specific NS.

3. Click Search. Results show unique domain counts and lists.

   • >500 domains on a single IP are very likely malicious.

   • An ASN with 10,000 domains is a potential bulletproof provider.

   • Review the domain list for thematic clustering (e.g., all banking phishing).

4. Flag the IP/subnet/ASN in your threat intel feeds. Share with hosting providers or CERTs for takedown coordination.

1. Specify query parameters.

2. Click Save Query.

3. Provide a Name and Description for context.

4. Click Save. The query appears in Private Queries.