---
title: "Analyze DNS Records to Uncover Cyber Threats"
slug: "analyze-dns-records-to-uncover-cyber-threats"
updated: 2025-12-31T17:39:40Z
published: 2025-12-31T17:39:40Z
canonical: "help.silentpush.com/analyze-dns-records-to-uncover-cyber-threats"
---

# Analyze DNS Records to Uncover Cyber Threats

Passive DNS (PADNS) queries enable security teams to analyze DNS records and Domain Density to uncover attacker infrastructure, establish links between records, and identify malicious patterns. Forward lookups and domain density analysis provide granular insights into DNS record types and their associations.

## Search Passive DNS Data (Forward Lookup)

Search Silent Push’s passive DNS data to link records to global attacker infrastructure using various record types.

### How to Run the Query

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Forward lookup**.
2. Select a record type (`qtype`): A, AAAA, CNAME, MX, NS, PTR4, PTR6, ANY, SOA, TXT.
3. Specify a record name in `qname`.
4. **Optional parameters:**
  - For PTR4 or PTR6, specify a netmask.
  - For A or AAAA, include/exclude subdomains.
  - Include/exclude metadata.
  - Use a regular expression (re2) to override `qname`.
  - Set timestamps: `first_seen_before/after`, `last_seen_before/after`, `as_of`.
  - Sort by columns (`last_seen`, `first_seen`, `query`, `answer`) in asc or desc order.
  - Limit or skip results.
5. Click **Search**.

### Map Relationships Between Domains and IPs to Track Phishing or Malware Infrastructure

Forward lookups reveal historical and current resolutions for a domain or pattern, helping you pivot from a known malicious domain to its IPs, CNAME chains, or related records.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Forward lookup**.
2. Start with `A` or `AAAA` for IP addresses, `CNAME` for alias records, or `TXT` for SPF/DMARC records, which are often abused in phishing.
3. Enter a specific domain (e.g., `malicious-phish.com`) or use regex for broader hunting (e.g., `.*login.*\.com` to catch login-themed phishing domains).
  - Include subdomains if investigating a brand (e.g., all subdomains of `yourbrand.com`).
  - Use `first_seen_after:"2025-01-01"` to focus on newly observed infrastructure.
  - Check **with_metadata** to pull Whois and geolocation data.
  - Sort by `last_seen desc` to prioritize currently active resolutions.
4. Click **Search**. Look for sudden IP changes (possible fast-flux), shared IPs across multiple suspicious domains, or CNAMEs pointing to known bulletproof hosting.
5. Export IPs to block via firewall rules. Feed related domains into threat intel platforms. Chain results into reverse lookups for deeper infrastructure mapping.

## Search Passive DNS Data (Reverse Lookup)

Reverse lookups map IPs or other DNS records back to associated domains or records, using data from trusted third parties to identify attacker infrastructure.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > reverse lookup**.
2. Select a record type (`qtype`): A, AAAA, CNAME, MX, NS, PTR4, PTR6, ANY, SOA, TXT, MXHASH, NSHASH, SOAHASH, TXTHASH.
3. Specify a record name in `qname` (e.g., an IP address for A/AAAA or a hash for MXHASH/NSHASH).
4. **Optional parameters:**
  - For PTR4 or PTR6, specify a netmask.
  - For A or AAAA, include/exclude subdomains.
  - Include/exclude metadata.
  - Use a regular expression (re2) to override `qname`.
  - Set timestamps: `first_seen_before/after`, `last_seen_before/after`, `as_of`.
  - Sort by columns in asc or desc order (use semicolons to separate columns for nested sorting).
  - Limit or skip results.
5. Click **Search**.

### Identify Domains Associated with a Specific IP or Hash to Uncover Attacker-Controlled Infrastructure

Reverse lookups are essential for pivoting from a single indicator (e.g., a malicious IP address from a sandbox report) to all domains historically and currently associated with it.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > reverse lookup**.
2. Use `A` for IPv4 reverse, `AAAA` for IPv6, or hash types (`MXHASH`, `NSHASH`) to find domains sharing the same mail or nameserver setup.
3. Input a known malicious IP (e.g., `192.168.1.100`) or a hash from a previous investigation.
  - Use `last_seen_after:"2025-07-01"` to focus on active infrastructure.
  - Include **with_metadata** for registrar and ASN details.
  - Sort by `first_seen asc` to see the oldest domains (often the attacker’s primary ones).
  - Set a reasonable **Limit** (e.g., 500) to handle high-density IPs.
4. Click **Search**. High-volume results often indicate bulletproof hosting or compromised servers.
5. Cluster domains by theme (e.g., phishing pages, C2). Submit for takedown. Block the IP range if the density is extreme.

## Establish Domain Density

Domain density measures the number of unique domains associated with a network element (e.g., a DNS record, an IP, an ASN). High density may indicate malicious activity.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > density lookup**.
2. Select a query type: Nameserver, MX server, Nameserver hash, MX hash, IPv4 address, IPv6 address, ASN.
3. Enter a query value.
4. Choose a scope:
  - For IPv4: IP (exact match), subnet, subnet_ips, asn, asn_subnets.
  - For ASN: asn, asn_subnets.
  - For NSSRV or MXSRV: host (exact match), domain, subdomain.
5. Click **Search**.

### Identify Patterns of Malicious Activity by Analyzing Domain Concentration

High domain density on a single IP, subnet, or ASN is a classic indicator of bulletproof hosting, phishing kits, or malware distribution networks.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > density lookup**.
2. Start with `IPv4 address` and an IP from a reverse lookup, or `ASN` for broader network analysis.
  - Use `subnet` or `asn_subnets` to expand beyond a single IP.
  - For nameserver analysis, use `Nameserver` + `domain` scope to see all domains under a specific NS.
3. Click **Search**. Results show unique domain counts and lists.
  - More than 500 domains on a single IP are very likely malicious.
  - An ASN with 10,000 domains is a potential bulletproof provider.
  - Review the domain list for thematic clustering (e.g., all banking phishing).
4. Flag the IP/subnet/ASN in your threat intel feeds. Share with hosting providers or CERTs for takedown coordination.
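The heuristics from the forward-lookup and density walkthroughs above (regex plus `first_seen_after` filtering, domains per IP, IPs shared by several suspicious names, and domains that rotate across many IPs) applied to a constructed set of passive DNS records. This is an added example, not Silent Push code or its API; the domains and IPs are made up (documentation ranges), and the thresholds are parameters you would tune to the page's guidance.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of forward-lookup records (query, answer, first_seen, last_seen).
# Made-up names and RFC 5737 documentation IPs; not real indicators.
RECORDS = [
    {"query": "login-secure-bank.example", "answer": "203.0.113.10", "first_seen": "2025-03-01", "last_seen": "2025-03-02"},
    {"query": "login-secure-bank.example", "answer": "203.0.113.11", "first_seen": "2025-03-02", "last_seen": "2025-03-03"},
    {"query": "login-secure-bank.example", "answer": "203.0.113.12", "first_seen": "2025-03-03", "last_seen": "2025-03-04"},
    {"query": "account-login-verify.example", "answer": "203.0.113.10", "first_seen": "2025-03-01", "last_seen": "2025-03-10"},
    {"query": "bank-login-update.example", "answer": "203.0.113.10", "first_seen": "2025-02-20", "last_seen": "2025-03-10"},
    {"query": "corp-intranet.example", "answer": "198.51.100.5", "first_seen": "2020-01-01", "last_seen": "2025-03-10"},
]


def select(records, pattern, first_seen_after):
    """Mimic the forward-lookup filters: a regex over the query name plus first_seen_after."""
    rx = re.compile(pattern)
    cutoff = date.fromisoformat(first_seen_after)
    return [r for r in records
            if rx.fullmatch(r["query"]) and date.fromisoformat(r["first_seen"]) > cutoff]


def domain_density(records):
    """Unique domains per answer IP, i.e. the density lookup's exact-IP scope."""
    per_ip = defaultdict(set)
    for r in records:
        per_ip[r["answer"]].add(r["query"])
    return {ip: len(domains) for ip, domains in per_ip.items()}


def shared_ips(records, min_domains=2):
    """IPs hosting several of the matching domains (shared infrastructure)."""
    return sorted(ip for ip, n in domain_density(records).items() if n >= min_domains)


def fast_flux_candidates(records, min_distinct_ips=3):
    """Domains whose resolutions rotate across several IPs (sudden IP changes)."""
    per_domain = defaultdict(set)
    for r in records:
        per_domain[r["query"]].add(r["answer"])
    return sorted(d for d, ips in per_domain.items() if len(ips) >= min_distinct_ips)


if __name__ == "__main__":
    hits = select(RECORDS, r".*login.*\.example", "2025-01-01")
    print("density per IP:", domain_density(hits))
    print("shared IPs:", shared_ips(hits))
    print("fast-flux candidates:", fast_flux_candidates(hits))
```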

## Save Query

1. Specify query parameters.
2. Click **Save Query**.
3. Provide a **Name** and **Description** for context.
4. Click **Save**. The query appears in [**Private Queries**](/v1/docs/private-queries).

## Glossary

- **Passive DNS:** A dataset of historical DNS query and response records used to map domain-to-IP relationships, track infrastructure changes, and identify malicious activity.
- **Domain density:** A metric measuring the number of unique domains associated with a network element (e.g., IP, ASN, nameserver, or MX server), used to detect concentrated malicious activity or infrastructure patterns.
- **Whois:** Publicly available data collected during domain registration or DNS updates, used to analyze domain ownership and history.
- **Firewall:** A security device or software that monitors and controls network traffic based on predefined rules, protecting systems from unauthorized access or malicious activities.
- **Infrastructure mapping:** A technique that visualizes and analyzes relationships between malicious IPs, domains, and other infrastructure to uncover threat actor networks.
- **IP range:** A defined set of IP addresses used to correlate malicious activity or infrastructure within a specific network range.
- **Subdomain:** The specific subdomain extracted from a hostname, used to analyze hierarchical domain structures for potential threats.
