Analyze Domain Relationships to Uncover Cyber Threats


Silent Push enables security teams to analyze domain-to-IP and Autonomous System Number (ASN) relationships to identify attacker infrastructure, track malicious patterns like domain generation algorithms (DGAs) or fast-flux techniques, and assess IP diversity. These tools help uncover networks hosting domains, detect suspicious activity, and prioritize threat investigations.

Get ASNs for a Domain (Last 30 Days)

Retrieve a list of ASNs associated with A records for a domain (including subdomains) within the last 30 days.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > ASNs seen for domain.

  2. Specify a domain.

  3. Choose result_format to return an ASN list only or detailed information.

  4. Click Search.

Identify Hosting Networks, Track Threat Actor Behavior, or Detect DGAs and Fast-Flux Techniques

Multiple or rapidly changing ASNs for a single domain family can indicate DGA usage or fast-flux evasion by threat actors. Legitimate multi-provider hosting also produces more than one ASN, so treat the count as a lead to confirm with the detailed view rather than as proof on its own.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > ASNs seen for domain.

  2. Input a known malicious domain or a brand you are protecting (e.g., yourbank.com).

  3. Choose Detailed to see ASN counts, first/last seen dates, and associated IPs for better context.

  4. Click Search.

    • A single ASN usually means either legitimate hosting or tightly controlled malicious infrastructure; the ASN count alone does not tell the two apart.

    • Multiple ASNs, especially bulletproof or privacy-hosting providers, are an indicator of fast-flux or DGA infrastructure.

    • Unexpected ASNs serving your brand's domain may indicate typosquatting or phishing hosted elsewhere.

  5. Cross-reference suspicious ASNs with reputation feeds. Block traffic to non-approved ASNs for your domains, bearing in mind that ASN-level blocks are coarse and can cover shared hosting you rely on. Pivot to reverse lookups on the returned IPs.

Get IP Diversity for a Domain

IP diversity counts the unique IP addresses (A/AAAA records) observed for a domain. Low diversity is consistent with single-server hosting, which is common for malicious infrastructure; high diversity is typical of legitimate networks and CDNs, although fast-flux infrastructure also produces it.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > IP diversity lookup.

  2. Select query type: A or AAAA.

  3. Specify the record’s name (the host or domain) in query.

  4. Use window to filter records with a “last_seen” within a specified number of days.

  5. Select timeline to include details of IPs, ASNs, first_seen, and last_seen.

  6. Choose a scope:

    • For A records: host (exact match, default), domain (all hosts in domain), subdomain, live (live data, exact match).

    • For AAAA records: live only.

  7. Click Search.

Detect Malicious Networks (Low Diversity) or Legitimate CDNs (High Diversity)

Low IP diversity on a domain that is not behind a CDN is consistent with single-server hosting, which is how most C2 and phishing pages are deployed (and also how most small legitimate sites are). High diversity on a domain with no legitimate reason for it, such as no CDN or large operator behind it, suggests fast-flux.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > IP diversity lookup.

  2. Use A records and domain scope to cover all subdomains of a target (e.g., malicious.com).

  3. Set window: 30 days for recent activity or 7 days for very active fast-flux detection.

  4. Check timeline to see the full list of IPs and their observation periods.

  5. Click Search.

    • 1–5 unique IPs is typical of C2 or phishing landing pages, and also of any small single-host site, so combine it with ASN and reputation context before acting.

    • 50+ unique IPs indicates either a CDN (legitimate) or fast-flux (malicious); ASN diversity and how long each IP stays in the timeline separate the two.

    • Cross-check high-diversity non-CDN domains against known fast-flux signatures.

  6. Block low-diversity malicious IPs directly. For high-diversity cases, pivot to ASN analysis or density lookups to confirm intent.
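The checks in the two procedures above (ASN count per domain, IP diversity inside a window, and how long each IP stays in the timeline) can be reproduced offline once the Detailed or timeline results are exported. The Python below is an added example, not Silent Push code: the Record layout is an assumption about what one row of that output contains, the three data sets are constructed, and HOSTING_HINTS is a placeholder for real ASN reputation data.

```python
"""Score a domain's passive-DNS footprint with the ASN and IP-diversity heuristics
from this page. Added example, not Silent Push code: the row layout stands in for
the Detailed/timeline output, and the data below is constructed."""
from collections import namedtuple
from datetime import date, timedelta

Record = namedtuple("Record", "ip asn asname first_seen last_seen")

AS_OF = date(2025, 1, 30)  # pretend "today" so the constructed windows are stable

# Keyword hints for the "bulletproof or privacy-hosting" ASN check. This is an
# assumption for the example; replace it with your own ASN reputation data.
HOSTING_HINTS = ("host", "vps", "cloud", "privacy", "bulletproof")


def _mk(ip, asn, asname, first, last):
    return Record(ip, asn, asname, date.fromisoformat(first), date.fromisoformat(last))


# Constructed phishing-style footprint: two live IPs on one hosting ASN plus one
# stale row that the 30-day window should drop.
PHISH_ROWS = [
    _mk("192.0.2.10", 64512, "EXAMPLE-VPS-HOSTING", "2025-01-05", "2025-01-28"),
    _mk("192.0.2.11", 64512, "EXAMPLE-VPS-HOSTING", "2025-01-20", "2025-01-29"),
    _mk("192.0.2.12", 64512, "EXAMPLE-VPS-HOSTING", "2024-10-01", "2024-10-15"),
]

# Constructed fast-flux footprint: 24 IPs, each alive for one day, spread over
# six hosting ASNs, one new IP per day going back 24 days.
FLUX_ROWS = [
    Record(f"203.0.113.{i + 1}", 64520 + i % 6, f"FLUX-HOST-{i % 6}",
           AS_OF - timedelta(days=i + 2), AS_OF - timedelta(days=i + 1))
    for i in range(24)
]

# Constructed CDN footprint: 60 IPs in one operator's ASN, all stable for 90 days.
CDN_ROWS = [
    Record(f"198.51.100.{i + 1}", 64496, "EXAMPLE-CDN",
           AS_OF - timedelta(days=90), AS_OF)
    for i in range(60)
]


def profile(rows, asof=AS_OF, window_days=30):
    """Count IP and ASN diversity inside the window and apply the page's thresholds."""
    recent = [r for r in rows if (asof - r.last_seen).days <= window_days]
    ips = {r.ip for r in recent}
    asns = {r.asn for r in recent}
    hosting_asns = {r.asn for r in recent
                    if any(h in r.asname.lower() for h in HOSTING_HINTS)}
    # Median lifetime of an IP in the window: fast-flux rotates hosts in days,
    # CDN and ordinary hosting keep the same addresses for weeks or months.
    lifetimes = sorted((r.last_seen - r.first_seen).days for r in recent)
    median_life = lifetimes[len(lifetimes) // 2] if lifetimes else 0
    return {
        "ip_diversity": len(ips),
        "asn_diversity": len(asns),
        "hosting_asns": sorted(hosting_asns),
        "median_ip_lifetime_days": median_life,
        "verdict": _verdict(len(ips), len(asns), len(hosting_asns), median_life),
    }


def _verdict(ip_div, asn_div, hosting_count, median_life):
    if ip_div == 0:
        return "no-recent-records"
    if ip_div <= 5:
        # 1-5 IPs: typical of C2/phishing, but also of any small single-host site.
        return "low-diversity"
    if asn_div == 1 and median_life >= 7:
        # Many long-lived IPs under one operator: CDN or load-balanced hosting.
        return "cdn-like"
    if asn_div > 1 and (median_life <= 3 or hosting_count == asn_div):
        # Many short-lived IPs across several (hosting) ASNs: fast-flux pattern.
        return "fast-flux-candidate"
    return "inconclusive"


def unexpected_asns(rows, approved_asns, asof=AS_OF, window_days=30):
    """ASNs serving the domain inside the window that are not on your approved list
    (the page's typosquatting / phishing-hosted-elsewhere check for a brand)."""
    return sorted({r.asn for r in rows
                   if (asof - r.last_seen).days <= window_days
                   and r.asn not in approved_asns})


if __name__ == "__main__":
    for name, rows in (("phish", PHISH_ROWS), ("flux", FLUX_ROWS), ("cdn", CDN_ROWS)):
        print(name, profile(rows))
    print("flux, 7-day window:", profile(FLUX_ROWS, window_days=7))
    print("brand ASNs outside approved set:", unexpected_asns(FLUX_ROWS, {64520}))
```

Narrowing the window from 30 to 7 days keeps the fast-flux verdict on the constructed data because the rotation is daily; on real data the 7-day window is what distinguishes a currently active flux network from one that rotated months ago and has since gone quiet.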

Search for Patterns in IP Diversity

Search for patterns in IP diversity data to identify malicious infrastructure, with optional name server and domain pattern matching.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Search IP Diversity Patterns.

  2. Specify nameserver, domain, or MX server patterns (wildcards or regex).

  3. Set ASN diversity (min/max), IP diversity (min/max or groups).

  4. Add timestamps, ASN filters, networks/netmasks, registrar/WHOIS/SSL details as needed.

  5. Select timeline or with_metadata for extra context.

  6. Set limits or skip results.

  7. Click Search.

Pinpoint Attack Vectors by Identifying Patterns in IP Usage or ASN Associations

This advanced pattern search helps uncover clusters of domains exhibiting identical low/high diversity profiles—common in DGA families, phishing kits, or bulletproof hosting customers.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Search IP Diversity Patterns, then set the diversity filters:

    • Low IP diversity: IP diversity min:1 max:5 to find single-server malicious clusters.

    • Or high diversity: IP diversity min:20 combined with suspicious nameserver patterns.

    • Use a domain regex (e.g., .*-(login|secure|update).*\.com) to catch thematically named phishing domains.

  2. Add contextual filters:

    • Restrict to recent activity: last_seen_min: 2025-12-01.

    • Filter ASNs: asname_contains:"hosting" or known bulletproof providers.

    • Include suspicious nameservers (e.g., ns*.dynamic-dns*.net).

  3. Enable timeline and with_metadata to get full IP/ASN histories and WHOIS data.

  4. Click Search. Sort by highest match count or most recent activity.

  5. Cluster results by shared infrastructure. Submit domains/IPs for takedown. Feed patterns into automated detection rules.
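The filter and clustering steps of this procedure, as an added Python example that is not part of Silent Push's documentation or product. It replays the page's domain regex, nameserver wildcard, IP diversity range and last_seen floor over constructed rows (the field names only mirror the page's filter names; the domains are invented and the ASNs come from the documentation and private-use ranges), then groups the hits by shared nameserver set and ASN, which is the "cluster results by shared infrastructure" step.

```python
"""Replay the pattern search and the 'cluster results by shared infrastructure'
step over constructed pattern-search rows. Added example, not Silent Push code:
the row fields only mirror the page's filter names, and every domain, nameserver
and ASN below is invented."""
import re
from collections import defaultdict
from datetime import date
from fnmatch import fnmatch

# The page's thematic phishing regex. fullmatch() is used so the trailing \.com
# must end the name; re.search() would also accept "x-login.com.example".
DOMAIN_RE = re.compile(r".*-(login|secure|update).*\.com")
# The page's suspicious-nameserver pattern, as a shell-style wildcard.
NS_GLOB = "ns*.dynamic-dns*.net"
DYN_NS = ["ns1.dynamic-dns-example.net", "ns2.dynamic-dns-example.net"]

# Constructed rows: one per domain, as a pattern search with timeline/metadata
# might summarise them. Domain names are invented; ASNs are documentation/private.
ROWS = [
    {"domain": "yourbank-login-secure.com", "ns": DYN_NS, "asn": 64512,
     "ip_diversity": 2, "last_seen": "2025-12-14"},
    {"domain": "yourbank-update-portal.com", "ns": DYN_NS, "asn": 64512,
     "ip_diversity": 1, "last_seen": "2025-12-13"},
    {"domain": "mail-secure-update.com", "ns": DYN_NS, "asn": 64513,
     "ip_diversity": 3, "last_seen": "2025-12-10"},
    {"domain": "secure-login-yourbank.com", "ns": ["ns1.other-example.org"],
     "asn": 64514, "ip_diversity": 4, "last_seen": "2025-11-20"},   # too old
    {"domain": "yourbank.com", "ns": ["ns1.yourbank-example.com"], "asn": 64496,
     "ip_diversity": 60, "last_seen": "2025-12-14"},               # the brand
    {"domain": "news-update-weekly.com", "ns": ["ns1.legit-example.org"],
     "asn": 64515, "ip_diversity": 2, "last_seen": "2025-12-12"},
    {"domain": "cdn-update-static.com", "ns": ["ns1.cdn-example.net"],
     "asn": 64496, "ip_diversity": 40, "last_seen": "2025-12-14"},  # high diversity
]


def search(rows, domain_re=DOMAIN_RE, ns_glob=None, ip_min=1, ip_max=5,
           last_seen_min=date(2025, 12, 1)):
    """Apply the page's filters in order: domain regex, IP diversity range,
    last_seen floor, and an optional nameserver wildcard."""
    hits = []
    for r in rows:
        if not domain_re.fullmatch(r["domain"]):
            continue
        if not ip_min <= r["ip_diversity"] <= ip_max:
            continue
        if date.fromisoformat(r["last_seen"]) < last_seen_min:
            continue
        if ns_glob and not any(fnmatch(ns, ns_glob) for ns in r["ns"]):
            continue
        hits.append(r)
    return hits


def cluster(hits):
    """Group hits that share a nameserver set and ASN, largest cluster first.
    Returns [((sorted_ns_tuple, asn), [domains]), ...]."""
    groups = defaultdict(list)
    for r in hits:
        groups[(tuple(sorted(r["ns"])), r["asn"])].append(r["domain"])
    return sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    low = search(ROWS, ns_glob=NS_GLOB)
    for (ns, asn), domains in cluster(low):
        print(f"AS{asn} via {ns[0]} ...: {domains}")
    print("high diversity:", [r["domain"] for r in search(ROWS, ip_min=20, ip_max=100)])
```

The nameserver wildcard is what turns four thematic matches into a cluster worth a takedown request: the two yourbank-themed domains share both the dynamic-DNS nameservers and AS64512, while the legitimately named news domain on its own nameserver drops out. The cluster key is a starting point; extend it with registrar or certificate fields from with_metadata when those are present in the export.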

Save Query

  1. Specify query parameters.

  2. Click Save Query.

  3. Provide a Name and Description for context.

  4. Click Save. The query appears in Private Queries.