PADNS tab


A suspicious domain, such as example.com, appears in alerts tied to phishing emails or malware callbacks. Assessing its DNS footprint, including subdomain resolutions and potential fast-flux activity, is inefficient when it takes many fragmented queries.

The Silent Push PADNS tab provides an aggregated view of raw DNS records (A, AAAA, CNAME, MX, NS, SOA, TXT) for a domain and its subdomains directly in Total View. Enabling Domain Wide View expands results to the full hierarchy, displaying subdomains such as blog.example.com or api.example.com.

Available for Domains and IPv4, this tab draws from Silent Push’s underlying PADNS queries (many of which can be run standalone via DNSData in the left-hand navigation). Total View serves as a comprehensive dashboard, integrating visualizations, risk scores, and pivots for complete analysis.

Why is it useful?

DNS records provide essential insights into domain connectivity and security risks, but analyzing them across types often requires multiple queries. The PADNS tab consolidates this data to identify misconfigurations (e.g., outdated MX records for email vulnerabilities), infrastructure indicators (e.g., NS records linked to high-risk hosts), and subdomain exposures (e.g., dangling A records vulnerable to takeover).

For SOC teams and threat hunters, it offers streamlined access: Community users receive raw data at no cost, while Enterprise users integrate IOFA feeds for threat enrichment. Key record types—A, AAAA, CNAME, MX, NS, SOA, and TXT—reveal configuration details, enabling assessments of resolution integrity, IP diversity for flux detection, and pivots to standalone DNS Data for advanced filtering.

How does it work?

The PADNS tab uses Silent Push's PADNS to aggregate passive DNS data from our global collection, creating datasets optimized for threat intelligence. It reflects queries such as IP hosting a domain or Domain Name Server Changes, presented in Total View with risk scoring and navigation options.

Counts (e.g., 456 A, 42 AAAA) appear at the top, followed by a filterable table showing queries (e.g., example.com), answers (e.g., ns1.scann.org), timestamps, and ASNs. The Domain Wide View includes subdomains to highlight issues such as TXT SPF inconsistencies, indicating potential spoofing risks. Forward lookups connect to IP diversity for historical analysis; reverse data identifies shared infrastructure. All data is timestamped (e.g., First Seen 2025-09-01) for precision.

The section displays counts and details for these records across the domain and subdomains. A records, for example, derive from forward lookups such as IP hosting a domain, listing associated IPs with timestamps. Results may include three A records, one MX record, and two TXT records, highlighting server connections, email setups, and security policies. This aids in detecting anomalies, such as an unfamiliar NS record suggesting misconfiguration or compromise.

Generate a set of results

  • Enter a domain (e.g., example.com) in the search bar to open Total View, and scroll to the PADNS tab. Record counts are displayed at the top, with a results table below.

  • Activate Domain Wide View to include subdomains. Apply filters by record type (e.g., NS only) or timeframe as needed.

Example

  • Query example.com in PADNS: Aggregated records show 456 A records resolving to IPs like 203.0.113.5 (timestamped 2025-09-01), two NS entries for ns1.scann.org (ASN 12345), and a TXT with SPF: v=spf1 include:_spf.example.com -all.

  • Domain Wide View adds subdomains: www.example.com CNAME to blog.example.com (AAAA: 2606:4700::1111), MX for mail.example.com (priority 10), and SOA serial 2025090201 indicating a recent update. An NS shift to AS207713, with First/Last Seen dates (2025-08-31 to 2025-09-02), may indicate flux activity.

Tab in action

Overview of domain example.com with various DNS records and data displayed.

A Record (Address Record)

  • Definition: Maps a domain or subdomain (e.g., www.example.com) to an IPv4 address (e.g., 192.168.1.1), which is the server’s numerical location.

  • Purpose: Provides the primary IP address for domain resolution, ensuring traffic reaches the correct server.

  • Example: An A record for blog.example.com pointing to 203.0.113.5 directs traffic to that server.

AAAA Record (Quad-A Record)

  • Definition: Maps a domain or subdomain to an IPv6 address (e.g., 2001:db8::1), supporting modern networks with larger address spaces.

  • Purpose: Enables IPv6 connectivity for domains, accommodating the growing number of internet devices.

  • Example: An AAAA record for shop.example.com pointing to 2606:4700::1111 routes traffic to an IPv6 server.

CNAME Record (Canonical Name Record)

  • Definition: Aliases one domain or subdomain (e.g., fun.example.com) to another (e.g., www.example.com), sharing the same target configuration.

  • Purpose: Simplifies management by linking multiple names to a single address, reducing redundant IP records.

  • Example: A CNAME for test.example.com pointing to www.example.com directs traffic to the same server.

MX Record (Mail Exchange Record)

  • Definition: Specifies the mail servers responsible for receiving email for the domain (e.g., mail.example.com).

  • Purpose: Directs email traffic to the correct server, essential for email functionality and security checks.

  • Example: An MX record for example.com, pointing to mail.example.com with priority 10, handles incoming emails.

NS Record (Name Server Record)

  • Definition: Identifies the name servers that manage the domain’s DNS records (e.g., ns1.example.com).

  • Purpose: Indicates which servers hold the authoritative DNS data, critical for domain resolution and stability.

  • Example: An NS record for example.com listing ns1.example.com shows the managing server.

SOA Record (Start of Authority Record)

  • Definition: Provides administrative details about the domain, including the primary name server, contact email, and DNS update parameters (e.g., serial number, refresh interval).

  • Purpose: Acts as the master record, ensuring consistency across DNS servers and tracking updates.

  • Example: An SOA for example.com might list ns1.example.com as the primary server with a serial number of 2025090201 (updated 2025-09-02).

TXT Record (Text Record)

  • Definition: Stores text information associated with the domain, often used for verification or security settings (e.g., SPF or DKIM codes).

  • Purpose: Supports domain authentication, spam prevention, or custom data, enhancing security and trust.

  • Example: A TXT record for example.com might contain v=spf1 include:_spf.example.com -all to define email sending policies.
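The SPF inconsistencies that Domain Wide View can surface across subdomains can be checked mechanically. The following is an added example, not Silent Push code: the TXT answers are constructed sample data, and `spf_policy` and `spf_inconsistencies` are hypothetical helper names.

```python
# Constructed TXT answers per name, as a Domain Wide View listing might show them.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.com -all", "site-verification=constructed"],
    "www.example.com": ["v=spf1 include:_spf.example.com -all"],
    "mail.example.com": ["v=spf1 include:_spf.example.com ~all"],
    "blog.example.com": ["v=spf1 +all"],
    "api.example.com": ["site-verification=constructed"],
    "shop.example.com": ["v=spf1 -all", "v=spf1 include:_spf.example.com -all"],
}

QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_policy(txt_values):
    """Classify one name's TXT answers by how SPF treats senders it does not list."""
    spf = [t for t in txt_values if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "multiple"  # RFC 7208: more than one SPF record is a permanent error
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            return QUALIFIERS.get(term[0], "pass")  # a bare "all" defaults to "+"
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"
    return "no-all"  # no "all" and no redirect: the result defaults to neutral


def spf_inconsistencies(txt_by_name, apex):
    """Return {name: policy} for every name whose policy differs from the apex's."""
    baseline = spf_policy(txt_by_name.get(apex, []))
    findings = {}
    for name, txts in txt_by_name.items():
        policy = spf_policy(txts)
        if policy != baseline:
            findings[name] = policy
    return findings


if __name__ == "__main__":
    for name, policy in sorted(spf_inconsistencies(SAMPLE_TXT, "example.com").items()):
        print(f"{name}: {policy}")
```

A `pass` result (`+all`) authorizes any sender, and `multiple` means receivers cannot evaluate the policy at all, so those two findings deserve attention first.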

Work with PADNS results

Results remain within the console for seamless navigation. Each row supports one-click pivots: to Infrastructure Variance for IP diversity (e.g., tracking 10 historical ASNs for flux), or Live Scan for certificates on an MX server.

For anomalies, such as an unexpected CNAME, pivot to DNS Data > Domains Hosted on Server for shared infrastructure details. A weak TXT SPF? Check Threat Feeds for IOFA associations. Standalone DNS Data (left navigation) offers advanced filtering, such as IP hosting a domain by subdomain or timeframe, before enriching in Total View.

Access and Relate PADNS Data: The PADNS tab offers a pre-aggregated snapshot, while DNS Data queries in the left navigation enable granular control. These queries (e.g., IP hosting a domain or DNS changes) provide the core data for PADNS and other tabs.

This supports a unified workflow: Begin with targeted DNS Data scans, then pivot to Total View for IOFA enrichment and visualizations.

  • Forward lookups in PADNS (e.g., A Records): Align with DNS Data > IP hosting a domain; set subdomains or time frames, then enrich in Total View.

  • Reverse and diversity insights: IP Diversity from PADNS A/AAAA records (e.g., historical changes for flux detection) appears in Infrastructure Variance, correlating DNS with trends.

  • Nameserver and server queries: NS/SOA records link to DNS Data > Domains Hosted on Server or Domain Name Server Changes for shared infrastructure analysis.

Start with DNS Data for precision, then pivot to Total View for context: for example, flag an anomalous IP in a query, then view its PADNS threat ties. Use Domain Wide View in PADNS for subdomain expansion in infrastructure mapping.

Export as CSV, set monitors (e.g., for SOA serial changes), or link to Dangling DNS for takeover identification. This enables efficient reconnaissance: a broad PADNS overview, targeted pivots, and rapid assessment of malicious activity, such as timestamps indicating dormant infrastructure.
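The IP-diversity reasoning used for flux detection can be applied offline to exported rows. The following is an added example, not Silent Push code: the CSV column names, the sample rows and the thresholds are assumptions chosen for illustration, and a real export may use different headers.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample rows. The header is an assumed layout (query, answer,
# timestamps and ASN as shown in the results table), not the console's real one.
SAMPLE_EXPORT = """\
query,type,answer,asn,first_seen,last_seen
example.com,A,203.0.113.5,64500,2025-09-01,2025-09-01
example.com,A,198.51.100.7,64501,2025-09-01,2025-09-02
example.com,A,192.0.2.44,64502,2025-09-02,2025-09-02
example.com,A,203.0.113.99,64500,2025-09-02,2025-09-02
blog.example.com,A,203.0.113.5,64500,2025-01-10,2025-09-02
blog.example.com,AAAA,2001:db8::1,64500,2025-01-10,2025-09-02
example.com,NS,ns1.example.net,64500,2025-08-31,2025-09-02
"""


def _days_seen(row):
    """Days between First Seen and Last Seen for one answer."""
    return (date.fromisoformat(row["last_seen"]) - date.fromisoformat(row["first_seen"])).days


def ip_diversity(csv_text, min_ips=3, min_asns=2, max_days=3):
    """Summarize A/AAAA answers per name and flag many short-lived IPs across ASNs."""
    by_name = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["type"] in ("A", "AAAA"):
            by_name[row["query"]].append(row)
    report = {}
    for name, rows in by_name.items():
        ips = {r["answer"] for r in rows}
        asns = {r["asn"] for r in rows}
        short = [r for r in rows if _days_seen(r) <= max_days]
        report[name] = {
            "ips": len(ips),
            "asns": len(asns),
            "short_lived": len(short),
            # Heuristic: diverse answers, most of them observed only briefly.
            "flux_candidate": len(ips) >= min_ips and len(asns) >= min_asns
            and len(short) * 2 > len(rows),
        }
    return report


if __name__ == "__main__":
    for name, summary in ip_diversity(SAMPLE_EXPORT).items():
        print(name, summary)
```

A flagged name is a lead for the Infrastructure Variance pivot, not a verdict: CDNs and load-balanced services also rotate addresses, so tune the thresholds against known-good domains.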