Establish the domain density of a specific record/element

  • Updated on May 16, 2023
  • Published on Apr 11, 2023
  • 1 minute(s) read
Prev Next

Domain density refers to the number of unique domain names associated with an individual element of a network (DNS record, IPv4/IP46 address, ASN etc.)

Threat actors often use a large number of domain names to carry out their attacks. Accordingly, a high domain density can sometimes be used as an indicator of malicious activity. By analyzing domain density, security teams can identify these patterns and take appropriate action.

  1. Navigate to Advanced Query Builder > PADNS Queries > PADNS density lookup

  2. Specify a query type from the list of available elements:

    1. Namserver
    2. MX server
    3. Nameserver hash
    4. MX hash
    5. IPv4 address
    6. IPv6 address
    7. ASN

  3. Enter a query value

  4. Select a scope for exactor near match results by query type

    1. IPv4 query:
      1. IP - exact match (default when qtype=ipv4)
      2. subnet - summary of subnet for ipv4
      3. subnet_ips - density for all ips in subnet
      4. asn - summary of asn for ipv4
      5. asn_subnets - summary for all subnets in asn -
    2. ASN query:
      1. asn - summary of asn (default when qtype=asn)
      2. asn_subnets - summary for all subnets in asn
    3. NSSRV or MXSRV query:
      1. host - exact match (default when qtype=nssrv or qtype=mxsrv)
      2. domain - match all hosts in this domain (domain extracted from {query})
      3. subdomain - match all hosts at this subdomain level (i.e. *.{query})

  5. Click Search

Saving queries

Organizational users are able to save individual queries ran from Advanced Query Builder, and store them in the Private Queries menu for future analysis, or to share with their organization.

  1. Specify the query parameters

  2. Click Save Query

  3. Give your query a Name

  4. Specify a Description to add more context

  5. Click Save