How to Query Self-Hosted Domains for Security Insights


Silent Push enables security teams to query self-hosted domains and Start of Authority (SOA) records to detect malicious infrastructure and track DNS changes. These tools help identify domains controlled by threat actors and monitor zone updates that may indicate suspicious activity.

Search for Self-Hosted Domains

Self-hosted domains, where nameservers are in the same domain and hosted on the same IP as the domain’s A record (active within 30 days), are often used for phishing or malware distribution.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Search Self-hosted Domains.

  2. Specify a domain or pattern (or use a regular expression to override).

  3. Optional parameters:

    • domain_asnum or nssrv_asnum for ASNs of domain/nameserver A records.

    • asname, asname_starts_with, or asname_contains to filter by AS names.

    • asn_match options: Any, All, Limit (with min/max).

    • Include with_metadata.

    • Limit or skip results.

  4. Click Search.

Detect Attacker-Controlled Infrastructure Using Self-Hosted Domains Search

Self-hosted domains are a strong indicator of threat actor control. They are frequently used in phishing kits, fake login pages, and malware distribution because attackers can fully manage DNS without relying on legitimate providers.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Search Self-hosted Domains.

  2. In the main search field, enter a specific domain (e.g., example-malicious.com) or a pattern (e.g., *.bank* to catch banking-related phishing). For broader hunting, use a regular expression such as .*(login|secure|account).*\.com to target common phishing keywords.

    • Add ASN filters: domain_asnum or nssrv_asnum → enter known bulletproof or suspicious ASNs (e.g., AS62240, AS206216).

    • Use asname_contains:"Russia" or asname_contains:"hosting" to focus on high-risk providers.

    • Set asn_match: All if you want results only where both the domain and nameserver A records match your criteria.

    • Check with_metadata to include Whois, registration dates, and historical IP data.

  3. Set Limit to 100–500 for initial scans. Use Skip for pagination.

  4. Click Search. Review results for domains where the nameserver column lists subdomains of the target pointing to the same IP address.

  5. Sort by most recent activity. Export high-confidence matches to your ticketing system or blocklist. Submit abusive domains for takedown and feed IPs into firewalls/EDR.

Scan for SOA Records

SOA records provide administrative details about a DNS zone, such as primary nameservers and timing parameters. Monitoring changes helps detect malicious updates.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Search SOA Records.

  2. Specify a domain (wildcards supported) or regular expression.

  3. Optional parameters:

    • ns or mbox (the primary nameserver or responsible-mailbox field of the SOA record; the “self” option matches values that fall within the queried domain).

    • serial, refresh, retry, expire, or TTL values (exact or min/max).

    • Timestamps: first_seen_before/after, last_seen_before/after, as_of.

    • Sort by columns (last_seen, first_seen, query, answer) in asc or desc order.

    • Limit, skip, or restrict results per domain with limit_by_n.

  4. Click Search.

Track Malicious DNS Zone Changes Using SOA Records Search

Sudden changes, such as serial number increases, new primary nameservers, or shortened TTLs, often signal domain hijacking, subdomain creation, or fast-flux evasion tactics.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Search SOA Records.

  2. Enter a specific domain (e.g., compromised-corp.com) or use wildcards (e.g., *.corp.com). For advanced pattern matching, enable regex (e.g., .*(dev|api|staging)\.corp\.com).

    • Look for recent zone updates: serial > 2026010100.

    • Flag self-hosted nameservers: ns:"self".

    • Detect fast-flux: TTL < 3600.

    • Filter by timing: first_seen_after:"2026-01-01" or last_seen_after:"2025-12-01".

  3. Sort by serial desc or last_seen desc. Use limit_by_n: 10 to return only the most recent records per domain.

  4. Click Search. Examine the results for unexpected serial jumps, new mbox values, or nameserver changes.

  5. Compare current SOA against historical baselines. Correlate new subdomains/IPs with threat intel. Alert domain owners or registrars if hijacking indicators are present.
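The baseline comparison in step 5 can be scripted once the SOA records have been exported. The following is an added example, not Silent Push code; it takes two SOA snapshots of the same zone (constructed sample data, with dnsprovider.example as an assumed former DNS host) and returns the indicators this section describes: serial changes past the 2026010100 mark, new mbox values, nameserver changes, a nameserver that has become self-hosted (ns:"self"), and a TTL below 3600.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaSnapshot:
    """One observed SOA record for a zone (fields as exported, not live DNS)."""
    domain: str
    ns: str      # SOA MNAME: primary nameserver
    mbox: str    # SOA RNAME: responsible mailbox
    serial: int
    ttl: int


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def is_self_hosted_ns(snap: SoaSnapshot) -> bool:
    """ns:"self": the primary nameserver lives inside the zone it serves."""
    ns, zone = _norm(snap.ns), _norm(snap.domain)
    return ns == zone or ns.endswith("." + zone)


def soa_change_indicators(baseline, current, recent_serial=2026010100, fast_flux_ttl=3600):
    """Compare the current SOA against its historical baseline; thresholds match the page."""
    if _norm(baseline.domain) != _norm(current.domain):
        raise ValueError("baseline and current must describe the same zone")
    found = []
    if current.serial < baseline.serial:
        found.append("serial_rolled_back")       # zone rewritten with an older serial
    elif current.serial > baseline.serial:
        found.append("serial_changed")
        if current.serial > recent_serial:
            found.append("recent_zone_update")   # serial > 2026010100
    if _norm(current.mbox) != _norm(baseline.mbox):
        found.append("mbox_changed")
    if _norm(current.ns) != _norm(baseline.ns):
        found.append("ns_changed")
        if is_self_hosted_ns(current) and not is_self_hosted_ns(baseline):
            found.append("ns_now_self_hosted")
    if current.ttl < fast_flux_ttl:
        found.append("low_ttl")                  # TTL < 3600: fast-flux candidate
    return found


# Constructed sample: the zone's SOA moved from a hosting provider to itself.
BASELINE = SoaSnapshot("compromised-corp.com", "ns1.dnsprovider.example",
                       "hostmaster.dnsprovider.example", 2025120301, 86400)
CURRENT = SoaSnapshot("compromised-corp.com", "ns1.compromised-corp.com.",
                      "admin.compromised-corp.com", 2026011500, 300)

if __name__ == "__main__":
    print(soa_change_indicators(BASELINE, CURRENT))
```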

Save Query

  1. Specify query parameters.

  2. Click Save Query.

  3. Provide a Name and Description for context.

  4. Click Save. The query appears in Private Queries.