---
title: "How to Query Self-Hosted Domains for Security Insights"
slug: "how-to-query-self-hosted-domains-for-security-insights"
tags: ["DNS Changes", "Malicious Infrastructure", "Self-Hosted Domains"]
updated: 2025-12-31T17:31:41Z
published: 2025-12-31T17:31:41Z
canonical: "help.silentpush.com/how-to-query-self-hosted-domains-for-security-insights"
---

# How to Query Self-Hosted Domains for Security Insights

Silent Push enables security teams to query self-hosted domains and Start of Authority (SOA) records to detect malicious infrastructure and track DNS changes. These tools help identify domains controlled by threat actors and monitor zone updates that may indicate suspicious activity.

## Search for Self-Hosted Domains

Self-hosted domains, where nameservers are in the same domain and hosted on the same IP as the domain’s A record (active within 30 days), are often used for phishing or malware distribution.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Search Self-hosted Domains**.
2. Specify a domain or pattern (or use a regular expression to override).
3. **Optional parameters:**
  - `domain_asnum` or `nssrv_asnum` for ASNs of domain/nameserver A records.
  - `asname`, `asname_starts_with`, or `asname_contains` to filter by AS names.
  - `asn_match` options: Any, All, Limit (with min/max).
  - Include `with_metadata`.
  - Limit or skip results.
4. Click **Search**.

### Detect Attacker-Controlled Infrastructure Using Self-Hosted Domains Search

Self-hosted domains are a strong indicator of threat actor control. They are frequently used in phishing kits, fake login pages, and malware distribution because attackers can fully manage DNS without relying on legitimate providers.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Search Self-hosted Domains**.
2. In the main search field, enter a specific domain (e.g., `example-malicious.com`) or a pattern (e.g., `*.bank*` to catch banking-related phishing). For broader hunting, use a regular expression such as `.*(login|secure|account).*\.com` to target common phishing keywords.
  - Add ASN filters: `domain_asnum` or `nssrv_asnum` → enter known bulletproof or suspicious ASNs (e.g., AS62240, AS206216).
  - Use `asname_contains:"Russia"` or `asname_contains:"hosting"` to focus on high-risk providers.
  - Set `asn_match: All` if you want results only where both the domain and nameserver A records match your criteria.
  - Check **with_metadata** to include Whois, registration dates, and historical IP data.
3. Set **Limit** to 100–500 for initial scans. Use **Skip** for pagination.
4. Click **Search**. Review results for domains where the nameserver column lists subdomains of the target pointing to the same IP address.
5. Sort by most recent activity. Export high-confidence matches to your ticketing system or blocklist. Submit abusive domains for takedown and feed IPs into firewalls/EDR.
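
The self-hosted test described above (nameserver inside the domain, sharing an IP with the domain's A record, active within 30 days) can be re-checked offline against exported results. The following is an added example, not Silent Push code: the row layout, the sample records and the function name `self_hosted_domains` are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed passive-DNS observations (not real data, not a Silent Push export format).
# Each row: (query name, record type, answer, last-seen date).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
OBSERVATIONS = [
    ("login-portal.example", "NS", "ns1.login-portal.example", "2026-01-10"),
    ("login-portal.example", "NS", "ns2.login-portal.example", "2026-01-10"),
    ("login-portal.example", "A", "203.0.113.7", "2026-01-12"),
    ("ns1.login-portal.example", "A", "203.0.113.7", "2026-01-12"),
    ("ns2.login-portal.example", "A", "203.0.113.7", "2026-01-11"),
    ("shop.example", "NS", "ns1.dns-provider.example", "2026-01-09"),
    ("shop.example", "A", "198.51.100.20", "2026-01-09"),
    ("ns1.dns-provider.example", "A", "192.0.2.53", "2026-01-09"),
    ("old-kit.example", "NS", "ns1.old-kit.example", "2025-10-01"),  # stale
    ("old-kit.example", "A", "203.0.113.9", "2025-10-01"),
    ("ns1.old-kit.example", "A", "203.0.113.9", "2025-10-01"),
]

def _norm(name):
    return name.rstrip(".").lower()

def self_hosted_domains(observations, now=NOW, window_days=30):
    """Map each self-hosted domain to its in-zone nameservers that share its A-record IP."""
    cutoff = now - timedelta(days=window_days)
    ns_of, a_of = {}, {}
    for name, rtype, answer, last_seen in observations:
        seen = datetime.strptime(last_seen, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if seen < cutoff:
            continue  # only records active inside the window count
        if rtype == "NS":
            ns_of.setdefault(_norm(name), set()).add(_norm(answer))
        elif rtype == "A":
            a_of.setdefault(_norm(name), set()).add(answer)
    hits = {}
    for domain, nameservers in ns_of.items():
        domain_ips = a_of.get(domain, set())
        matched = sorted(
            ns for ns in nameservers
            if ns.endswith("." + domain) and a_of.get(ns, set()) & domain_ips
        )
        if matched:
            hits[domain] = matched
    return hits

if __name__ == "__main__":
    for domain, ns in self_hosted_domains(OBSERVATIONS).items():
        print(domain, "->", ", ".join(ns))
```

A domain delegated to an external DNS provider (`shop.example` in the sample) and one whose records fall outside the 30-day window (`old-kit.example`) are both excluded.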

## Scan for SOA Records

SOA records provide administrative details about a DNS zone, such as primary nameservers and timing parameters. Monitoring changes helps detect malicious updates.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Search SOA Records**.
2. Specify a domain (wildcards supported) or regular expression.
3. **Optional parameters:**
  - `ns` or `mbox` (nameserver/mbox component, with “self” option for domain matching).
  - `serial`, `refresh`, `retry`, `expire`, or `TTL` values (exact or min/max).
  - Timestamps: `first_seen_before/after`, `last_seen_before/after`, `as_of`.
  - Sort by columns (`last_seen`, `first_seen`, `query`, `answer`) in asc or desc order.
  - Limit, skip, or restrict results per domain with `limit_by_n`.
4. Click **Search**.

### Track Malicious DNS Zone Changes Using SOA Records Search

Sudden changes, such as serial number increases, new primary nameservers, or shortened TTLs, often signal domain hijacking, subdomain creation, or fast-flux evasion tactics.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Search SOA Records**.
2. Enter a specific domain (e.g., `compromised-corp.com`) or use wildcards (e.g., `*.corp.com`). For advanced pattern matching, enable regex (e.g., `.*(dev|api|staging)\.corp\.com`).
  - Look for recent zone updates: `serial > 2026010100`.
  - Flag self-hosted nameservers: `ns:"self"`.
  - Detect fast-flux: `TTL < 3600`.
  - Filter by timing: `first_seen_after:"2026-01-01"` or `last_seen_after:"2025-12-01"`.
3. Sort by `serial desc` or `last_seen desc`. Use `limit_by_n: 10` to return only the most recent records per domain.
4. Click **Search**. Examine the results for unexpected serial jumps, new mbox values, or nameserver changes.
5. Compare current SOA against historical baselines. Correlate new subdomains/IPs with threat intel. Alert domain owners or registrars if hijacking indicators are present.
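
The baseline comparison in step 5 can be scripted once SOA records are exported. The following is an added example, not Silent Push code: the record layout, the sample zones, the finding labels and the function names are assumptions, while the two thresholds reuse the `serial` and `TTL` values from the filters above.

```python
# Constructed SOA observations (not real data, not a Silent Push export format).
# Value: (record TTL, rdata in standard SOA order:
#         mname rname serial refresh retry expire minimum).
BASELINE = {
    "corp.example": (86400, "ns1.dns-provider.example. hostmaster.corp.example. "
                            "2025110301 7200 3600 1209600 3600"),
    "api.corp.example": (3600, "ns1.dns-provider.example. hostmaster.corp.example. "
                               "2025110301 7200 3600 1209600 3600"),
}
CURRENT = {
    "corp.example": (300, "ns1.corp.example. admin.mail-host.example. "
                          "2026010512 7200 3600 1209600 300"),
    "api.corp.example": (3600, "ns1.dns-provider.example. hostmaster.corp.example. "
                               "2025110302 7200 3600 1209600 3600"),
}

SERIAL_AFTER = 2026010100  # same watch value as the serial filter above
MIN_TTL = 3600             # same bound as the TTL filter above

def parse_soa(ttl, rdata):
    """Pull out the fields the review cares about; timer fields are ignored."""
    mname, rname, serial, *_timers = rdata.split()
    return {"ttl": ttl, "ns": mname.rstrip(".").lower(),
            "mbox": rname.rstrip(".").lower(), "serial": int(serial)}

def soa_findings(domain, baseline, current):
    old, new = parse_soa(*baseline[domain]), parse_soa(*current[domain])
    findings = []
    if new["ns"] != old["ns"]:
        findings.append("ns_changed")
    if new["ns"] == domain or new["ns"].endswith("." + domain):
        findings.append("ns_self")        # primary nameserver sits inside the zone
    if new["mbox"] != old["mbox"]:
        findings.append("mbox_changed")
    if new["ttl"] < MIN_TTL and new["ttl"] < old["ttl"]:
        findings.append("ttl_shortened")
    if new["serial"] != old["serial"] and new["serial"] > SERIAL_AFTER:
        findings.append("serial_recent")
    return findings

def review(baseline, current):
    """Findings per zone present in both snapshots; an empty list means no indicator."""
    return {d: soa_findings(d, baseline, current) for d in current if d in baseline}

if __name__ == "__main__":
    for domain, findings in review(BASELINE, CURRENT).items():
        print(domain, findings or "no change of interest")
```

A routine serial bump on its own (`api.corp.example` in the sample) produces no finding; the zone that moved its primary nameserver in-zone, changed mbox and dropped its TTL collects all five.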

## Save Query

1. Specify query parameters.
2. Click **Save Query**.
3. Provide a **Name** and **Description** for context.
4. Click **Save**. The query appears in [**Private Queries**](/v1/docs/private-queries).

