How to Track DNS Changes with Hash Values


nshash and mxhash are hash values used to identify and track changes to DNS information.

nshash is based on the authoritative nameservers associated with a domain. By computing the nshash for a domain, it's possible to identify changes to the authoritative nameservers, such as when a domain is transferred to a new registrar or hosting provider.

mxhash, on the other hand, is based on the MX servers associated with a domain. By computing the MX hash value for a domain, organizations can identify changes to the mail exchange servers, such as when a domain starts sending or receiving email from a new email provider.

Both values can be used to track changes to DNS infrastructure that may indicate malicious activity. For example, if a domain suddenly changes its authoritative nameservers or starts sending email from a new mail exchange server, it may indicate phishing or other malicious activity.

Silent Push allows organizations to quickly obtain information on server names that belong to an nshash or mxhash.

Translate Hash to Server Names

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Translate Hash To Server Names.

  2. Specify a hash type: NSHASH or MXHASH.

  3. Enter a hash value in the query field.

  4. Click Search.

Identify Changes in Authoritative Nameservers or MX Servers to Detect Malicious Activity

Sudden changes in nameservers (NSHASH) or mail servers (MXHASH) are strong indicators of domain hijacking, registrar transfers by attackers, or the setup of phishing/business email compromise (BEC) infrastructure.

  1. From the left navigation menu, select Advanced Query Builder > PADNS Queries > Translate Hash To Server Names.

  2. Choose NSHASH to investigate nameserver changes or MXHASH for mail server changes.

  3. Get the hash from:

    • A previous PADNS reverse lookup using NSHASH or MXHASH record types.

    • Threat intelligence reports or alerts that include hash values.

    • Monitoring tools that track hash changes for your domains.

    Example hash: a1b2c3d4e5f67890...

  4. Enter the hash in the query field and click Search.

    • For NSHASH: Look for unexpected or known malicious nameservers (e.g., dynamic DNS providers, bulletproof hosting NS).

    • For MXHASH: Check for sudden shifts to free email providers (e.g., temp-mail services) or suspicious hosting — common in BEC setups.

    • Compare against historical baselines for your protected domains.

  5. Investigate and Respond.

    • Correlate returned servers with other PADNS queries (e.g., reverse lookup on the servers).

    • Alert domain owners of unauthorized changes.

    • Block associated infrastructure or flag emails originating from new MX servers.

    • Submit findings to registrars for potential hijacking recovery.
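
The baseline comparison from step 4, as an added example (not Silent Push code): it fingerprints each domain's NS and MX server sets and reports which servers were added or removed when the fingerprint changes. The SHA-256 fingerprint is a stand-in and is not Silent Push's nshash/mxhash algorithm; the domains and server names are constructed sample data.

```python
import hashlib

def normalize(servers):
    """Lowercase, trim and drop the trailing root dot so equal sets compare equal."""
    return sorted({s.strip().lower().rstrip(".") for s in servers})

def fingerprint(servers):
    """Order-insensitive fingerprint of a server set (illustrative stand-in,
    not the vendor's nshash/mxhash computation)."""
    return hashlib.sha256("\n".join(normalize(servers)).encode()).hexdigest()[:16]

def diff_against_baseline(baseline, observed):
    """Return one finding per (domain, record type) whose server set changed."""
    findings = []
    for domain, records in observed.items():
        for rtype, servers in records.items():
            old = baseline.get(domain, {}).get(rtype)
            if old is None:
                continue  # no baseline recorded yet, nothing to compare
            old_fp, new_fp = fingerprint(old), fingerprint(servers)
            if old_fp == new_fp:
                continue  # same set, possibly reordered or differently cased
            old_set, new_set = set(normalize(old)), set(normalize(servers))
            findings.append({
                "domain": domain, "type": rtype,
                "old_hash": old_fp, "new_hash": new_fp,
                "added": sorted(new_set - old_set),
                "removed": sorted(old_set - new_set),
            })
    return findings

# Constructed sample data: historical baseline and a fresh observation.
BASELINE = {"example.com": {
    "NS": ["ns1.dns-host.example.", "ns2.dns-host.example."],
    "MX": ["mx1.mail-host.example."]}}
OBSERVED = {"example.com": {
    "NS": ["NS2.dns-host.example", "ns1.dns-host.example"],  # reordered only
    "MX": ["mx.other-mail.example."]}}                       # mail moved

if __name__ == "__main__":
    for f in diff_against_baseline(BASELINE, OBSERVED):
        print(f"{f['domain']} {f['type']} changed {f['old_hash']} -> {f['new_hash']}: "
              f"added={f['added']} removed={f['removed']}")
```

Normalizing before hashing keeps a reordered or differently cased answer from raising a false alert, so only a real change in the server set produces a finding.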

Save Query

  1. Specify query parameters.

  2. Click Save Query.

  3. Provide a Name and Description for context.

  4. Click Save. The query appears in Private Queries.