---
title: "How to Track DNS Changes with Hash Values"
slug: "how-to-track-dns-changes-with-hash-values"
description: "Silent Push allows organizations to quickly obtain information on server names that belong to an nshash or mxhash."
tags: ["Passive DNS"]
updated: 2025-12-31T17:44:31Z
published: 2025-12-31T17:44:31Z
canonical: "help.silentpush.com/how-to-track-dns-changes-with-hash-values"
---

# How to Track DNS Changes with Hash Values

nshash and mxhash are hash values used to identify and track changes to DNS information.

**nshash** is based on the authoritative nameservers associated with a domain. By computing the nshash for a domain, it's possible to identify changes to the authoritative nameservers, such as when a domain is transferred to a new registrar or hosting provider.

**mxhash**, on the other hand, is based on the MX servers associated with a domain. By computing the mxhash for a domain, organizations can identify changes to the mail exchange servers, such as when a domain starts sending or receiving email from a new email provider.

Both values can be used to track changes to DNS infrastructure that may indicate malicious activity. For example, if a domain suddenly changes its authoritative nameservers or starts sending email from a new mail exchange server, that may indicate phishing or other malicious activity.

Silent Push allows organizations to quickly obtain information on server names that belong to an nshash or mxhash.

## Translate Hash to Server Names

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Translate Hash To Server Names**.
2. Specify a hash type: `NSHASH` or `MXHASH`.
3. Enter a hash value in `query`.
4. Click **Search**.

### Identify Changes in Authoritative Nameservers or MX Servers to Detect Malicious Activity

Sudden changes in nameservers (NSHASH) or mail servers (MXHASH) are strong indicators of domain hijacking, registrar transfers by attackers, or the setup of phishing/business email compromise (BEC) infrastructure.

1. From the left navigation menu, select **Advanced Query Builder > PADNS Queries > Translate Hash To Server Names**.
2. Choose `NSHASH` to investigate nameserver changes or `MXHASH` for mail server changes.
3. Get the hash (for example, `a1b2c3d4e5f67890...`) from:
  - A previous PADNS reverse lookup using `NSHASH` or `MXHASH` record types.
  - Threat intelligence reports or alerts that include hash values.
  - Monitoring tools that track hash changes for your domains.
4. Enter the hash in the `query` field and click **Search**.
  - For **NSHASH**: Look for unexpected or known malicious nameservers (e.g., dynamic DNS providers, bulletproof hosting NS).
  - For **MXHASH**: Check for sudden shifts to free email providers (e.g., temp-mail services) or suspicious hosting — common in BEC setups.
  - Compare against historical baselines for your protected domains.
5. Investigate and respond:
  - Correlate returned servers with other PADNS queries (e.g., reverse lookup on the servers).
  - Alert domain owners of unauthorized changes.
  - Block associated infrastructure or flag emails originating from new MX servers.
  - Submit findings to registrars for potential hijacking recovery.
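
The baseline comparison in the steps above can also be scripted for domains you protect. The following is an added example, not Silent Push code: `server_set_hash` is an assumed SHA-256 fingerprint over normalized host names (not the nshash/mxhash algorithm), and all domains and server names are constructed sample data.

```python
import hashlib

def normalize(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().lower().rstrip(".")

def server_set_hash(servers):
    # Assumed scheme for this example only: SHA-256 over the sorted, de-duplicated
    # names. This is not Silent Push's nshash/mxhash algorithm.
    names = sorted({normalize(s) for s in servers if s.strip()})
    return hashlib.sha256("\n".join(names).encode("utf-8")).hexdigest()

def diff_against_baseline(baseline, observed):
    # Both arguments map domain -> {"NS": [...], "MX": [...]} (host names only).
    findings = []
    for domain in sorted(baseline):
        for rtype in ("NS", "MX"):
            old = {normalize(s) for s in baseline[domain].get(rtype, [])}
            new = {normalize(s) for s in observed.get(domain, {}).get(rtype, [])}
            old_hash, new_hash = server_set_hash(old), server_set_hash(new)
            if old_hash != new_hash:
                findings.append({
                    "domain": domain, "type": rtype,
                    "old_hash": old_hash, "new_hash": new_hash,
                    "added": sorted(new - old), "removed": sorted(old - new),
                })
    return findings

# Constructed sample data (reserved example names, not real observations).
BASELINE = {
    "example.com": {"NS": ["ns1.dns.example.", "ns2.dns.example."],
                    "MX": ["mx1.mail.example."]},
    "example.org": {"NS": ["ns1.dns.example."],
                    "MX": ["mx1.mail.example.", "mx2.mail.example."]},
}
OBSERVED = {
    # Same NS set, different order and case: must not raise a finding.
    "example.com": {"NS": ["NS2.dns.example", "ns1.dns.example"],
                    "MX": ["mx1.mail.example"]},
    # MX set replaced: reported with the added and removed hosts.
    "example.org": {"NS": ["ns1.dns.example"],
                    "MX": ["inbound.newmail.example"]},
}

if __name__ == "__main__":
    for f in diff_against_baseline(BASELINE, OBSERVED):
        print(f["domain"], f["type"], "added:", f["added"], "removed:", f["removed"])
```

Normalizing before hashing keeps record reordering, letter case and trailing dots from producing false change alerts.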

## Save Query

1. Specify query parameters.
2. Click **Save Query**.
3. Provide a **Name** and **Description** for context.
4. Click **Save**. The query appears in [**Private Queries**](/v1/docs/private-queries).
