--- title: "How to use PADNS Data SOA Records" slug: "how-to-use-padns-data-soa-records" updated: 2025-12-10T17:16:07Z published: 2025-12-10T17:16:07Z --- > ## Documentation Index > Fetch the complete documentation index at: https://help.silentpush.com/llms.txt > Use this file to discover all available pages before exploring further. # How to Use PADNS Data SOA Records Every domain you look up in Silent Push instantly reveals its complete historical DNS footprint — every subdomain, name server, MX record, and SOA record ever observed, even the ones that no longer resolve. And every blue value is a one-click pivot across the entire global PADNS database. [PADNS.mov](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/PADNS.mov) ### Open Any Domain in Total View Search any domain or IP. Click the result, and you’re now in Total View. Scroll down to the **PADNS** section. The moment you open it, click **Domain Wide View**. You instantly get: - Every subdomain ever seen for this domain (thousands in some cases) - All historical name servers - All MX records (mail servers) - All SOA records (the real gold — often reveal the true operator) ### Explore Every Record Type Switch between the tabs at the top: - **Subdomains** – hidden admin panels, staging servers, C2 nodes - **Name Servers** – bulletproof hosting clues - **MX Records** – phishing kit delivery servers - **SOA Records** – usually the single strongest actor identifier ### One-Click Pivot on Anything Blue No copying. No pasting. Just click. - Click a blue **SOA record** and choose “SOA Reverse Lookup” to instantly see every other domain ever managed by the same operator - Click a blue **name server** to see every domain that has ever used it - Click a blue **subdomain** to find all siblings across the actor’s empire - Click a blue **MX record** to expose the full phishing mail infrastructure ### Real-World Example Workflows **Who really controls this phishing domain?** - Open **Total View > PADNS > Domain Wide View > SOA tab**, then click the blue SOA record to see 300+ other domains run by the same actor instantly. **Is this hosted on Bulletproof or abused name servers?** - Go to the N**ame Servers tab > click any blue NS**to reveal thousands of malicious domains using the same provider. **Did the actor spin up temporary subdomains for a campaign?** - Sort Subdomains by first-seen date to spot clusters of short-lived attack infrastructure. ### Tips - Always start with the **SOA tab** — it’s usually the most reliable actor fingerprint. - Combine SOA Reverse Lookup with WHOIS pivots for unbreakable attribution. - Use “First Seen” sorting to find the newest campaign subdomains before defenders notice them. - Export the full Domain Wide View list — perfect for block-list creation or takedown packages.