Live Unsanctioned Assets PADNS lookup

GET /explore/padns/lookup/uld/{qtype}/{qname}/{qanswer}

Similar A records in similar domains in/not in networks specified by qanswer, netmask, and network parameters, where the similar domain is on/not on name servers specified by one or more nsname parameters.

The default is to look at new records with a first_seen timestamp within the last 30 days, but the exact time period can be defined explicitly.

This can be used to find spoofing domains hosted on unsanctioned infrastructure.

Query Parameters:

qtype (string) (required) –
- the following qypes are supported:
  - a
  - aaaa
qname (string) (required) –
- specify a name to lookup
  - name - wildcards (*) are required in name string
  - _ - use underscore as placeholder if regex is given
regex = (pattern) (optional) –
- re2 regular expression
  - pattern must be a valid re2 regular expression
  - regex overrides any qname given
qanswer (string) (required) –
- IP address to look for records - use in combination with netmask parameter to specify subnet
  - IPv4 address
  - IPv6 address
  - _ - use underscore as placeholder if no IP match is required
nsname = (string) (optional) –
- nsname specifies name or pattern of name server where a domain is/is not hosted
- up to 5 nsname parameters may be given - wildcards are supported
match = (string) (optional) –
- finds domains not on (neq) or on (eq) name servers given as nsname parameters
  - eq - domains on name servers
  - neq (default) - domains not on name servers
netmask = (int) (optional) –
- net mask may be given for qtypes a or aaaa
- used in combination with qanswer to define subnet
- use to find records in the same subnet
  - defaults: IPv4 = 32, IPv6 = 128
net = (string) (optional) –
- find records where ip not in (default) or in subnet defined by netmask and additional network parameters
  - in - find records in subnet
  - notin (default) - find records not in subnet
network = (string) (optional) –
- additional network and net mask
- give option as 1.1.1.1/24
- up to 5 additional networks may be given
asnum = (int) (optional) –
- AS number to search, may be repeated multiple time for additional AS numbers
- parameter may be used with qtype=a or qtype=ptr4
- use to find records in the same AS number
asn = (string) (optional) –
- find ptr4 or a records where ipv4 in or not in ASN defined by asnum
  - in - find records in ASN
  - notin (default) - find records not in ASN
asname = (string) (optional) –
- search all AS numbers where the AS Name begins with
asname_starts_with = (string) (optional) –
- search all AS numbers where the AS Name begins with
asname_contains = (string) (optional) –
- search all AS numbers where the AS Name contains
reduce = (string) (optional) –
- aggregate timestamps for qname only (host) or for each qname=>qanswer observation (full)
  - full (default) - show timestamps for qname=>qanswer observations
  - host - show timestamps for distinct qname only
first_seen_after = (optional) –
- first_seen timestamp must be on or after this time
  - default=-2592000 - look back 30 days
  - date: yyyy-mm-dd (2021-07-09) - fixed date
  - epoch: number (1625834953) - fixed time in epoch format
  - sec: negative number (-172800) - relative time seconds ago
  - time period: negative number with time period (-36h / -5d / -3w / -6m) - relative time ago
    - h : hours
    - d : days
    - w : weeks
    - m : months
first_seen_before = (optional) –
- first_seen timestamp must be on or before this time
- date: yyyy-mm-dd (2021-07-09) - fixed date
  - epoch: number (1625834953) - fixed time in epoch format
  - sec: negative number (-172800) - relative time seconds ago
  - time period: negative number with time period (-36h / -5d / -3w / -6m) - relative time ago
    - h : hours
    - d : days
    - w : weeks
    - m : months
last_seen_after = (optional) –
- last_seen timestamp must be on or after this time
- date: yyyy-mm-dd (2021-07-09) - fixed date
  - epoch: number (1625834953) - fixed time in epoch format
  - sec: negative number (-172800) - relative time seconds ago
  - time period: negative number with time period (-36h / -5d / -3w / -6m) - relative time ago
    - h : hours
    - d : days
    - w : weeks
    - m : months
last_seen_before = (optional) –
- last_seen timestamp must be on or before this time
  - date: yyyy-mm-dd (2021-07-09) - fixed date
  - epoch: number (1625834953) - fixed time in epoch format
  - sec: negative number (-172800) - relative time seconds ago
  - time period: negative number with time period (-36h / -5d / -3w / -6m) - relative time ago
    - h : hours
    - d : days
    - w : weeks
    - m : months
as_of = (optional) –
- only return records where the as_of timestamp equivalent is between the first_seen and the last_seen timestamp
  - date: yyyy-mm-dd (2021-07-09) - fixed date
  - epoch: number (1625834953) - fixed time in epoch format
  - sec: negative number (-172800) - relative time seconds ago
  - time period: negative number with time period (-36h / -5d / -3w / -6m) - relative time ago
    - h : hours
    - d : days
    - w : weeks
    - m : months
sort = (optional) –
- order results in specified order - parameter may be repeated with different column names to produce a nested sorting effect
  - sort:
  - last_seen/last/time_last - synonyms for last_seen column
  - first_seen/first/time_first - synonyms for first_seen column
  - query/rrname - synonyms for query column
  - answer/rdata - synonyms for answer_seen column
  - order:
    - asc/+/up - synonyms for ascending order
    - desc/-/down - synonyms for descending order
output_format = (optional) –
- padns (default) - Silent Push padns output format
- cof - common output format
limit = (int) (optional) –
- number of results to return
  - default = 100
skip = (int) (optional) –
- number of results to skip
prefer = (string) (optional) –
- result (default) - return results if available before max_wait timeout, otherwise return job_id
- job_id - return job_id immediately
max_wait = (int) (optional) –
- number of seconds to wait for results before returning job_id
  - default = 25
  - value in the range from 0 to 25
with_metadata =<0|1> (int) (optional) –
- include metadata object in response : returned results, total results, job_id
  - 0 (default) = do not include
  - 1 = include metadata

Request headers:

X-API-KEY - api-key

Note
reduce=host gives aggregation on hostname without pairing the IP resolutions - this gives observation dates for the hostname regardless of IP history.

Note
Wildcards (*) are supported in qname and nsname parameters.

Example request

https://api.silentpush.com/api/v1/merge-api/explore/padns/lookup/uld/a/well*rgo.*/159.45.71.0 \
     ?netmask=20 \
     &network=159.45.170.0/20 \
     &nsname=*.wf.com \
     &nsname=*.wellsfargo.com \
     &nsname=*.markmonitor.com \
     &asname_starts_with=wellsfargo \
     &asn=notin \
     &net=notin \
     &match=neq \
     &last_seen_after=2021-07-01 \
     &limit=2

Example response

{
    "status_code": 200,
    "error": null,
    "response": {
        "records": [
            {
                "answer": "192.187.111.222",
                "asn": 33387,
                "count": 3,
                "domain": "wellxsfargo.com",
                "first_seen": "2021-06-25 20:27:29",
                "last_seen": "2021-07-10 19:56:31",
                "query": "wellxsfargo.com",
                "type": "A"
            },
            {
                "answer": "63.141.242.44",
                "asn": 33387,
                "count": 2,
                "domain": "wellsfaprgo.com",
                "first_seen": "2021-07-07 10:51:36",
                "last_seen": "2021-07-10 19:56:30",
                "query": "wellsfaprgo.com",
                "type": "A"
            }
        ]
    }
}