PADNS (Passive DNS) Queries


Passive DNS (PADNS) query tools empower security teams, threat hunters, and researchers to analyze DNS data for proactive threat intelligence. By leveraging a global store of passive DNS data, Silent Push enables users to map domain-to-IP relationships, track infrastructure changes, and identify malicious patterns like domain generation algorithms (DGAs), fast-flux techniques, or phishing campaigns. PADNS queries provide granular insights into DNS records, ASNs, IP diversity, domain density, self-hosted domains, SOA records, and hash translations, helping organizations stay ahead of cyber threats.

Key Features

Our PADNS queries support a range of functionalities to uncover attacker infrastructure and assess risks:

Domain-to-IP and ASN Analysis

  • ASNs for a Domain: Retrieve ASNs associated with a domain’s A records (including subdomains) within the last 30 days to identify hosting networks and detect DGAs or fast-flux techniques.

  • IP Diversity: Measure the number of unique IPs (A/AAAA records) linked to a domain. Read the score in context: a domain pinned to a single IP outside any major provider can point to attacker-controlled hosting, a large but stable set of IPs is typical of CDNs and other legitimate networks, and a large, rapidly churning set is the fast-flux signature the ASN query is meant to surface.

  • IP Diversity Patterns: Search for patterns in IP diversity with filters for nameservers, domains, ASNs, and timestamps to pinpoint attack vectors.

  • Use Case: Map attacker-controlled networks or identify legitimate infrastructure.

DNS Record and Domain Density Queries

  • Forward Lookup: Search passive DNS data for record types (A, AAAA, CNAME, MX, NS, PTR4, PTR6, ANY, SOA, TXT) to link domains to IPs or other records. Filters include timestamps, subdomains, and regular expressions.

  • Domain Density: Measure the number of unique domains associated with a network element (e.g., an IP, ASN, or nameserver). Many unrelated domains on one IP can indicate shared phishing or malware hosting, but shared web hosts and CDN edges are dense too, so combine density with ASN and timing data before acting on it.

  • Use Case: Uncover relationships between DNS records and detect concentrated malicious activity.
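The metrics listed above (IP diversity, ASNs for a domain, and domain density) computed over a handful of passive DNS records, as an added example. This is not Silent Push code and does not reproduce the platform's own scoring; the records, the prefix-to-ASN table and the fixed "now" are all constructed for illustration, and the `RECORDS` tuple layout (query name, record type, answer, last_seen) is an assumption rather than the API's response format.

```python
"""IP diversity, ASNs-for-a-domain and domain density computed over constructed passive
DNS records. Added example, not Silent Push code; the platform's scoring is not reproduced."""
import ipaddress
from datetime import datetime, timedelta

# Constructed observations: (query name, rrtype, answer, last_seen). Not real data.
RECORDS = [
    ("example.com", "A", "203.0.113.10", "2024-05-20"),
    ("www.example.com", "A", "203.0.113.11", "2024-05-25"),
    ("example.com", "AAAA", "2001:db8::10", "2024-05-22"),
    ("old.example.com", "A", "198.51.100.5", "2024-03-01"),   # stale: older than 30 days
    ("example.com", "MX", "mail.example.com", "2024-05-20"),  # not an address record
    ("notexample.com", "A", "203.0.113.10", "2024-05-10"),    # must not match as a subdomain
    ("bad-kit.example", "A", "198.51.100.5", "2024-05-28"),
    ("login-secure.example", "A", "198.51.100.5", "2024-05-29"),
    ("payments.example", "A", "198.51.100.5", "2024-05-30"),
]

# Constructed prefix -> ASN table (assumption: a real pipeline takes this from
# BGP/whois data, which the platform supplies for you).
ASN_TABLE = [
    ("203.0.113.0/24", 64500, "EXAMPLE-HOSTING"),
    ("2001:db8::/32", 64500, "EXAMPLE-HOSTING"),
    ("198.51.100.0/24", 64501, "OTHER-HOSTING"),
]

NOW = datetime(2024, 6, 1)  # fixed "now" so the example is reproducible


def in_scope(name, domain, include_subdomains):
    """Exact match, or a label-boundary suffix match when subdomains are included."""
    return name == domain or (include_subdomains and name.endswith("." + domain))


def lookup_asn(ip):
    """(asn, name) for the first table prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn, name in ASN_TABLE:
        if addr in ipaddress.ip_network(prefix):
            return asn, name
    return None


def ip_diversity(records, domain, include_subdomains=True):
    """Sorted unique A/AAAA answers for the domain (and optionally its subdomains)."""
    return sorted({ans for q, t, ans, _ in records
                   if t in ("A", "AAAA") and in_scope(q, domain, include_subdomains)})


def asns_for_domain(records, domain, now=NOW, days=30):
    """ASNs behind the domain's A records seen within the last `days`, subdomains included."""
    cutoff = now - timedelta(days=days)
    asns = set()
    for q, t, ans, last_seen in records:
        if t == "A" and in_scope(q, domain, True) and datetime.fromisoformat(last_seen) >= cutoff:
            hit = lookup_asn(ans)
            if hit:
                asns.add(hit)
    return sorted(asns)


def domain_density(records, target):
    """Number of unique query names whose A/AAAA answer is the given IP."""
    return len({q for q, t, ans, _ in records if t in ("A", "AAAA") and ans == target})


if __name__ == "__main__":
    print("IP diversity (with subdomains):", ip_diversity(RECORDS, "example.com"))
    print("IP diversity (apex only):     ", ip_diversity(RECORDS, "example.com", False))
    print("ASNs, last 30 days:           ", asns_for_domain(RECORDS, "example.com"))
    for ip in ("198.51.100.5", "203.0.113.10"):
        print(f"domain density of {ip}: {domain_density(RECORDS, ip)}")
```

Note the suffix check in `in_scope` matches on a label boundary (`"." + domain`), so `notexample.com` is not counted as a subdomain of `example.com`; a plain `endswith(domain)` is a common mistake that inflates both diversity and density.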

Self-Hosted Domains and SOA Records

  • Self-Hosted Domains: Identify domains whose nameservers resolve to the same IP as the domain's own A record, a pattern common in phishing and malware hosting, where the operator runs DNS on the same box as the payload instead of at a third-party DNS provider.

  • SOA Records: Monitor the SOA fields of a zone (serial, refresh, retry, expire, minimum TTL, primary nameserver, responsible-party mailbox) over time. A serial change shows the zone was edited, for example when subdomains were added or IPs changed; the SOA itself does not say which records moved, so pair it with a forward lookup over the same window.

  • Use Case: Detect attacker-controlled infrastructure or track DNS configuration changes.

Hash Translation

  • Translate nshash (nameserver set hash) or mxhash (MX server set hash) values back to the server names they stand for, so that a change in the hash over time can be read as a concrete event such as a domain transfer to a new DNS provider or a switch to a new email provider.

  • Use Case: Identify phishing or other malicious activity linked to nameserver or MX server changes.
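The three checks described under Self-Hosted Domains, SOA Records and Hash Translation, run over a constructed timeline of passive DNS observations for one domain that migrates from self-hosted DNS to a third-party provider, as an added example. This is not Silent Push code: the observations are made up, the `(seen, name, rrtype, answer)` tuple layout is an assumption, and `record_set_hash` is an illustrative SHA-256 over the sorted record set, not the platform's actual nshash/mxhash construction, which the page does not document.

```python
"""Change tracking over constructed passive DNS observations: self-hosted nameserver check,
SOA serial changes, and nameserver/MX set hashes with translation. Added example, not Silent Push code."""
import hashlib

# Constructed observations: (seen, name, rrtype, answer). Not real data.
# SOA answers use the on-the-wire order: mname rname serial refresh retry expire minimum.
OBSERVATIONS = [
    ("2024-05-01", "shop.example", "NS", "ns1.shop.example"),
    ("2024-05-01", "shop.example", "NS", "ns2.shop.example"),
    ("2024-05-01", "ns1.shop.example", "A", "198.51.100.7"),
    ("2024-05-01", "ns2.shop.example", "A", "198.51.100.7"),
    ("2024-05-01", "shop.example", "A", "198.51.100.7"),
    ("2024-05-01", "shop.example", "SOA", "ns1.shop.example hostmaster.shop.example 2024050101 3600 900 604800 300"),
    ("2024-05-01", "shop.example", "MX", "10 mail.shop.example"),
    ("2024-05-20", "shop.example", "NS", "ns1.shop.example"),
    ("2024-05-20", "shop.example", "NS", "ns2.shop.example"),
    ("2024-05-20", "shop.example", "SOA", "ns1.shop.example hostmaster.shop.example 2024052001 3600 900 604800 300"),
    ("2024-05-20", "shop.example", "MX", "10 mail.shop.example"),
    ("2024-06-02", "shop.example", "NS", "ns1.dns-provider.example"),
    ("2024-06-02", "shop.example", "NS", "ns2.dns-provider.example"),
    ("2024-06-02", "ns1.dns-provider.example", "A", "203.0.113.53"),
    ("2024-06-02", "ns2.dns-provider.example", "A", "203.0.113.54"),
    ("2024-06-02", "shop.example", "A", "198.51.100.7"),
    ("2024-06-02", "shop.example", "SOA", "ns1.dns-provider.example hostmaster.shop.example 2024060201 3600 900 604800 300"),
    ("2024-06-02", "shop.example", "MX", "10 mx.mailhost.example"),
]


def answers(obs, name, rrtype, on=None):
    """Set of answers for (name, rrtype), optionally restricted to one observation date."""
    return {a for seen, n, t, a in obs if n == name and t == rrtype and (on is None or seen == on)}


def self_hosted(obs, domain, on):
    """True when a nameserver of `domain` resolves to an IP that also serves the domain's A record."""
    ns_ips = set()
    for ns in answers(obs, domain, "NS", on):
        ns_ips |= answers(obs, ns, "A", on)
    return bool(ns_ips & answers(obs, domain, "A", on))


def soa_serial_changes(obs, domain):
    """(seen, old_serial, new_serial) for every observation where the SOA serial moved."""
    serials = sorted((seen, int(a.split()[2])) for seen, n, t, a in obs if n == domain and t == "SOA")
    changes, prev = [], None
    for seen, serial in serials:
        if prev is not None and serial != prev:
            changes.append((seen, prev, serial))
        prev = serial
    return changes


def record_set_hash(values):
    """Hash of a record set. Assumption: SHA-256 over the sorted, lower-cased values,
    truncated to 16 hex chars; the platform's own nshash/mxhash construction is not documented here."""
    canon = "\n".join(sorted(v.lower() for v in values))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def hash_changes(obs, domain, rrtype):
    """Walk the observation dates in order and report when the NS or MX set hash changes.
    Returns (events, table): events are (seen, old_hash, new_hash); table maps hash -> names."""
    dates = sorted({seen for seen, n, t, _ in obs if n == domain and t == rrtype})
    events, table, prev = [], {}, None
    for seen in dates:
        names = tuple(sorted(answers(obs, domain, rrtype, on=seen)))
        h = record_set_hash(names)
        table[h] = names
        if h != prev:
            events.append((seen, prev, h))
        prev = h
    return events, table


def translate(table, h):
    """Turn a stored hash back into the server names it stands for (None if unknown)."""
    return table.get(h)


if __name__ == "__main__":
    for on in ("2024-05-01", "2024-06-02"):
        print(on, "self-hosted:", self_hosted(OBSERVATIONS, "shop.example", on))
    print("SOA serial changes:", soa_serial_changes(OBSERVATIONS, "shop.example"))
    for rrtype in ("NS", "MX"):
        events, table = hash_changes(OBSERVATIONS, "shop.example", rrtype)
        for seen, old, new in events:
            print(seen, rrtype, "hash", old, "->", new, "=", translate(table, new))
```

On this timeline the domain is self-hosted on 2024-05-01 and no longer so on 2024-06-02; the SOA serial moves twice, but only the second move coincides with a new nameserver set hash and a new MX set hash, which is the combination that would prompt a closer look at the 2024-06-02 records.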

Query Saving and Collaboration

  • Organizational users can save queries in the Private Queries menu for reuse or sharing, streamlining workflows and fostering collaboration.

Integration and Ecosystem

PADNS queries integrate with platforms like Splunk SOAR and Cortex XSOAR, enabling automated enrichment of DNS data and live URL scans. The API provides programmatic access to query results, returning detailed responses like ASN details, IP diversity scores, or SOA record components. For example, querying the domain example.com for IP diversity might return:

  • IP Diversity Score: 10 unique IPs

  • ASNs: 13335 (CLOUDFLARENET), 15169 (GOOGLE)

  • Timeline: IPs and timestamps (first_seen, last_seen)