Perform Passive DNS Scans and Record-Specific Lookups


Silent Push provides powerful tools for scanning passive DNS data to uncover insights about domains, IPs, and infrastructure, enabling security teams to detect threats like DNS hijacking, domain squatting, fast-flux, and more. This article guides you through executing passive DNS scans, targeting specific record types, and monitoring results for changes.

Passive DNS Scanning

Passive DNS data provides a historical view of domain-to-IP mappings and related infrastructure, enabling the identification of malicious activity or misconfigurations. Silent Push supports a range of query types, including:

  • Forward lookups: Map domains to IPs or other records (e.g., A, AAAA, CNAME, MX, NS, TXT, SOA).

  • Reverse lookups: Map IPs to domains or other records.

  • Domains hosted on a server: Identify domains on specific nameservers or mailservers.

  • Domains hosted on an IP: Find domains pointing to a specific IP.

  • IP diversity: Track the number of IPs a domain has pointed to over time.

  • Nameserver changes: Monitor changes in nameservers for a domain.

Results appear on the Explore screen, where you can:

  • Monitor observables for changes.

  • Save observables to a feed.

  • Perform further DNS queries on individual data points.

  • Export raw data.

  • Obtain risk scores.

  • Enrich observables.

Wildcard searches are supported at the beginning or end of a domain string (not both).

Supported DNS Record Types

Forward Lookups

  • A: Maps a domain to an IPv4 address (e.g., 192.0.2.1). Useful for identifying servers hosting a domain and detecting DNS hijacking.

  • AAAA: Maps a domain to an IPv6 address (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

  • CNAME: Creates an alias from one domain to another.

  • MX: Identifies mail servers for receiving domain email.

  • NS: Specifies authoritative nameservers for the domain.

  • TXT: Stores text data, often for SPF/DMARC policies or verification.

  • SOA: Defines administrative details for the DNS zone.

  • PTR4: Used in specific forward contexts for IPv4 reverse lookups.

  • Any IPv4/IPv6: Queries across all address types.

Reverse Lookups (map IPs to domains/records)

  • A: Identifies domains linked to an IPv4 address (less common).

  • AAAA: Identifies domains linked to an IPv6 address.

  • PTR4: Maps an IPv4 address to a domain.

  • CNAME: Reveals aliases linked to an IP.

  • MX: Identifies mail servers tied to an IP.

  • TXT: Retrieves text records associated with an IP.

Perform Passive DNS Scans

Silent Push offers multiple methods to initiate scans, depending on your workflow.

Method 1: Via Explore DNS Data

  1. Navigate to DNS Data > Explore Indicator DNS Data.

  2. Enter a domain or IP in the search bar.

  3. Select a lookup type:

      • Forward (Query): For A, AAAA, CNAME, MX, NS, TXT, SOA, or any IPv4/IPv6.

      • Reverse (Answer): For A, AAAA, PTR4, CNAME, MX, or TXT.

  4. Click Lookup PADNS.

Method 2: Via Top Navigation

  1. Enter a domain or IP in the search bar in the top navigation pane.

  2. Click Lookup PADNS.

Specific Query Types

Domains Hosted on a Server (Nameservers/Mailservers)

  1. Navigate to DNS Data > Domains Hosted on Server.

  2. Enter the server’s domain name.

  3. Select Server Type (NS or mail server).

  4. (Optional) Specify time frames for when the record was first/last seen or check Last 24 Hours.

  5. Specify a Sort Order for results.

  6. Click Search.

Domains Hosted on an IP (Reverse A)

  1. Navigate to DNS Data > Domains Hosted on IP.

  2. Specify an IP address and optional netmask.

  3. (Optional) Include/exclude subdomains.

  4. (Optional) Specify time frames for when the A record was first/last seen or check Last 24 Hours.

  5. Specify a Sort Order.

  6. Click Search.

IP Diversity of a Domain

  1. Navigate to DNS Data > IP Diversity of Domain.

  2. Specify a domain.

  3. (Optional) Select record type (A/AAAA) and a time period.

  4. Click Search.

Nameserver Changes

  1. Navigate to DNS Data > Domain Name Server Changes.

  2. Specify a domain.

  3. Click Search.

TXT Records

  1. Navigate to Attack Surface Mapping > Digital Footprint for Domain > Domain TXT Records.

  2. Specify a domain.

  3. (Optional) Specify time frames for when the TXT record was first/last seen or check Last 24 Hours.

  4. (Optional) Specify a Sort Order.

  5. Click Search.

Security Use Cases

  • DNS Hijacking/Spoofing: Forward A lookups help verify domain-to-IP mappings, detecting unauthorized redirects.

  • Domain Squatting/Spoofing: Reverse A lookups identify domains on the same IP, revealing potential impersonation.

  • Fast-Flux/DGA Detection: IP diversity queries track rapid IP changes, indicating malicious tactics.

  • Infrastructure Analysis: Nameserver/mailserver queries uncover shared infrastructure linked to threat actors.

  • Configuration Validation: TXT record lookups verify SPF/DMARC settings to ensure email security.

  • Domain Hopping: Nameserver change tracking identifies suspicious infrastructure shifts.
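As an added illustration (not Silent Push code), the following Python models four of the query types described above over a small constructed passive DNS record set: the wildcard rule (one wildcard, at the beginning or the end, never both), IP diversity of a domain, reverse A with an optional netmask, and nameserver change tracking. The record layout, the meaning given to "exclude subdomains" (keep two-label apex names only) and the wildcard matching semantics are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample passive-DNS records (not real data); ISO dates compare as strings:
# (query name, record type, answer, first seen, last seen)
RECORDS = [
    ("www.example.com", "A", "192.0.2.10", "2024-01-01", "2024-01-03"),
    ("www.example.com", "A", "192.0.2.11", "2024-01-02", "2024-01-02"),
    ("www.example.com", "A", "198.51.100.5", "2024-01-03", "2024-01-03"),
    ("www.example.com", "A", "203.0.113.9", "2024-01-03", "2024-01-04"),
    ("shop.example.com", "A", "192.0.2.10", "2024-01-01", "2024-01-04"),
    ("login-example.com", "A", "192.0.2.77", "2024-01-04", "2024-01-04"),
    ("example.com", "NS", "ns1.example.net", "2023-06-01", "2024-01-02"),
    ("example.com", "NS", "ns1.hosting.example", "2024-01-03", "2024-01-04"),
]

def matches(pattern, name):
    """'*' is allowed at the start (*.example.com) or the end (example.*), not both."""
    stars = pattern.count("*")
    if stars > 1 or (stars == 1 and "*" not in (pattern[0], pattern[-1])):
        raise ValueError("one wildcard only, at the beginning or the end of the string")
    if pattern.startswith("*"):
        return name.endswith(pattern[1:])
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def ip_diversity(pattern, start, end, rrtype="A"):
    """IP diversity: distinct answers for matching names observed within [start, end]."""
    return sorted({ans for q, t, ans, fs, ls in RECORDS
                   if t == rrtype and matches(pattern, q) and fs <= end and ls >= start})

def domains_on_ip(cidr, include_subdomains=True):
    """Reverse A with an optional netmask: names that resolved into the network."""
    net = ip_network(cidr, strict=False)
    names = {q for q, t, ans, _, _ in RECORDS if t == "A" and ip_address(ans) in net}
    if not include_subdomains:
        names = {n for n in names if n.count(".") == 1}  # keep two-label (apex) names only
    return sorted(names)

def nameserver_changes(domain):
    """Nameserver changes: NS answer transitions in first-seen order (date, old, new)."""
    seen = sorted((fs, ans) for q, t, ans, fs, _ in RECORDS if t == "NS" and q == domain)
    return [(cur[0], prev[1], cur[1]) for prev, cur in zip(seen, seen[1:]) if prev[1] != cur[1]]

if __name__ == "__main__":
    ips = ip_diversity("www.example.com", "2024-01-01", "2024-01-04")
    print("www.example.com resolved to", len(ips), "IPs in four days:", ips)
    print("names in 192.0.2.0/24:", domains_on_ip("192.0.2.0/24"))
    print("example.com NS changes:", nameserver_changes("example.com"))
```

Four distinct IPs for one hostname within four days is the kind of IP diversity signal the Fast-Flux/DGA use case relies on, and the single NS transition is what the nameserver change query surfaces for the Domain Hopping case.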

Monitor Results

Monitor scan results to stay updated on changes without manual queries:

  1. On the Explore screen, click the Monitor button (top right).

  2. Specify a Monitor Name and Description.

  3. Click Save.

  4. View monitored queries in Monitors > Monitored Queries.

Monitors run every 24 hours and send an email alert whenever new results appear; any filtering or sorting applied to the original query is not carried over to the monitor. For sharing monitors, refer to the Silent Push documentation on monitor sharing.

Tips

  • Wildcards are supported for domain searches at the beginning or the end of the string (e.g., *.example.com or example.*), but not at both ends simultaneously.

  • Time frame filters (first/last seen) and sorting options narrow results to the period and order you care about.

  • Combine queries (e.g., IP diversity with reverse A) for deeper threat analysis.