---
title: "Perform DNS and Record-Specific Lookups"
slug: "perform-passive-dns-scans-and-record-specific-lookups"
tags: ["Domain TXT Records", "TXT"]
updated: 2025-11-21T19:53:55Z
published: 2025-11-21T19:53:55Z
---

# Perform DNS and Record-Specific Lookups

DNS Data serves as an entry point for targeted PADNS queries. Results from these queries can be pivoted into [Total View](/v1/docs/total-view) for aggregated analysis, visualizations, and Indicator of Future Attack (IOFA) enrichment. This article guides you through executing passive DNS scans, targeting specific record types, and monitoring results for changes.

## DNS Lookups

DNS data provides a historical view of domain-to-IP mappings and related infrastructure, enabling the identification of malicious activity or misconfigurations. Silent Push supports a range of query types, including:

- **Forward lookups**: Map domains to IPs or other records (e.g., A, AAAA, CNAME, MX, NS, TXT, SOA).
- **Reverse lookups**: Map IPs to domains or other records.
- **Domains hosted on a server**: Identify domains on specific nameservers or mailservers.
- **Domains hosted on an IP**: Find domains pointing to a specific IP.
- **IP diversity**: Track the number of IPs a domain has pointed to over time.
- **Nameserver Changes**: Monitor changes to the nameservers for a domain.

These queries form the foundation for the PADNS tab in [Total View](/v1/docs/total-view), where results are automatically aggregated for comprehensive insights. Results appear on the Explore screen, where you can:

- Monitor observables for changes.
- Save observables to a feed.
- Perform further DNS queries on individual data points.
- Export raw data.
- Obtain risk scores.
- Enrich observables.

Enhanced pivoting enables one-click jumps from Explore results to [Total View](/v1/docs/total-view) tabs, such as [Infrastructure Variance](/v1/docs/infrastructure-variance). Wildcard searches are supported at the beginning or end of a domain string (not both).

## Supported DNS Record Types

### Forward Lookups

- **A**: Maps a domain to an IPv4 address (e.g., 192.0.2.1). Useful for identifying servers hosting a domain and detecting DNS hijacking.
- **AAAA**: Maps a domain to an IPv6 address (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
- **CNAME**: Creates an alias from one domain to another.
- **MX**: Identifies mail servers for receiving domain email.
- **NS**: Specifies authoritative nameservers for the domain.
- **TXT**: Stores text data, often for SPF/DMARC policies or verification.
- **SOA**: Defines administrative details for the DNS zone.
- **PTR4**: Used in specific forward contexts for IPv4 reverse lookups.
- **Any IPv4/IPv6**: Queries across all address types.

### Reverse Lookups (map IPs to domains/records)

- **A**: Identifies domains linked to an IPv4 address (less common).
- **AAAA**: Identifies domains linked to an IPv6 address.
- **PTR4**: Maps an IPv4 address to a domain.
- **CNAME**: Reveals aliases linked to an IP.
- **MX**: Identifies mail servers tied to an IP.
- **TXT**: Retrieves text records associated with an IP.

These record types directly populate the breakdowns in Total View’s [PADNS tab](/v1/docs/domain-wide-view-extend-enrichments-to-subdomains), allowing for seamless correlation.

## Perform DNS Lookups

Silent Push provides multiple methods for initiating scans, tailored to your specific workflow.

### Method 1: Via DNS Data

1. From the left navigation menu, select **DNS Data > Explore Indicator DNS Data**.
2. Enter a domain or IP in the search bar.
3. Select a lookup type:
   - **Forward (Query)**: For A, AAAA, CNAME, MX, NS, TXT, SOA, or any IPv4/IPv6.
   - **Reverse (Answer)**: For A, AAAA, PTR4, CNAME, MX, or TXT.
4. Click **Lookup PADNS**.

### Method 2: Via Top Navigation

1. Enter a domain or IP in the search bar in the top navigation pane.
2. Click **Lookup PADNS**.

## Specific Query Types

### IPs Hosting a Domain

1. From the left navigation menu, select **DNS Data > IPs Hosting a Domain**.
2. Click **Create New +** to initiate a new query, or select an existing query, e.g., **IPs hosting hubspot**.
3. (Optional) Apply time filters (e.g., last 30 days) and sort by risk score or date.
4. Click **Lookup PADNS** to retrieve results.

### Domains Hosted on a Server (Nameservers/Mailservers)

1. From the left navigation menu, select **DNS Data > Domains Hosted on Server**.
2. Enter the server’s domain name.
3. Select **Server Type** (NS or mail server).
4. (Optional) Specify time frames for when the record was first/last seen or check **Last 24 Hours**.
5. Specify a **Sort Order** for results.
6. Click **Search**.

### Domains Hosted on an IP (Reverse A)

1. From the left navigation menu, select **DNS Data > Domains Hosted on IP**.
2. Specify an IP address and optional netmask.
3. (Optional) Include/exclude subdomains.
4. (Optional) Specify time frames for when the A record was first/last seen or check **Last 24 Hours**.
5. Specify a **Sort Order**.
6. Click **Search**.

### IP Diversity of a Domain

1. From the left navigation menu, select **DNS Data > IP Diversity of Domain**.
2. Specify a domain.
3. (Optional) Select record type (A/AAAA) and a time period.
4. Click **Search**.

Pivoting from here to **Total View** enhances detection of outliers with IOFA™ scoring.

### Nameserver Changes

1. From the left navigation menu, select **DNS Data > Domain Name Server Changes**.
2. Specify a domain.
3. Click **Search**.

### TXT Records

1. From the left navigation menu, select **Attack Surface Mapping > Digital Footprint for Domain > Domain TXT Records**.
2. Specify a domain.
3. (Optional) Specify time frames for when the TXT record was first/last seen or check **Last 24 Hours**.
4. (Optional) Specify a **Sort Order**.
5. Click **Search**.

## Security Use Cases

- **DNS Hijacking/Spoofing**: Forward A lookups help verify domain-to-IP mappings and detect unauthorized redirects.
- **Domain Squatting/Spoofing**: Reverse A lookups identify domains on the same IP, revealing potential impersonation.
- **Fast-Flux/DGA Detection**: IP diversity queries track rapid IP changes, indicating malicious tactics.
- **Infrastructure Analysis**: Name server and mail server queries reveal shared infrastructure linked to threat actors.
- **Configuration Validation**: TXT record lookups verify SPF/DMARC settings to ensure email security.
- **Domain Hopping**: Nameserver change tracking identifies suspicious infrastructure shifts.
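The IP diversity and nameserver-change checks above can also be reproduced offline on exported raw data. The following is an added example, not Silent Push code: the row layout, the `ROWS` sample data, the function names, and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows: (query, record type, answer, first_seen, last_seen).
# The field layout is an assumption, not the Silent Push export schema.
ROWS = [
    ("shop.example", "A", "192.0.2.10", "2025-01-02", "2025-06-30"),
    ("shop.example", "NS", "ns1.dns.example", "2025-01-02", "2025-06-30"),
    ("flux.example", "A", "198.51.100.7", "2025-06-01", "2025-06-01"),
    ("flux.example", "A", "198.51.100.99", "2025-06-01", "2025-06-02"),
    ("flux.example", "A", "203.0.113.5", "2025-06-02", "2025-06-02"),
    ("flux.example", "A", "203.0.113.77", "2025-06-03", "2025-06-03"),
    ("flux.example", "NS", "ns1.old.example", "2025-05-01", "2025-06-01"),
    ("flux.example", "NS", "ns1.new.example", "2025-06-02", "2025-06-03"),
]

def ip_diversity(rows, start, end):
    """Count distinct A/AAAA answers per domain seen inside [start, end]."""
    seen = defaultdict(set)
    for query, rtype, answer, first, last in rows:
        if rtype not in ("A", "AAAA"):
            continue
        # A record counts if its observation interval overlaps the window.
        if date.fromisoformat(first) <= end and date.fromisoformat(last) >= start:
            seen[query].add(answer)
    return {domain: len(ips) for domain, ips in seen.items()}

def flag_high_diversity(rows, start, end, threshold=3):
    """Domains whose distinct-IP count in the window exceeds an analyst-chosen threshold."""
    return sorted(d for d, n in ip_diversity(rows, start, end).items() if n > threshold)

def nameserver_changes(rows, domain):
    """Return (date, nameserver) for each NS first seen after the earliest one."""
    ns = sorted((date.fromisoformat(first), answer)
                for query, rtype, answer, first, _ in rows
                if query == domain and rtype == "NS")
    return [(d.isoformat(), name) for d, name in ns[1:]]

if __name__ == "__main__":
    window = (date(2025, 6, 1), date(2025, 6, 7))
    print(ip_diversity(ROWS, *window))
    print(flag_high_diversity(ROWS, *window))
    print(nameserver_changes(ROWS, "flux.example"))
```

A high distinct-IP count over a short window is a triage signal rather than a verdict, since CDNs and load-balanced services also rotate addresses; tune the threshold against known-good domains.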

## Monitor Results

Monitor scan results to stay updated on changes without manual queries:

1. On the **Explore** screen, click the **Monitor** button (top right).
2. Specify a **Monitor Name** and **Description**.
3. Click **Save**.
4. View monitored queries in **Monitors > Monitored Queries**.

Monitors run every 24 hours, sending email alerts for new results (filtering/sorting not applied). For sharing monitors, refer to the Silent Push documentation on monitor sharing.

The DNS Data navigation is designed to complement Total View. Queries like ‘[IPs Hosting a Domain](/v1/docs/perform-passive-dns-scans-and-record-specific-lookups#passive-dns-scanning)’ generate raw PADNS records that populate Total View's tabs (e.g., A records in PADNS). To tie them together, run a DNS Data query, then use blue pivots on results to open Total View for risk scoring and threat feeds.

> Wildcards are supported for domain searches (e.g., `*.example.com` or `example.*`) but not both simultaneously. Time-frame filters (first/last seen) and sorting options enhance the precision of results. Combine queries (e.g., IP diversity with reverse A) for deeper threat analysis.

**Indicator of Future Attack (IOFA)**: A predictive threat signal derived from Silent Push’s analysis of attacker behavior and infrastructure, enabling proactive mitigation of potential cyberattacks before they occur.
