Query DNS Records and Domain Density


Passive DNS (PADNS) queries let security teams analyze historical DNS records and domain density to uncover attacker infrastructure, link records to one another, and identify malicious patterns. Forward lookups, reverse lookups and domain density analysis each give a different view of DNS record types and their associations.

Search Passive DNS Data (Forward Lookup)

Search Silent Push’s passive DNS data to link records to global attacker infrastructure using various record types.

  1. Navigate to Advanced Query Builder > PADNS Queries > Forward lookup.

  2. Select a record type (qtype): A, AAAA, CNAME, MX, NS, PTR4, PTR6, ANY, SOA, TXT.

  3. Specify a record name in qname.

  4. Optional parameters:

    1. For PTR4 or PTR6, specify a netmask.

    2. For A or AAAA, include/exclude subdomains.

    3. Include/exclude metadata.

    4. Use a regular expression (re2) to override qname.

    5. Set timestamps: first_seen_before/after, last_seen_before/after, as_of.

    6. Sort results by columns (last_seen, first_seen, query, answer) in asc or desc order.

    7. Limit or skip results.

  5. Click Search.

Use Case: Map relationships between domains and IPs to track phishing or malware infrastructure.

Search Passive DNS Data (Reverse Lookup)

Reverse lookups map IPs or other DNS records back to associated domains or records, using data from trusted third parties to identify attacker infrastructure.

  1. Navigate to Advanced Query Builder > PADNS Queries > Reverse lookup.

  2. Select a record type (qtype): A, AAAA, CNAME, MX, NS, PTR4, PTR6, ANY, SOA, TXT, MXHASH, NSHASH, SOAHASH, TXTHASH.

  3. Specify a record name in qname (e.g., an IP address for A/AAAA or a hash for MXHASH/NSHASH).

  4. Optional parameters:

    1. For PTR4 or PTR6, specify a netmask.

    2. For A or AAAA, include/exclude subdomains.

    3. Include/exclude metadata.

    4. Use a regular expression (re2) to override qname.

    5. Set timestamps: first_seen_before/after, last_seen_before/after, as_of.

    6. Sort results by columns (last_seen, first_seen, query, answer) in asc or desc order (separate nested sort keys with semicolons).

    7. Limit or skip results.

  5. Click Search.

Use Case: Identify domains associated with a specific IP or hash to uncover attacker-controlled infrastructure.
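The following block is an added example, not Silent Push's own code or API: it models the forward and reverse lookups described in the two procedures above over a small constructed set of passive DNS records, so the effect of each optional parameter (subdomain inclusion, PTR4 netmask, regex override, the first_seen/last_seen/as_of filters, nested sort, limit and skip) can be seen offline. The record layout, the `column:asc|desc` sort syntax, the reading of as_of as "the record was live on that date" and the use of Python's `re` in place of RE2 are all assumptions made for the example.

```python
import ipaddress
import re

# Record types accepted by the forward and reverse lookups on this page.
FORWARD_QTYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR4", "PTR6", "ANY", "SOA", "TXT"}
REVERSE_QTYPES = FORWARD_QTYPES | {"MXHASH", "NSHASH", "SOAHASH", "TXTHASH"}
SORT_COLUMNS = ("last_seen", "first_seen", "query", "answer")

# Constructed sample of passive DNS observations (not real Silent Push data).
# PTR4 rows carry the IPv4 address as the query name, which is what the netmask option acts on.
RECORDS = [
    {"query": q, "qtype": t, "answer": a, "first_seen": fs, "last_seen": ls}
    for q, t, a, fs, ls in [
        ("login.example.test", "A",     "203.0.113.10",         "2024-01-05", "2024-03-01"),
        ("mail.example.test",  "A",     "203.0.113.10",         "2024-01-20", "2024-02-10"),
        ("example.test",       "A",     "203.0.113.20",         "2023-11-01", "2024-03-01"),
        ("paypa1-secure.test", "A",     "203.0.113.10",         "2024-02-15", "2024-02-28"),
        ("cdn.example.test",   "CNAME", "edge.provider.test",   "2024-02-01", "2024-03-01"),
        ("example.test",       "NS",    "ns1.provider.test",    "2023-11-01", "2024-03-01"),
        ("203.0.113.10",       "PTR4",  "login.example.test",   "2024-01-05", "2024-03-01"),
        ("203.0.113.11",       "PTR4",  "vps-11.provider.test", "2023-06-01", "2024-03-01"),
    ]
]


def _name_matches(value, qname, qtype, subdomains, netmask, regex):
    """qname rules from the page: a regex overrides qname; PTR4/PTR6 may carry a
    netmask; A/AAAA may include subdomains of qname; otherwise exact match."""
    if regex is not None:
        # Python's re stands in for RE2 here (assumption); the patterns used are valid in both.
        return re.fullmatch(regex, value) is not None
    if qtype in ("PTR4", "PTR6") and netmask is not None:
        net = ipaddress.ip_network(f"{qname}/{netmask}", strict=False)
        try:
            return ipaddress.ip_address(value) in net
        except ValueError:  # value is a hostname, not an address
            return False
    if subdomains and qtype in ("A", "AAAA"):
        return value == qname or value.endswith("." + qname)
    return value == qname


def _in_window(rec, first_seen_before, first_seen_after, last_seen_before, last_seen_after, as_of):
    """Timestamp filters; ISO-8601 dates compare correctly as strings.
    as_of is read as 'the record was live on that date' (assumption)."""
    fs, ls = rec["first_seen"], rec["last_seen"]
    if first_seen_before is not None and fs >= first_seen_before:
        return False
    if first_seen_after is not None and fs <= first_seen_after:
        return False
    if last_seen_before is not None and ls >= last_seen_before:
        return False
    if last_seen_after is not None and ls <= last_seen_after:
        return False
    if as_of is not None and not fs <= as_of <= ls:
        return False
    return True


def _apply_sort(rows, sort):
    """sort is 'column:asc|desc', nested with semicolons, e.g. 'last_seen:desc;query:asc'
    (syntax assumed). Python's sort is stable, so applying the least significant
    key first produces the nested order."""
    if not sort:
        return rows
    for term in reversed(sort.split(";")):
        column, _, order = term.strip().partition(":")
        if column not in SORT_COLUMNS or order.lower() not in ("", "asc", "desc"):
            raise ValueError(f"bad sort term: {term!r}")
        rows = sorted(rows, key=lambda r: r[column], reverse=order.lower() == "desc")
    return rows


def padns_lookup(direction, qtype, qname, *, subdomains=False, netmask=None, regex=None,
                 first_seen_before=None, first_seen_after=None, last_seen_before=None,
                 last_seen_after=None, as_of=None, sort=None, limit=None, skip=0,
                 records=RECORDS):
    """Forward lookups match on the record name (query); reverse lookups match on
    the record data (answer). Returns matching rows after sort, skip and limit."""
    allowed = FORWARD_QTYPES if direction == "forward" else REVERSE_QTYPES
    if qtype not in allowed:
        raise ValueError(f"{qtype} is not a valid {direction} qtype")
    field = "query" if direction == "forward" else "answer"
    rows = [r for r in records
            if (qtype == "ANY" or r["qtype"] == qtype)
            and _name_matches(r[field], qname, qtype, subdomains, netmask, regex)
            and _in_window(r, first_seen_before, first_seen_after,
                           last_seen_before, last_seen_after, as_of)]
    rows = _apply_sort(rows, sort)
    end = None if limit is None else skip + limit
    return rows[skip:end]


def forward_lookup(qtype, qname, **options):
    return padns_lookup("forward", qtype, qname, **options)


def reverse_lookup(qtype, qname, **options):
    return padns_lookup("reverse", qtype, qname, **options)


if __name__ == "__main__":
    # Pivot: every name that ever resolved to the suspect IP, most recently seen first.
    for r in reverse_lookup("A", "203.0.113.10", sort="last_seen:desc;query:asc"):
        print(r["query"], r["first_seen"], r["last_seen"])
```

The reverse A lookup with `first_seen_after` is the pivot a practitioner runs most often: it isolates names that moved onto an IP after a known-bad domain appeared there, and the as_of filter answers the different question of which names were live on the IP on a given day.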

Establish Domain Density

Domain density measures the number of unique domains associated with a network element (e.g., DNS record, IP, ASN). High density can indicate bulk-registered or attacker-controlled infrastructure, but it is also normal for shared hosting, CDNs and domain-parking services, so compare the count against what is typical for that provider or subnet before treating it as a signal.

  1. Navigate to Advanced Query Builder > PADNS Queries > density lookup.

  2. Select a query type: Nameserver, MX server, Nameserver hash, MX hash, IPv4 address, IPv6 address, ASN.

  3. Enter a query value.

  4. Choose a scope:

    1. For IPv4: IP (exact match), subnet, subnet_ips, asn, asn_subnets.

    2. For ASN: asn, asn_subnets.

    3. For NSSRV (nameserver) or MXSRV (MX server): host (exact match), domain, subdomain.

  5. Click Search.

Use Case: Identify patterns of malicious activity by analyzing domain concentration on specific IPs or ASNs.
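The following block is an added example, not Silent Push's own code or API: it computes domain density for the IPv4, ASN and nameserver scopes listed above over a constructed passive DNS sample, so the difference between the exact-match scopes (ip, asn, host) and the breakdown scopes (subnet_ips, asn_subnets, subdomain) is visible offline. The sample data, the prefix-to-ASN table, the choice of /24 as the subnet size and the counting of unique hostnames as observed (rather than collapsing subdomains to their apex) are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed passive DNS sample (not real Silent Push data): one row per
# (domain, A-record IPv4 address, authoritative nameserver host).
OBSERVATIONS = [
    ("example.test",         "203.0.113.10", "ns1.provider.test"),
    ("login.example.test",   "203.0.113.10", "ns1.provider.test"),
    ("paypa1-secure.test",   "203.0.113.10", "ns1.bulletproof.test"),
    ("micros0ft-login.test", "203.0.113.10", "ns1.bulletproof.test"),
    ("app1e-id.test",        "203.0.113.10", "ns1.bulletproof.test"),
    ("shop.test",            "203.0.113.11", "ns2.provider.test"),
    ("blog.test",            "203.0.113.77", "ns2.provider.test"),
    ("corp.test",            "198.51.100.5", "ns1.provider.test"),
]

# Constructed prefix -> ASN table standing in for the platform's routing data.
PREFIX_TO_ASN = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64500, "192.0.2.0/24": 64501}

SUBNET_PREFIXLEN = 24  # assumption: the "subnet" scope means the covering /24


def asn_for(ip):
    """Origin ASN of an address according to the constructed table (None if unrouted)."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None


def subnet_of(ip):
    return str(ipaddress.ip_network(f"{ip}/{SUBNET_PREFIXLEN}", strict=False))


def _under(host, domain):
    """True when host is the domain itself or a label below it."""
    return host == domain or host.endswith("." + domain)


def _count(predicate):
    """Unique domains whose observation satisfies predicate(ip, ns_host)."""
    return len({d for d, ip, ns in OBSERVATIONS if predicate(ip, ns)})


def _breakdown(key_fn):
    """Density per group: unique domains keyed by key_fn(ip, ns_host); None keys are skipped."""
    groups = defaultdict(set)
    for d, ip, ns in OBSERVATIONS:
        key = key_fn(ip, ns)
        if key is not None:
            groups[key].add(d)
    return {k: len(v) for k, v in sorted(groups.items())}


def density(query_type, value, scope):
    """Domain density for the scopes on this page. Exact scopes return a count;
    breakdown scopes return {element: count} so hot spots can be compared."""
    if query_type == "IPv4":
        if scope == "ip":
            return _count(lambda ip, ns: ip == value)
        if scope == "subnet":
            return _count(lambda ip, ns: subnet_of(ip) == subnet_of(value))
        if scope == "subnet_ips":
            return _breakdown(lambda ip, ns: ip if subnet_of(ip) == subnet_of(value) else None)
        if scope in ("asn", "asn_subnets"):
            return density("ASN", asn_for(value), scope)
    elif query_type == "ASN":
        if scope == "asn":
            return _count(lambda ip, ns: asn_for(ip) == value)
        if scope == "asn_subnets":
            return _breakdown(lambda ip, ns: subnet_of(ip) if asn_for(ip) == value else None)
    elif query_type == "NSSRV":
        if scope == "host":
            return _count(lambda ip, ns: ns == value)
        if scope == "domain":
            return _count(lambda ip, ns: _under(ns, value))
        if scope == "subdomain":
            return _breakdown(lambda ip, ns: ns if _under(ns, value) else None)
    raise ValueError(f"unsupported scope {scope!r} for {query_type}")


if __name__ == "__main__":
    # A per-IP breakdown shows whether one host in the /24 carries most of the domains.
    print(density("IPv4", "203.0.113.10", "subnet_ips"))
    # The same pivot at ASN level, then the nameserver that the suspicious names share.
    print(density("IPv4", "203.0.113.10", "asn_subnets"))
    print(density("NSSRV", "bulletproof.test", "subdomain"))
```

Reading the breakdown scopes side by side is what makes density useful: a single IP holding most of its /24's domains, or a single nameserver host under an otherwise quiet domain, stands out in a way the flat count for the whole subnet or ASN does not.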

Save Queries

Users with an organizational account can save queries for reuse or for sharing with colleagues.

  1. Specify query parameters.

  2. Click Save Query.

  3. Provide a Name and Description for context.

  4. Click Save. The query appears in Private Queries.