Silent Push enables security teams to query self-hosted domains and Start of Authority (SOA) records to detect malicious infrastructure and track DNS changes. These tools help identify domains controlled by threat actors and monitor zone updates that may indicate suspicious activity.
Search for Self-Hosted Domains
Self-hosted domains are domains whose nameservers sit within the same domain and are hosted on the same IP as the domain’s A record (active within 30 days). They are often used for phishing or malware.
Navigate to Advanced Query Builder > PADNS Queries > Search Self-hosted Domains.
Specify a domain or wildcard pattern, or use a regular expression to override it.
Optional parameters:
domain_asnum or nssrv_asnum to filter by the ASN of the domain's or the nameserver's A record.
asname, asname_starts_with, or asname_contains to filter by AS names.
asn_match options: Any, All, Limit (with min/max).
Include with_metadata.
Limit or skip results.
Click Search.
Use Case: Detect attacker-controlled infrastructure for phishing or malware distribution.
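The self-hosted definition above, applied to local data as an added example (not Silent Push code and not a call to its API). The record tuples, the self_hosted_domains function, and the reading that every nameserver must sit inside the domain and share an IP with it are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed passive-DNS observations: (name, type, answer, last_seen).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
RECORDS = [
    # In-domain nameservers on the domain's own IP, recently seen.
    ("login-portal.example", "A", "203.0.113.10", "2024-06-25"),
    ("login-portal.example", "NS", "ns1.login-portal.example.", "2024-06-25"),
    ("login-portal.example", "NS", "NS2.login-portal.example", "2024-06-24"),
    ("ns1.login-portal.example", "A", "203.0.113.10", "2024-06-25"),
    ("ns2.login-portal.example", "A", "203.0.113.10", "2024-06-24"),
    # Nameserver belongs to a different domain.
    ("shop.example", "A", "198.51.100.7", "2024-06-20"),
    ("shop.example", "NS", "ns1.dns-provider.example", "2024-06-20"),
    ("ns1.dns-provider.example", "A", "198.51.100.53", "2024-06-20"),
    # Matches the pattern, but last seen outside the 30-day window.
    ("old.example", "A", "192.0.2.5", "2024-03-01"),
    ("old.example", "NS", "ns1.old.example", "2024-03-01"),
    ("ns1.old.example", "A", "192.0.2.5", "2024-03-01"),
    # In-domain nameserver, but on a different IP than the domain.
    ("split.example", "A", "192.0.2.20", "2024-06-28"),
    ("split.example", "NS", "ns1.split.example", "2024-06-28"),
    ("ns1.split.example", "A", "192.0.2.21", "2024-06-28"),
]

def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def self_hosted_domains(records, now, max_age_days=30):
    """Return domains whose nameservers are in-domain and share the domain's IP."""
    cutoff = now - timedelta(days=max_age_days)
    a_recs, ns_recs = {}, {}
    for name, rtype, answer, last_seen in records:
        seen = datetime.strptime(last_seen, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if seen < cutoff:
            continue  # ignore observations older than the activity window
        if rtype == "A":
            a_recs.setdefault(_norm(name), set()).add(answer)
        elif rtype == "NS":
            ns_recs.setdefault(_norm(name), set()).add(_norm(answer))
    hits = []
    for domain, servers in ns_recs.items():
        domain_ips = a_recs.get(domain, set())
        if all(s.endswith("." + domain) and a_recs.get(s, set()) & domain_ips
               for s in servers):
            hits.append(domain)
    return sorted(hits)
```

Widening max_age_days shows how the activity window changes the result: old.example only qualifies once stale observations are admitted.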
Scan for SOA Records
SOA records provide administrative details about a DNS zone, such as primary nameservers and timing parameters. Monitoring changes to these records helps detect malicious updates.
Navigate to Advanced Query Builder > PADNS Queries > Search SOA Records.
Specify a domain (wildcards supported) or regular expression.
Optional parameters:
ns or mbox: the nameserver or mbox component of the SOA record, with a “self” option for domain matching.
serial, refresh, retry, expire, or TTL values (exact, or a min/max range).
Timestamps: first_seen_before/after, last_seen_before/after, as_of.
Sort by columns (last_seen, first_seen, query, answer) in asc or desc order.
Limit, skip, or restrict results per domain with limit_by_n.
Click Search.
Use Case: Track DNS zone changes to identify new subdomains or IP updates linked to malicious activity.
Save Queries
Organizational users can save queries for future use or sharing.
Specify query parameters.
Click Save Query.
Provide a Name and Description for context.
Click Save. The query appears in Private Queries.