- 16 May 2023
Scan for nameserver changes
- Updated on 16 May 2023
Malicious actors often use tactics such as domain hopping or domain fronting to evade detection and propagate malicious activity. By changing the nameservers associated with a domain, threat groups are able to evade detection and continue their activities under a different set of infrastructure.
By monitoring changes to nameservers associated with a domain, security teams can pinpoint connections between different domains and nameservers, and identify previously unknown threat actors or infrastructure based on different patterns of behaviour.
Additionally, if a domain is repeatedly changing nameservers or associated infrastructure, it may be an indication that the domain's security controls or practices are inadequate, and that the domain is vulnerable to attack.
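The reasoning above can be applied to any history of NS observations. The following is an added example, not Silent Push code or output: the record layout, the `.test` domain names, and the 30-day / 2-change threshold are all constructed assumptions. It derives change events, finds nameservers that several domains moved to, and flags domains that change repeatedly.

```python
from collections import defaultdict
from datetime import date

# Constructed sample observations (not real data): (domain, date seen, NS set)
OBSERVATIONS = [
    ("shop-example.test", date(2023, 1, 3), {"ns1.host-a.test", "ns2.host-a.test"}),
    ("shop-example.test", date(2023, 2, 10), {"ns1.host-b.test", "ns2.host-b.test"}),
    ("shop-example.test", date(2023, 2, 24), {"ns1.host-c.test", "ns2.host-c.test"}),
    ("shop-example.test", date(2023, 3, 2), {"NS1.host-c.test.", "ns2.host-c.test"}),
    ("login-example.test", date(2023, 1, 15), {"ns1.host-d.test"}),
    ("login-example.test", date(2023, 2, 26), {"ns1.host-c.test", "ns2.host-c.test"}),
    ("stable-example.test", date(2023, 1, 1), {"ns1.host-e.test"}),
    ("stable-example.test", date(2023, 3, 1), {"ns1.host-e.test"}),
]

def ns_changes(observations):
    """Return {domain: [(date, removed, added), ...]} for each change of NS set."""
    last, changes = {}, defaultdict(list)
    for domain, seen, ns in sorted(observations, key=lambda o: (o[0], o[1])):
        ns = frozenset(n.lower().rstrip(".") for n in ns)  # normalise case and root dot
        if domain in last and ns != last[domain]:
            changes[domain].append((seen, last[domain] - ns, ns - last[domain]))
        last[domain] = ns
    return dict(changes)

def shared_nameservers(changes):
    """Nameservers that more than one domain moved to: a pivot between domains."""
    moved_to = defaultdict(set)
    for domain, events in changes.items():
        for _, _, added in events:
            for ns in added:
                moved_to[ns].add(domain)
    return {ns: doms for ns, doms in moved_to.items() if len(doms) > 1}

def frequent_changers(changes, window_days=30, threshold=2):
    """Domains with at least `threshold` NS changes inside any `window_days` span."""
    flagged = set()
    for domain, events in changes.items():
        dates = [d for d, _, _ in events]
        for i in range(len(dates) - threshold + 1):
            if (dates[i + threshold - 1] - dates[i]).days <= window_days:
                flagged.add(domain)
    return flagged

if __name__ == "__main__":
    changes = ns_changes(OBSERVATIONS)
    print(shared_nameservers(changes))
    print(frequent_changers(changes))
```
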
Silent Push allows you to search for all nameserver changes associated with a specific domain:
1. Navigate to Advanced Query Builder > Domain Queries > Nameserver Changes
2. Specify a Domain
3. (Optional) Click Summary to return a set of summarized results
4. Click Search
5. (Optional) Click Explore Table View to visualise the results and look up passive DNS data for returned nameservers
Saving queries
Organizational users are able to save individual queries run from Advanced Query Builder, and store them in the Private Queries menu for future analysis, or to share with their organization.
1. Specify the query parameters
2. Click Save Query
3. Give your query a Name
4. Specify a Description to add more context
5. Click Save