Scan for nameserver changes
    • 16 May 2023

    Malicious actors often use tactics such as domain hopping or domain fronting to evade detection and propagate malicious activity. By changing the nameservers associated with a domain, threat groups are able to evade detection and continue their activities under a different set of infrastructure.

    By monitoring changes to nameservers associated with a domain, security teams can pinpoint connections between different domains and nameservers, and identify previously unknown threat actors or infrastructure based on different patterns of behaviour.

    Additionally, if a domain is repeatedly changing nameservers or associated infrastructure, it may be an indication that the domain's security controls or practices are inadequate, and that the domain is vulnerable to attack.
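The two signals described above (domains that change nameservers repeatedly, and different domains that land on the same nameservers) can be computed from any set of dated NS observations. The following is an added example, not Silent Push code or its export format: the observation tuples, the 90-day window and the two-change threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample observations: (domain, date observed, nameserver set).
# The tuple layout is an assumption for this example, not a product export format.
OBSERVATIONS = [
    ("shop-example.test", date(2023, 1, 5), {"ns1.host-a.test", "ns2.host-a.test"}),
    ("shop-example.test", date(2023, 2, 1), {"NS1.host-a.test.", "ns2.host-a.test"}),
    ("shop-example.test", date(2023, 2, 20), {"ns1.host-b.test", "ns2.host-b.test"}),
    ("shop-example.test", date(2023, 3, 3), {"ns1.host-c.test", "ns2.host-c.test"}),
    ("login-example.test", date(2023, 2, 25), {"ns1.host-b.test", "ns2.host-b.test"}),
    ("stable-example.test", date(2023, 1, 1), {"ns1.host-d.test", "ns2.host-d.test"}),
    ("stable-example.test", date(2023, 3, 1), {"ns1.host-d.test", "ns2.host-d.test"}),
]

def nameserver_changes(observations):
    """Return {domain: [(date, old_set, new_set), ...]} for every change of NS set."""
    last_seen = {}
    changes = defaultdict(list)
    for domain, seen, ns in sorted(observations, key=lambda o: (o[0], o[1])):
        ns = frozenset(n.lower().rstrip(".") for n in ns)  # normalise case and root dot
        prev = last_seen.get(domain)
        if prev is not None and prev != ns:
            changes[domain].append((seen, prev, ns))
        last_seen[domain] = ns
    return dict(changes)

def frequent_changers(changes, window_days=90, threshold=2):
    """Domains with at least `threshold` changes inside any `window_days` span."""
    flagged = []
    for domain, events in changes.items():
        dates = [e[0] for e in events]
        for i in range(len(dates) - threshold + 1):
            if (dates[i + threshold - 1] - dates[i]).days <= window_days:
                flagged.append(domain)
                break
    return sorted(flagged)

def shared_nameservers(observations):
    """Map each nameserver to the domains seen on it; keep those with more than one."""
    by_ns = defaultdict(set)
    for domain, _, ns in observations:
        for n in ns:
            by_ns[n.lower().rstrip(".")].add(domain)
    return {n: sorted(d) for n, d in by_ns.items() if len(d) > 1}

if __name__ == "__main__":
    found = nameserver_changes(OBSERVATIONS)
    print(frequent_changers(found), shared_nameservers(OBSERVATIONS))
```

Shared nameservers at a large DNS provider will link many unrelated domains, so treat the pivot output as a lead to review rather than as attribution.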

    Silent Push allows you to search for all nameserver changes associated with a specific domain:

    1. Navigate to Advanced Query Builder > Domain Queries > Nameserver Changes

    2. Specify a Domain

    3. (Optional) Click Summary to return a set of summarized results

    4. Click Search

    5. (Optional) Click Explore Table View to visualise the results and look up passive DNS data for returned nameservers

    Saving queries

    Organizational users are able to save individual queries run from Advanced Query Builder and store them in the Private Queries menu for future analysis, or to share with their organization.

    1. Specify the query parameters

    2. Click Save Query

    3. Give your query a Name

    4. Specify a Description to add more context

    5. Click Save

