Scan for SOA records

  • Updated on May 16, 2023
  • Published on Apr 12, 2023
  • 2 minute(s) read

Start of Authority (SOA) records are a type of DNS record that provides information about the DNS zone in which a particular domain is located.

The SOA record contains administrative information about the domain, including the primary nameserver for the zone, the email address of the responsible person, and various timing parameters that control how often DNS information is refreshed and updated.

SOA records provide a way to track changes and updates to DNS information. When a change is made to a DNS zone, the SOA serial number is incremented, indicating that a change has occurred. This allows other DNS servers to detect and propagate the change, ensuring that all DNS information is consistent and up-to-date.

By monitoring SOA records, security teams can detect changes to DNS information that may indicate malicious activity, such as the creation of new subdomains or changes to the IP addresses associated with a domain.

Silent Push provides a facility for organizations to search SOA records by individual components, including (but not limited to):

  • Serial number
  • Refresh value
  • Timestamps
  • Expiry values
  • Retry values

  1. Navigate to Advanced Query Builder > PADNS Queries > Search SOA Records

  2. Specify a domain (wildcards are supported)

  3. Specify an re2 regular expression (this overrides domain parameter)

  4. Select with_metadata to include metadata in the response

  5. Use ns to specify a name or wildcard pattern of a nameserver component

    1. Self: Only show results where domain of nameserver component matches name of the record's domain

  6. Use mbox to specify a name or wildcard pattern of an mbox component

    1. Self: Only show results where the domain of the mbox component matches name of the record's domain

  7. Specify a serial number (exact match)

  8. Specify a serial number's minimum and maximum values

  9. Specify a refresh value

  10. Specify a refresh value's minimum and maximum values

  11. Specify a retry value

  12. Specify a retry value's minimum and maximum values

  13. Specify an expire value

  14. Specify an expire value's minimum and maximum values

  15. Specify a minimum and maximum TTL value

  16. Specify a series of timestamps (yyyy-mm-dd):

    1. first_seen_after
    2. first_seen_before
    3. last_seen_after
    4. last_seen_before

  17. Specify a date in as_of to only return records where the as_of timestamp equivalent is between the first_seen and the last_seen timestamp

  18. Use sort to order results in a specific order (column/order)

    1. Columns: last_seen, first_seen, query, answer
    2. Order: asc, desc
    3. Separate multiple values with semi-colon
    4. This functions may be repeated with different column names to produce a nested sorting effect

  19. Choose to limit the number of results returned

  20. Choose to skip a specified number of results

  21. Specify a value in limit_by_n to restrict the number of results to return for each domain. This parameter can be used in combination with the sort field to order results by domain name.

  22. Click Search

Saving queries

Organizational users are able to save individual queries ran from Advanced Query Builder, and store them in the Private Queries menu for future analysis, or to share with their organization.

  1. Specify the query parameters

  2. Click Save Query

  3. Give your query a Name

  4. Specify a Description to add more context

  5. Click Save