Scan for SOA records
    • 16 May 2023


    Start of Authority (SOA) records are a type of DNS record that provides information about the DNS zone in which a particular domain is located.

    The SOA record contains administrative information about the domain, including the primary nameserver for the zone, the email address of the responsible person, and various timing parameters that control how often DNS information is refreshed and updated.

    SOA records provide a way to track changes and updates to DNS information. When a change is made to a DNS zone, the SOA serial number is incremented, indicating that a change has occurred. This allows other DNS servers to detect and propagate the change, ensuring that all DNS information is consistent and up-to-date.

    By monitoring SOA records, security teams can detect changes to DNS information that may indicate malicious activity, such as the creation of new subdomains or changes to the IP addresses associated with a domain.

    Silent Push provides a facility for organizations to search SOA records by individual components, including (but not limited to):

    • Serial number
    • Refresh value
    • Timestamps
    • Expiry values
    • Retry values

    To run a search:

    1. Navigate to Advanced Query Builder > PADNS Queries > Search SOA Records

    2. Specify a domain (wildcards are supported)

    3. Specify an RE2 regular expression (this overrides the domain parameter)

    4. Select with_metadata to include metadata in the response

    5. Use ns to specify a name or wildcard pattern for the nameserver component

      1. Self: only show results where the domain of the nameserver component matches the record's domain

    6. Use mbox to specify a name or wildcard pattern for the mbox component

      1. Self: only show results where the domain of the mbox component matches the record's domain

    7. Specify a serial number (exact match)

    8. Specify a serial number's minimum and maximum values

    9. Specify a refresh value

    10. Specify a refresh value's minimum and maximum values

    11. Specify a retry value

    12. Specify a retry value's minimum and maximum values

    13. Specify an expire value

    14. Specify an expire value's minimum and maximum values

    15. Specify a minimum and maximum TTL value

    16. Specify one or more timestamps (yyyy-mm-dd):

      1. first_seen_after
      2. first_seen_before
      3. last_seen_after
      4. last_seen_before

    17. Specify a date in as_of to return only records whose first_seen and last_seen timestamps enclose that date

    18. Use sort to order results (column/order)

      1. Columns: last_seen, first_seen, query, answer
      2. Order: asc, desc
      3. Separate multiple values with a semicolon
      4. This parameter may be repeated with different column names to produce a nested sort

    19. Choose to limit the number of results returned

    20. Choose to skip a specified number of results

    21. Specify a value in limit_by_n to restrict the number of results to return for each domain. This parameter can be used in combination with the sort field to order results by domain name.

    22. Click Search
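    As an added example (not Silent Push's own code, which this page does not show), the following Python parses an SOA record, applies the Self check that the ns and mbox options describe, and compares two snapshots of a zone's SOA the way the monitoring paragraph above suggests, reporting a serial bump alongside the field that changed. The zone, hostnames and serials are constructed sample values, and registered_part is a hypothetical two-label heuristic standing in for a public-suffix lookup.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SOA:
    domain: str   # zone apex the record belongs to
    mname: str    # primary nameserver (the 'ns' component)
    rname: str    # responsible mailbox in DNS form (the 'mbox' component)
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int  # negative-caching TTL

def parse_soa(domain: str, rdata: str) -> SOA:
    """Parse 'MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM' presentation text."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"SOA rdata needs 7 fields, got {len(parts)}")
    mname, rname = (p.rstrip(".").lower() for p in parts[:2])
    return SOA(domain.rstrip(".").lower(), mname, rname, *(int(p) for p in parts[2:]))

def registered_part(name: str) -> str:
    """Last two labels of a name; a constructed heuristic standing in for a public-suffix lookup."""
    return ".".join(name.split(".")[-2:])

def is_self(record: SOA, component: str) -> bool:
    """The 'Self' option: the ns (mname) or mbox (rname) domain matches the record's domain."""
    if component == "ns":
        host = record.mname
    else:  # mbox: the first label is the mailbox local part, the rest is its domain
        host = record.rname.partition(".")[2]
    return registered_part(host) == registered_part(record.domain)

def serial_advanced(old: int, new: int) -> bool:
    """RFC 1982 serial arithmetic: True when 'new' is later than 'old', allowing 32-bit wraparound."""
    diff = (new - old) % 2**32
    return 0 < diff < 2**31

def diff_soa(old: SOA, new: SOA) -> dict:
    """Fields that changed between two snapshots of one zone's SOA, plus a verdict on the serial."""
    changes = {f: (getattr(old, f), getattr(new, f))
               for f in ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
               if getattr(old, f) != getattr(new, f)}
    if "serial" in changes:
        changes["serial_advanced"] = serial_advanced(old.serial, new.serial)
    return changes

# Constructed snapshots: the primary nameserver moved off the zone's own domain and the serial was bumped.
OLD = parse_soa("example.com", "ns1.example.com. hostmaster.example.com. 2023051501 7200 3600 1209600 3600")
NEW = parse_soa("example.com", "ns1.dns-host.net. hostmaster.example.com. 2023051601 7200 3600 1209600 3600")
```

    Calling diff_soa(OLD, NEW) reports the mname change and the serial increment together, which is the pattern the monitoring paragraph describes; a serial that changes without advancing under serial arithmetic is worth a second look.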

    Saving queries

    Organizational users can save individual queries run from Advanced Query Builder and store them in the Private Queries menu for future analysis, or share them with their organization.

    1. Specify the query parameters

    2. Click Save Query

    3. Give your query a Name

    4. Specify a Description to add more context

    5. Click Save
