Search for nameserver changes


Malicious actors often use tactics such as domain hopping or domain fronting to evade detection and propagate malicious activity. By changing the nameservers associated with a domain, threat groups are able to evade detection and continue their activities under a different set of infrastructure.

By monitoring changes to nameservers associated with a domain, security teams can pinpoint connections between different domains and nameservers, and identify previously unknown threat actors or infrastructure based on different patterns of behaviour.

Additionally, if a domain is repeatedly changing nameservers or associated infrastructure, it may be an indication that the domain's security controls or practices are inadequate, and that the domain is vulnerable to attack.

Use Silent Push to search for nameserver changes to and from nameservers within a time window, and/or for domains registered with a specific registrar.

In the steps below, only the from_ns and to_ns fields are mandatory. All other parameters are optional.

  1. Navigate to Advanced Query Builder > Domain Queries > search nameserver changes

  2. Specify a nameserver in the from_ns and to_ns fields, to search for domains that have moved from and to a specific nameserver

  3. Specify a regular expression in domain_regex

  4. Specify a date in change_date_before to return changes on or after this date, or the last 30 days if not set

  5. Specify a date in change_date_after to return changes on or after this date, or the last 30 days if not set

  6. Check ns_changes_only to ignore WHOIS data unless specific WHOIS options are set

  7. Specify a date in whois_date_before to only include domains registered on or after this date, or the last 30 days if not set

  8. Specify a date in whois_date_after to only include domains registered on or after this date, or the last 30 days if not set

  9. Specify a registrar to include only domains registered using the given registrar

  10. Specify an email to only include domains registered using a given email address

  11. Adjust the order button to sort change dates in descending or ascending order

  12. Specify a value to limit the number of results returned

  13. Specify a value to skip a certain number of results

  14. Click Search
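The analysis this page describes, linking domains through a shared nameserver move and spotting domains that change nameservers repeatedly, can also be run offline over a set of change records. The Python below is an added example, not Silent Push code or its API: the record layout, the sample data, the inclusive date bounds and the function names are assumptions, with filter names borrowed from the from_ns, to_ns and domain_regex fields above.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records, not real data. Assumed layout:
# (domain, from_ns, to_ns, change_date)
CHANGES = [
    ("shop-login.example", "ns1.host-a.example", "ns1.bullet.example", date(2024, 3, 2)),
    ("pay-verify.example", "ns1.host-a.example", "ns1.bullet.example", date(2024, 3, 3)),
    ("blog.example", "ns1.host-b.example", "ns1.host-c.example", date(2024, 3, 4)),
    ("shop-login.example", "ns1.bullet.example", "ns2.other.example", date(2024, 3, 9)),
    ("shop-login.example", "ns2.other.example", "ns1.bullet.example", date(2024, 3, 15)),
    ("acct-update.example", "ns1.host-d.example", "ns1.bullet.example", date(2024, 1, 10)),
]

def filter_changes(changes, from_ns=None, to_ns=None, domain_regex=None,
                   after=None, before=None):
    """Keep records that match every filter that is set (None = no filter)."""
    pattern = re.compile(domain_regex) if domain_regex else None
    return [
        (domain, src, dst, when)
        for domain, src, dst, when in changes
        if (from_ns is None or src == from_ns)
        and (to_ns is None or dst == to_ns)
        and (pattern is None or pattern.search(domain))
        and (after is None or when >= after)    # inclusive bounds (assumption)
        and (before is None or when <= before)
    ]

def shared_destinations(changes):
    """Map each destination nameserver to the domains that moved to it,
    keeping only nameservers that received more than one distinct domain."""
    clusters = defaultdict(set)
    for domain, _src, dst, _when in changes:
        clusters[dst].add(domain)
    return {ns: sorted(doms) for ns, doms in clusters.items() if len(doms) > 1}

def frequent_changers(changes, threshold=3):
    """Domains with at least `threshold` nameserver changes in the record set."""
    counts = Counter(domain for domain, _src, _dst, _when in changes)
    return sorted(d for d, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    march = filter_changes(CHANGES, after=date(2024, 3, 1), before=date(2024, 3, 31))
    print(shared_destinations(march))   # domains linked by a common to_ns
    print(frequent_changers(march))     # domains that keep switching nameservers
```
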

Saving queries

Organizational users are able to save individual queries run from Advanced Query Builder, and store them in the Private Queries menu for future analysis, or to share with their organization.

  1. Specify the query parameters

  2. Click Save Query

  3. Give your query a Name

  4. Specify a Description to add more context

  5. Click Save