A domain or one of its subdomains resolves to different IPs across global resolvers. Is it a one-off lookup or part of persistent, high-volume DNS activity that could indicate C2 infrastructure, fast-flux, or reconnaissance? Manual checks across passive DNS providers are slow and fragmented.
The Zetalytics tab surfaces detailed passive DNS intelligence from Zetalytics, one of the largest collections of DNS query and resolution data (trillions of records). It shows historical and recent mappings between queried domain names (including subdomains) and the IP addresses they resolved to, complete with first/last-seen timestamps and country-level geolocation for the IPs.
Available for Domains (and subdomains when viewed in Domain Wide View, where applicable), this tab complements Farsight (aggregated A-record sightings), PADNS (current live resolutions), and Infrastructure Variance (ASN/IP churn).
Zetalytics exposes the “who looked up what and when” layer, helping defenders spot emerging subdomains, resolve patterns of abuse, and attribute infrastructure to campaigns.
How It Works
Zetalytics ingests real-world DNS traffic and stores query/response pairs. Silent Push queries this dataset in real time and presents a clean, sortable table. After the requested UI updates, the view displays only the most relevant fields in a consistent order that matches SPQL tables elsewhere in the platform.
Generate a Set of Results
Search any domain in Total View.
Click the Zetalytics tab.
Adjust Response Size (formerly “Request Size”) to control result volume (pagination appears automatically above 100 results).
The table loads instantly with the new column layout.
Example
Querying silentpush.com in Zetalytics shows recent resolutions such as:
userpilot.silentpush.com → 143.204.142.79 (United States)
api.threatcheck.silentpush.com → 87.99.137.66 (Netherlands)
First Seen and Last Seen dates reveal activity windows (some as recent as the same day), while Country flags highlight geographic spread.
Fields
Domain (renamed from Q Name): The exact domain or subdomain that was queried (e.g., userpilot.silentpush.com).
IP (renamed from Value IP): The IPv4 address the domain resolved to at query time.
First Seen (renamed from Date): The earliest date this exact query/response pair was observed.
Last Seen: The most recent date the same mapping appeared in Zetalytics data.
Country (renamed from GeoIP): Flag + country of the resolved IP (derived from MaxMind-style geolocation).
Use Case
SOC analysts use Zetalytics to map newly registered subdomains used in phishing kits or C2 beacons. Threat hunters correlate short-lived high-volume resolutions with Threat Feeds listings or WHOIS changes to confirm actor infrastructure churn.
Work with Zetalytics Results
Pivot directly on any Domain or IP (all fields that exist in WHOIS-style searches are pivotable).
Customize columns and save the view layout (order is now consistent with SPQL).
Export CSV for offline correlation or import into SIEM.
Save interesting IPs/domains to a monitoring list for ongoing alerts.
Tips
Set Response Size to 500+ when hunting broad subdomain activity.
Sort by First Seen descending to surface brand-new infrastructure.
Cross-reference with Farsight for aggregated sighting counts and PADNS for live confirmation.
Use the Country column to quickly spot unusual geo clusters (e.g., sudden Eastern European resolutions).
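The offline-correlation workflow above (export CSV, sort by First Seen descending, look for short-lived mappings and unusual country clusters) as an added Python example; this is not Silent Push or Zetalytics code, the sample rows are constructed, and it assumes the CSV export uses the field names listed under Fields as its column headers.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export (not real Zetalytics data). Column layout mirrors the
# tab's fields: Domain, IP, First Seen, Last Seen, Country.
SAMPLE_CSV = """Domain,IP,First Seen,Last Seen,Country
www.example.test,203.0.113.10,2024-01-05,2024-06-30,United States
cdn.example.test,203.0.113.11,2024-03-12,2024-06-30,United States
login-verify.example.test,198.51.100.7,2024-06-29,2024-06-30,Netherlands
mail-update.example.test,198.51.100.8,2024-06-30,2024-06-30,Netherlands
"""

def parse_export(text):
    """Parse a CSV export of the Zetalytics tab into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "domain": row["Domain"].strip().lower(),
            "ip": row["IP"].strip(),
            "first_seen": date.fromisoformat(row["First Seen"].strip()),
            "last_seen": date.fromisoformat(row["Last Seen"].strip()),
            "country": row["Country"].strip(),
        })
    return rows

def newest_first(rows):
    """Sort by First Seen descending so brand-new subdomains float to the top."""
    return sorted(rows, key=lambda r: r["first_seen"], reverse=True)

def short_lived(rows, max_days=1):
    """Mappings observed for at most max_days: candidate throwaway infrastructure."""
    return [r for r in rows if (r["last_seen"] - r["first_seen"]).days <= max_days]

def country_counts(rows):
    """Resolutions per country, to spot unusual geographic clusters at a glance."""
    return Counter(r["country"] for r in rows)

def new_outside_baseline(rows, baseline_countries, since_iso):
    """Domains first seen on/after since_iso whose IP geolocates outside the usual countries."""
    since = date.fromisoformat(since_iso)
    return sorted(r["domain"] for r in rows
                  if r["first_seen"] >= since and r["country"] not in baseline_countries)

if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for r in newest_first(rows):
        print(r["first_seen"], r["domain"], r["ip"], r["country"])
    print("short-lived:", [r["domain"] for r in short_lived(rows)])
    print("countries:", country_counts(rows))
```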