Get information on the number of IPs pointed to over time
    • 16 May 2023

    An IP diversity score is a measure of the number of unique IP addresses associated with a particular domain or set of domains.

    The score is calculated by analyzing the A/AAAA records associated with the domain(s) and counting the number of unique IP addresses that are used.

    Threat actors often use a small number of IP addresses to host multiple domains, making it easier to set up and manage their infrastructure.

    A low IP diversity score may indicate that a domain is part of a larger network of malicious activity.

    A high IP diversity score can indicate that a domain is part of a larger, legitimate network, and is less likely to be associated with malicious activities. However, a high IP diversity score can also indicate the use of content delivery networks (CDNs) or other infrastructure that may be more difficult to track and analyze.

    1. Navigate to Advanced Query Builder > PADNS Queries > IP diversity lookup

    2. Select "A" or "AAAA" as a query type

    3. Specify the record's name in the query field

    4. Use the window field to restrict results to records with a "last_seen" more recent than the specified number of days

    5. Select timeline to include details of IPs, ASNs, first_seen and last_seen for each domain

    6. Choose a scope for exact or near-match results, depending on the query type. The live scope is set automatically when timeline=1

      1. For A records:
        1. host - Exact match (default when qtype=a)
        2. domain - Match all hosts in this domain (domain extracted from {query})
        3. subdomain - Match all hosts at this subdomain level (i.e. *.{query})
        4. live - Calculate values from live data instead of pre-aggregated values (also switches to exact match only)
      2. For AAAA records, live is the only mode that's supported
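The following added example (not the product's own implementation or API) shows how the score described above behaves when computed offline over passive DNS observations, including the effect of the window and scope options. The record layout, the `registrable` helper, the fixed `today` date, the ASN count, and the reading of the subdomain scope as "every name beneath the query" are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed passive-DNS A observations: (name, ip, asn, first_seen, last_seen).
# IPs come from documentation ranges and ASNs from the private-use range.
RECORDS = [
    ("www.example.com", "192.0.2.10", 64500, "2023-01-02", "2023-05-14"),
    ("www.example.com", "192.0.2.10", 64500, "2023-05-01", "2023-05-15"),
    ("www.example.com", "192.0.2.11", 64500, "2022-11-01", "2023-02-01"),
    ("mail.example.com", "198.51.100.7", 64501, "2023-03-01", "2023-05-10"),
    ("a.cdn.example.com", "203.0.113.5", 64502, "2023-04-01", "2023-05-15"),
    ("www.example.net", "192.0.2.10", 64500, "2023-01-02", "2023-05-14"),
]


def registrable(name):
    # Assumption: the last two labels form the domain. Real code should
    # consult the Public Suffix List (e.g. for names under co.uk).
    return ".".join(name.split(".")[-2:])


def in_scope(name, query, scope):
    name, query = name.rstrip(".").lower(), query.rstrip(".").lower()
    if scope == "host":
        return name == query
    if scope == "domain":
        return registrable(name) == registrable(query)
    if scope == "subdomain":
        return name.endswith("." + query)
    raise ValueError(f"unsupported scope: {scope}")


def ip_diversity(records, query, scope="host", window=None, today=date(2023, 5, 16)):
    """Count unique IPs (and ASNs) for names in scope, optionally windowed."""
    cutoff = today - timedelta(days=window) if window is not None else None
    ips, asns = set(), set()
    for name, ip, asn, _first_seen, last_seen in records:
        if not in_scope(name, query, scope):
            continue
        if cutoff and date.fromisoformat(last_seen) < cutoff:
            continue  # last_seen is older than the window
        ips.add(ip)
        asns.add(asn)
    return {"ip_diversity": len(ips), "asn_diversity": len(asns), "ips": sorted(ips)}


if __name__ == "__main__":
    for scope, window in (("host", None), ("host", 30), ("domain", None)):
        print(scope, window, ip_diversity(RECORDS, "www.example.com", scope, window))
```

Repeated observations of the same IP count once, so the score reflects distinct addresses rather than record volume, and a short window drops addresses the name no longer resolves to.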

    Saving queries

    Organizational users can save individual queries run from Advanced Query Builder and store them in the Private Queries menu for future analysis or to share with their organization.

    1. Specify the query parameters

    2. Click Save Query

    3. Give your query a Name

    4. Specify a Description to add more context

    5. Click Save

