Perform DNS and Record-Specific Lookups


DNS Data serves as an entry point for targeted PADNS queries. Results from these queries can be pivoted into Total View for aggregated analysis, visualizations, and Indicator of Future Attack (IOFA) enrichment. This article guides you through executing passive DNS scans, targeting specific record types, and monitoring results for changes.

DNS Lookups

DNS data provides a historical view of domain-to-IP mappings and related infrastructure, enabling the identification of malicious activity or misconfigurations. Silent Push supports a range of query types, including:

  • Forward lookups: Map domains to IPs or other records (e.g., A, AAAA, CNAME, MX, NS, TXT, SOA).

  • Reverse lookups: Map IPs to domains or other records.

  • Domains hosted on a server: Identify domains on specific nameservers or mailservers.

  • Domains hosted on an IP: Find domains pointing to a specific IP.

  • IP diversity: Track the number of IPs a domain has pointed to over time.

  • Nameserver Changes: Monitor changes to the nameservers for a domain.

These queries form the foundation for the PADNS tab in Total View, where results are automatically aggregated for comprehensive insights. Results appear on the Explore screen, where you can:

  • Monitor observables for changes.

  • Save observables to a feed.

  • Perform further DNS queries on individual data points.

  • Export raw data.

  • Obtain risk scores.

  • Enrich observables.

Enhanced pivoting enables one-click jumps from Explore results to Total View tabs, such as Infrastructure Variance. Wildcard searches are supported at the beginning or end of a domain string (not both).

Supported DNS Record Types

Forward Lookups

  • A: Maps a domain to an IPv4 address (e.g., 192.0.2.1). Useful for identifying servers hosting a domain and detecting DNS hijacking.

  • AAAA: Maps a domain to an IPv6 address (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334).

  • CNAME: Creates an alias from one domain to another.

  • MX: Identifies mail servers for receiving domain email.

  • NS: Specifies authoritative nameservers for the domain.

  • TXT: Stores text data, often for SPF/DMARC policies or verification.

  • SOA: Defines administrative details for the DNS zone.

  • PTR4: Returns the PTR (reverse) record published for an IPv4 address, i.e. the hostname the address owner has associated with it. Listed under forward lookups because the query key is the address itself.

  • Any IPv4/IPv6: Queries across all address types.

Reverse Lookups (map IPs to domains/records)

  • A: Identifies domains whose A records have pointed to an IPv4 address. This is the core passive DNS pivot for finding what else was hosted on an address.

  • AAAA: Identifies domains linked to an IPv6 address.

  • PTR4: Maps an IPv4 address to a domain.

  • CNAME: Reveals aliases linked to an IP.

  • MX: Identifies mail servers tied to an IP.

  • TXT: Retrieves text records associated with an IP.

These record types directly populate the breakdowns in Total View’s PADNS tab, allowing for seamless correlation.

Perform DNS Lookups

Silent Push provides multiple methods for initiating scans, tailored to your specific workflow.

Method 1: Via DNS Data

  1. From the left navigation menu, select DNS Data > Explore Indicator DNS Data.

  2. Enter a domain or IP in the search bar.

  3. Select a lookup type:

      • Forward (Query): For A, AAAA, CNAME, MX, NS, TXT, SOA, or any IPv4/IPv6.

      • Reverse (Answer): For A, AAAA, PTR4, CNAME, MX, or TXT.

  4. Click Lookup PADNS.

Method 2: Via Top Navigation

  1. Enter a domain or IP in the search bar in the top navigation pane.

  2. Click Lookup PADNS.

Specific Query Types

IPs Hosting a Domain

  1. From the left navigation menu, select DNS Data > IPs Hosting a Domain.

  2. Click Create New + to initiate a new query, or select an existing query, e.g., IPs hosting hubspot.

  3. (Optional) Apply time filters (e.g., last 30 days) and sort by risk score or date.

  4. Click Lookup PADNS to retrieve results.

Domains Hosted on a Server (Nameservers/Mailservers)

  1. From the left navigation menu, select DNS Data > Domains Hosted on Server.

  2. Enter the server’s domain name.

  3. Select Server Type (NS or mail server).

  4. (Optional) Specify time frames for when the record was first/last seen or check Last 24 Hours.

  5. Specify a Sort Order for results.

  6. Click Search.

Domains Hosted on an IP (Reverse A)

  1. From the left navigation menu, select DNS Data > Domains Hosted on IP.

  2. Specify an IP address and optional netmask.

  3. (Optional) Include/exclude subdomains.

  4. (Optional) Specify time frames for when the A record was first/last seen or check Last 24 Hours.

  5. Specify a Sort Order.

  6. Click Search.

IP Diversity of a Domain

  1. From the left navigation menu, select DNS Data > IP Diversity of Domain.

  2. Specify a domain.

  3. (Optional) Select record type (A/AAAA) and a time period.

  4. Click Search.

Pivoting from here to Total View adds IOFA scoring to each address, which helps surface the outliers in a domain's hosting history.

Nameserver Changes

  1. From the left navigation menu, select DNS Data > Domain Name Server Changes.

  2. Specify a domain.

  3. Click Search.

TXT Records

  1. From the left navigation menu, select Attack Surface Mapping > Digital Footprint for Domain > Domain TXT Records.

  2. Specify a domain.

  3. (Optional) Specify time frames for when the TXT record was first/last seen or check Last 24 Hours.

  4. (Optional) Specify a Sort Order.

  5. Click Search.
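The TXT lookup above returns raw records; the security value comes from reading the SPF and DMARC policies they carry (the "Configuration Validation" use case). The following added example, which is not Silent Push code and does not call the Silent Push API, audits a constructed set of TXT records the way a practitioner would after exporting them: it checks that exactly one SPF record exists, that its `all` qualifier actually rejects unlisted senders, that it stays under the RFC 7208 limit of 10 DNS-querying terms, and that DMARC enforces a quarantine or reject policy with an aggregate-report address. The zone names and record contents are invented for the example.

```python
# Added example: SPF/DMARC hygiene checks over TXT records.
# Not part of the Silent Push documentation; the records below are constructed.

# Constructed TXT records keyed by owner name, as an export of the lookup might look.
TXT_RECORDS = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:sendgrid.net a mx ptr ~all",
        "google-site-verification=abc123",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ],
    "weak.example": [
        "v=spf1 +all",                              # anyone passes SPF
        "v=spf1 include:mail.weak.example -all",    # second record -> permerror
    ],
}

# Mechanisms that cost a DNS lookup (RFC 7208 section 4.6.4); redirect= counts too.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def spf_records(txts):
    """Return only the TXT strings that are SPF records."""
    return [t for t in txts if t.lower().startswith("v=spf1")]


def check_spf(txts):
    """Return a list of human-readable SPF findings (empty means no issue found)."""
    findings = []
    recs = spf_records(txts)
    if not recs:
        return ["no SPF record published"]
    if len(recs) > 1:
        findings.append(f"{len(recs)} SPF records published; RFC 7208 allows exactly one "
                        "(receivers return permerror)")
    for rec in recs:
        lookups = 0
        all_qualifier = None
        for term in rec.split()[1:]:
            t = term.lower()
            qualifier = t[0] if t[0] in "+-~?" else "+"
            body = t.lstrip("+-~?")
            if body == "all":
                all_qualifier = qualifier
                continue
            name = body.split(":", 1)[0].split("/", 1)[0]
            if name in LOOKUP_TERMS or body.startswith("redirect="):
                lookups += 1
            if name == "ptr":
                findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5) and slow; "
                                "replace with a, mx or ip4/ip6")
        if all_qualifier in ("+", "?"):
            findings.append(f"'{all_qualifier}all' lets any sender pass SPF; use -all or ~all")
        elif all_qualifier is None:
            findings.append("no 'all' term; unlisted senders get a neutral result")
        if lookups > MAX_LOOKUPS:
            findings.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS} "
                            "(receivers return permerror)")
    return findings


def check_dmarc(txts):
    """Return a list of DMARC findings for the TXT records at _dmarc.<domain>."""
    recs = [t for t in txts if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record at _dmarc.<domain>"]
    findings = []
    if len(recs) > 1:
        findings.append(f"{len(recs)} DMARC records published; receivers ignore all of them")
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} does not block spoofed mail; "
                        "use quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not be delivered")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    return findings


def audit(domain, txt_by_name):
    """Audit one zone: SPF at the apex, DMARC at _dmarc.<domain>."""
    return {
        "spf": check_spf(txt_by_name.get(domain, [])),
        "dmarc": check_dmarc(txt_by_name.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for zone in ("example.com", "weak.example"):
        print(zone, audit(zone, TXT_RECORDS))
```

Feed the function the TXT strings you exported from the lookup, keyed by the owner name; the `_dmarc.` subdomain has to be looked up separately, since DMARC lives there rather than at the apex.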

Security Use Cases

  • DNS Hijacking/Spoofing: Forward A lookups help verify domain-to-IP mappings, detecting unauthorized redirects.

  • Domain Squatting/Spoofing: Reverse A lookups identify domains on the same IP, revealing potential impersonation.

  • Fast-Flux/DGA Detection: IP diversity queries track rapid IP changes, indicating malicious tactics.

  • Infrastructure Analysis: Name server and mail server queries reveal shared infrastructure linked to threat actors.

  • Configuration Validation: TXT record lookups verify SPF/DMARC settings to ensure email security.

  • Domain Hopping: Nameserver change tracking identifies suspicious infrastructure shifts.
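Three of the use cases above (fast-flux via IP diversity, shared infrastructure via reverse A, and domain hopping via nameserver changes) are simple computations over the first-seen/last-seen records the lookups return. The added example below, which is not Silent Push code and uses a constructed record set rather than API output, runs those computations offline so the logic behind each use case is explicit: a domain is a fast-flux candidate when it resolved to at least a threshold number of distinct addresses inside a time window, co-hosted domains are the reverse A set for an address, and nameserver changes are the transitions in the NS timeline. The domains, addresses and dates are invented; the thresholds are illustrative choices, not Silent Push defaults.

```python
# Added example: fast-flux, co-hosting and nameserver-change logic over passive DNS records.
# Not part of the Silent Push documentation; the record set below is constructed.
from collections import defaultdict
from datetime import date, timedelta

# Constructed observations: (qname, qtype, answer, first_seen, last_seen).
RECORDS = [
    ("flux.example", "A", "198.51.100.10", date(2024, 5, 1), date(2024, 5, 2)),
    ("flux.example", "A", "198.51.100.23", date(2024, 5, 2), date(2024, 5, 3)),
    ("flux.example", "A", "203.0.113.7",   date(2024, 5, 3), date(2024, 5, 4)),
    ("flux.example", "A", "203.0.113.99",  date(2024, 5, 4), date(2024, 5, 5)),
    ("flux.example", "A", "192.0.2.250",   date(2024, 5, 5), date(2024, 5, 6)),
    ("flux.example", "A", "192.0.2.251",   date(2024, 5, 6), date(2024, 5, 7)),
    ("steady.example", "A", "192.0.2.10",  date(2023, 1, 1), date(2024, 5, 7)),
    ("brand.example", "A", "192.0.2.10",   date(2022, 6, 1), date(2024, 5, 7)),
    ("brand-login.example", "A", "192.0.2.10", date(2024, 5, 6), date(2024, 5, 7)),
    ("flux.example", "NS", "ns1.bulletproof.example", date(2024, 4, 1), date(2024, 4, 20)),
    ("flux.example", "NS", "ns1.other-host.example", date(2024, 4, 21), date(2024, 5, 1)),
    ("flux.example", "NS", "ns1.third.example",      date(2024, 5, 2), date(2024, 5, 7)),
    ("steady.example", "NS", "ns1.registrar.example", date(2023, 1, 1), date(2024, 5, 7)),
]


def ip_diversity(records, domain, since, until, qtypes=("A", "AAAA")):
    """Number of distinct addresses the domain resolved to while active in [since, until]."""
    ips = {answer for qname, qtype, answer, first, last in records
           if qname == domain and qtype in qtypes and last >= since and first <= until}
    return len(ips)


def fast_flux_candidates(records, window_days, threshold, as_of):
    """Domains whose IP diversity over the trailing window meets the threshold."""
    since = as_of - timedelta(days=window_days)
    domains = {qname for qname, qtype, *_ in records if qtype in ("A", "AAAA")}
    return sorted(d for d in domains
                  if ip_diversity(records, d, since, as_of) >= threshold)


def domains_on_ip(records, ip):
    """Reverse A: every domain that has pointed at the address (co-hosting pivot)."""
    return sorted({qname for qname, qtype, answer, *_ in records
                   if qtype == "A" and answer == ip})


def nameserver_changes(records, domain):
    """Chronological NS transitions as (date, previous_set, new_set)."""
    by_start = defaultdict(set)
    for qname, qtype, answer, first, _last in records:
        if qname == domain and qtype == "NS":
            by_start[first].add(answer)
    timeline = sorted(by_start.items())
    changes = []
    for (_prev_date, prev_set), (cur_date, cur_set) in zip(timeline, timeline[1:]):
        if cur_set != prev_set:
            changes.append((cur_date, sorted(prev_set), sorted(cur_set)))
    return changes


if __name__ == "__main__":
    today = date(2024, 5, 7)
    print("fast-flux candidates:", fast_flux_candidates(RECORDS, 30, 5, today))
    print("co-hosted on 192.0.2.10:", domains_on_ip(RECORDS, "192.0.2.10"))
    for when, old, new in nameserver_changes(RECORDS, "flux.example"):
        print(f"{when}: NS {old} -> {new}")
```

The co-hosting result is where the squatting use case starts: `brand-login.example` appearing on the same address as `brand.example` only days ago is the kind of pairing worth pivoting on, while `steady.example` sharing that address for a year is ordinary shared hosting. Tune the window and threshold to the hosting patterns you see; a CDN-fronted domain legitimately shows high diversity.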

Monitor Results

Monitor scan results to stay updated on changes without manual queries:

  1. On the Explore screen, click the Monitor button (top right).

  2. Specify a Monitor Name and Description.

  3. Click Save.

  4. View monitored queries in Monitors > Monitored Queries.

Monitors run every 24 hours and send an email alert when new results appear; any filtering or sorting applied on the Explore screen is not carried over to the monitor. To share a monitor with other users, refer to the Silent Push documentation on monitor sharing.

The DNS Data navigation is designed to complement Total View. Queries like ‘IPs Hosting a Domain’ generate raw PADNS records that populate Total View's tabs (e.g., A records in PADNS). To tie them together, run a DNS Data query, then use blue pivots on results to open Total View for risk scoring and threat feeds.

  • Wildcards (*) are supported at the beginning or end of a domain search (e.g., *.example.com or example.*), but not both at once.

  • Time frame filters (first/last seen) and sort order narrow results to the records that matter.

  • Combine queries (e.g., IP diversity with reverse A) for deeper threat analysis.