hunting-for-dns-based-persistence

star 3

Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis.

oyi77 By oyi77 schedule Updated 6/8/2026
play_arrow Run Skill in Manus View GitHub

name: hunting-for-dns-based-persistence description: Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse, and unauthorized zone modifications using passive DNS databases, SecurityTrails API, and DNS audit log analysis. domain: cybersecurity subdomain: threat-hunting tags:

  • dns
  • persistence
  • threat-hunting
  • passive-dns
  • dns-hijacking
  • subdomain-takeover
  • securitytrails version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
  • DE.CM-01
  • DE.AE-02
  • DE.AE-07
  • ID.RA-05

Hunting for DNS-based Persistence

Overview

Attackers establish DNS-based persistence by hijacking DNS records, creating unauthorized subdomains, abusing wildcard DNS entries, or modifying NS delegations to redirect traffic through attacker-controlled infrastructure. These techniques survive credential rotations, endpoint reimaging, and traditional remediation because DNS changes persist independently of compromised hosts. Detection requires passive DNS historical analysis, zone file auditing, and monitoring for unauthorized record modifications. This skill covers hunting methodologies using SecurityTrails passive DNS API, DNS audit logs from Route53/Azure DNS/Cloudflare, and zone transfer analysis.

When to Use

  • When investigating security incidents that require hunting for dns based persistence
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • SecurityTrails API key (free tier provides 50 queries/month)
  • Access to DNS provider audit logs (Route53, Azure DNS, Cloudflare, or on-premises DNS)
  • Python 3.9+ with requests library
  • DNS zone file access or AXFR capability for internal zones
  • Historical DNS baseline for comparison

Steps

  1. Scope the task — define objectives, boundaries, and success criteria
  2. Gather information — collect all necessary data and context before proceeding
  3. Execute the core workflow — follow the domain-specific steps methodically
  4. Validate results — verify outputs against expected outcomes or baselines
  5. Document findings — record results, anomalies, and recommendations

Step 1: Baseline DNS Records

Export current DNS zone records and establish baseline for all authorized A, AAAA, CNAME, MX, NS, and TXT records.

Step 2: Query Passive DNS History

Use SecurityTrails API to retrieve historical DNS records and identify unauthorized changes, new subdomains, and CNAME records pointing to decommissioned services (dangling CNAMEs).

Step 3: Detect Anomalies

Compare current records against baseline to identify unauthorized modifications, wildcard records that resolve all subdomains, NS delegation changes, and MX record hijacking.

Step 4: Investigate Findings

Correlate DNS anomalies with threat intelligence feeds, check resolution targets against known malicious infrastructure, and validate record ownership.

Expected Output

JSON report listing DNS anomalies with record type, historical changes, risk severity, and remediation recommendations for each finding.

When NOT to Use

  • You're responding to a known incident (use IR skills)
  • Task is about analyzing confirmed malware (use analyzing-* skills)
  • You need to implement detection rules (use implementing-* skills)
  • Task is about vulnerability scanning (use scanning tools)
  • You don't have access to endpoint/network data
  • Task requires compliance auditing (use auditing-* skills)

Red Flags

  • Performing actions without explicit written authorization from the asset owner
  • Testing against production systems without a defined scope and rules of engagement
  • Acting on threat intelligence without validating source reliability
  • Sharing classified or sensitive indicators without proper handling procedures
  • Alerting threat actors to detection capabilities through visible response actions

Verification

  • All steps executed successfully against a test environment before production use
  • Output documented with screenshots or logs demonstrating expected behavior
  • Results validated against known-good baselines or reference implementations
  • Documentation complete enough for another analyst to reproduce findings
Install via CLI
npx skills add https://github.com/oyi77/1ai-skills --skill hunting-for-dns-based-persistence
Repository Details
star Stars 3
call_split Forks 0
navigation Branch main
article Path SKILL.md
More from Creator
oyi77
oyi77 Explore all skills →