Skip to content

DNS Registry Field Reference

May 22, 2025

Netlas maintains a dedicated DNS Registry Data Collection that provides structured information about domain name records. This collection supports a wide range of use cases, including reconnaissance, attack surface mapping, threat intelligence, and historical analysis.

Property Description
Document Each document represents a single domain name.
Unique Identifier The domain field serves as the unique identifier for each document.
Default Fields No default fields are defined for this collection.

Addressing

The addressing fields are used to identify the domain name and its hierarchical structure.

The domain field is the main identifier, while the level and zone fields provide additional context about the domain's position in the DNS hierarchy.

domain

The domain name associated with the record.

Field type: WILDCARD

Examples: example.com, subdomain.example.com

Usage in queries:

  • Paypal.com subdomains: 

    domain:*.paypal.com

  • Possible VoIP services: 

    domain:voip.* AND level:3

  • Paypal domains in every TLDs: 

    domain:paypal.* level:2

  • The same using regex: 

    domain:/paypal\.[a-z0-9-]*/

  • Paypal domains and subdomains in every TLDs (regex): 

    domain:/(.*\.)?paypal\.[a-z0-9-]*/

level

The hierarchical level of the domain in the DNS structure, where the zone is considered the first level.

Field type: #SHORT

Examples: 2, 3

zone

The TLD where the domain is registered.

Field type: TTEXT

Examples: com, org, net

Usage in queries:

zone:(cn OR hk OR tw)

Type Of Records

The type of records fields are used to specify the different types of DNS records associated with the domain. Each field represents a specific type of record, such as A, CNAME, MX, NS, and TXT.

a

The IPv4 address records for the domain.

Field type: IPIP

Examples: 1.1.1.1, 8.8.8.8

Usage in queries:

a:1.1.1.1

a:"163.114.132.0/24"

aaaa

The IPv6 address records for the domain.

Field type: IPIP

Examples:

  • 2606:4700:4700::1111
  • 2001:4860:4860::8888
  • 2001:0db8:85a3:0000:0000:8a2e:0370:7334

cname

The Canonical Name (CNAME) records for the domain.

Field type: WILDCARD

Examples: cname.example.com

mx

The Mail Exchange (MX) records for the domain.

Field type: WILDCARD

Examples: mail.example.com

Usage in queries:

mx:*.zoho.com

mx:*.google.com zone:cn

ns

The Name Server (NS) records for the domain.

Field type: WILDCARD

Examples: ns.example.com

Usage in queries:

ns:*.gov

ns:gordon.ns.cloudflare.com ns:faye.ns.cloudflare.com

txt

The Text (TXT) records for the domain.

Field type: TTEXT

Examples:

  • v=spf1 include:_spf.example.com ~all
  • google-site-verification=example

Usage in queries:

!txt:"v=spf1" mx:*

Service Fields

Various service fields that provide additional information about the document.

@timestamp

The timestamp when the document was indexed. This time is usually very close to the scan time, with only a few hours difference.

Field type: DATE

Examples:

  • 2023-01-01T12:00:00Z
  • 2023-10-15T08:30:00Z

Usage in queries:

@timestamp:>=now-30d

@timestamp:[now-7d TO now]

@timestamp:[2024-01-01 TO 2024-12-31]

last_updated

The timestamp indicating when the document was last updated. This field is no longer in use as a new index is created for each scan cycle.

Field type: DATE