Spamhaus Technology and abuse.ch Logo
Solutions
Data
Email & Network
Cyber Threat Intelligence
Resources
About
Back to Previous Page

Blog

Pivoting through DNS

Posted on
July 08, 2026
Author
The Deteqtive Team
Read time
2 mins

Introduction

Introduction

Most investigations don't start with a complete picture. They start with a single indicator — one suspicious domain, one IP from a log line, one lookalike of your brand. The work is turning that one data point into the whole campaign. That's pivoting, and it's what passive DNS is built for.

Two directions, one dataset

Deteqtive exposes the same body of DNS observations from two angles:

  • Forward search (by domain): every IP address a domain has resolved to. Start with evil-login.example and see where it has pointed over time.
  • Reverse search (by IP, CIDR, or hostname): every domain that has resolved to a given address or network. Start with 198.51.100.20 and see everything hosted alongside it.

Each answer becomes the next question. A domain resolves to an IP; that IP hosts forty other domains; three of them are lookalikes of the brand you're protecting. You've gone from one indicator to a cluster without leaving the dataset.

A typical pivot

  1. A phishing report names secure-acme-login.com.
  2. Forward search shows it resolved to 203.0.113.40 last week.
  3. Reverse search on 203.0.113.40 returns a dozen siblings — acme-verify.com, acme-account.net, and others following the same naming pattern.
  4. Reverse search on the wider 203.0.113.0/24 block exposes the rest of the hosting footprint, including domains that haven't been reported yet.

In four steps you've mapped infrastructure that a single takedown would have missed.

Finding the lookalikes you don't know about

Pivoting assumes you already have an indicator. Often you don't — you just have a brand to protect. Word-match and fuzzy search close that gap: search for everything that resembles acme.com and surface typosquats and homoglyph domains before they're used. Each hit is a fresh starting point to pivot from.

Why threat-focused data matters here

Pivoting only works if the neighbourhood is informative. Deteqtive's corpus is weighted toward malicious and abusive infrastructure, so when you pivot onto an IP or a netblock, the domains you find are far more likely to be relevant to an investigation than noise. The signal is in the data, not buried under it.

Where to go next

  • Try the patterns above interactively in the app, or script them against the REST API.
  • Working with AI agents? The same forward, reverse, and fuzzy searches are available over MCP, so an agent can pivot on your behalf.