# Flexible search
Flexible search uses regular expressions (regex) to discover domains matching patterns. This search mode excels at exploration when you know general patterns but not specific domain names.
Note (Query with IrisQL): IrisQL provides a text-based query language for Advanced Search. Build queries as code, copy/paste them between applications, and toggle between IrisQL and the visual interface.
## Access flexible search
Flexible search is available in the Passive DNS (pDNS) panel:
- Navigate to the pDNS panel.
- Select the Flexible/Regex scope from the dropdown.
- Enter your regex pattern or keyword.
- Select the record type and query/response direction.
- Run your search.
## Use flexible search
Use flexible/regex search to discover domains and subdomains based on patterns rather than exact matches.
Use flexible/regex search to:
- Discover domains sharing naming patterns (for example, domains from the same domain generation algorithm campaign).
- Find domains matching brand or keyword patterns across unknown TLDs.
- Find subdomains containing specific terms (for instance, brand names of interest).
- Identify related subdomains when you know the pattern but not the complete Fully Qualified Domain Name (FQDN).
Use standard search when:
- You know specific domains or subdomains to investigate.
- You need complete metadata (timestamps, observation counts, bailiwick information).
For a comprehensive introduction to flexible search concepts and additional examples, consult the Introductory Guide to Flexible Search with DNSDB Scout.
## Two-stage investigation workflow
Flexible/regex search works best as the first step in a two-stage investigation:
- Discovery stage: Use flexible/regex search to find domains and subdomains matching your patterns.
- Investigation stage: Pivot the discovered domains to standard search, Pivot Engine, or Domain Profile for detailed analysis with complete metadata.
Standard search can't match partial labels or patterns. Flexible/regex search prioritizes broad pattern discovery over detailed metadata, making it ideal for the initial exploration phase.
## Simple keyword searches
If you're unfamiliar with regex syntax, enter simple keywords directly in the query field with Flexible Search. The system searches for domains containing those terms.
Example: The keyword search for cyber finds domains containing "cyber".
Simple keyword searches work well for discovering domains related to specific brands, topics, or themes without constructing complex regex patterns.
## Regex patterns
The Flexible/regex scope accepts Farsight Compatible Regular Expressions. Enter regex patterns directly in the query field to match domain names based on complex patterns.
## Regex syntax reference

| Syntax | Meaning |
|---|---|
| `.` | Matches any single character |
| `*` | Matches zero or more of the preceding character |
| `+` | Matches one or more of the preceding character |
| `?` | Makes the preceding character optional |
| `^` | Matches the start of the string |
| `$` | Matches the end of the string |
| `[abc]` | Matches any character in the brackets |
| `[^abc]` | Matches any character not in the brackets |
| `{n}` | Matches exactly n occurrences |
| `{n,m}` | Matches between n and m occurrences |
| `(pattern)` | Groups patterns together |
| `\|` | Acts as OR between patterns |
| `\` | Escapes special characters |
## Example regex searches

| Regex pattern | Description |
|---|---|
| `rolex` | Simple keyword match |
| `^domaintools\.com$` | Won't match: missing trailing dot |
| `^domaintools\.com\.$` | Matches domaintools.com correctly |
| `www\..*-paypal-` | Matches domains with "www." followed by any characters, then "-paypal-" |
| `wel{3,6}sfargo` | Matches "we", three to six "l" characters, then "sfargo" (for example "welllsfargo") |
| `^drupal-hosting-web-cluster[0-9]+-prod\.uoregon\.edu\.$` | Matches a specific hosting cluster pattern |
| `^[[:digit:]]{4}\.news\.$` | Returns domains matching a DGA campaign in the .news TLD, such as 0000.news |
## Important considerations

- Escape special characters with a backslash: `\.` for a literal dot.
- FQDNs end with a literal dot: all fully qualified domain names in the DNS dataset end with `.`, which must be included in your regex pattern. For example, use `^domaintools\.com\.$`, not `^domaintools\.com$`.
- Wildcard placement: wildcard operators (`.`, `*`, `+`, `?`, and character classes like `[a-z]`) must have at least two non-wildcard characters immediately before or after them. Anchors (`^` and `$`) count as non-wildcard characters for this purpose.
- Regex patterns are case-sensitive by default.
- Complex patterns may take longer to execute.
- Test patterns with simpler queries first to ensure they match as expected.
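The example table above and the considerations just listed can be checked offline before a pattern is submitted. The following script is an added example and is not part of the Iris Investigate documentation or product: it approximates the service's regex dialect with Python's `re` (rewriting POSIX classes such as `[[:digit:]]`, which `re` lacks), runs each pattern against a constructed list of FQDNs written with the dataset's trailing dot, and applies two lint rules taken from this page: an end-anchored pattern must end in `\.$`, and every wildcard needs at least two non-wildcard characters on one side. How the service counts grouping and alternation punctuation toward that rule is not stated on the page, so the linter simply ignores those characters; that is an assumption.

```python
import re

# Assumption: the service's regex dialect accepts POSIX bracket classes such as
# [[:digit:]]; Python's re does not, so they are rewritten before local testing.
POSIX_CLASSES = {
    "[:digit:]": "0-9",
    "[:alpha:]": "a-zA-Z",
    "[:alnum:]": "a-zA-Z0-9",
    "[:lower:]": "a-z",
    "[:upper:]": "A-Z",
}

# Constructed sample FQDNs in the dataset's form: every name ends with a literal dot.
SAMPLE_FQDNS = [
    "domaintools.com.",
    "www.domaintools.com.",
    "0000.news.",
    "abcd.news.",
    "wellsfargo.example.",
    "welllsfargo.example.",
    "www.secure-paypal-login.example.",
    "drupal-hosting-web-cluster12-prod.uoregon.edu.",
]


def to_python_regex(pattern: str) -> str:
    """Rewrite POSIX bracket classes so Python's re can evaluate the pattern."""
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern


def tokenize(pattern: str) -> list:
    """Split a pattern into (text, kind) tokens; kind is 'wild', 'literal' or 'skip'.

    A quantifier attaches to the atom before it; escapes and the ^ $ anchors are
    literals; grouping/alternation punctuation is skipped (assumption, see lead-in).
    """
    tokens, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:            # \. and other escapes are literals
            tokens.append((pattern[i:i + 2], "literal"))
            i += 2
        elif c == "[":                           # character class, incl. [[:digit:]]
            j = i + 1
            while j < n and pattern[j] != "]":
                if pattern.startswith("[:", j):
                    end = pattern.find(":]", j)
                    j = n if end == -1 else end + 2
                else:
                    j += 1
            tokens.append((pattern[i:j + 1], "wild"))
            i = j + 1
        elif c == ".":
            tokens.append((".", "wild"))
            i += 1
        elif c in "*+?":                         # a quantified atom becomes a wildcard
            if tokens and tokens[-1][1] != "skip":
                tokens[-1] = (tokens[-1][0] + c, "wild")
            else:
                tokens.append((c, "skip"))
            i += 1
        elif c == "{":                           # {n} / {n,m} stays with its atom
            j = pattern.find("}", i)
            j = n - 1 if j == -1 else j
            if tokens:
                tokens[-1] = (tokens[-1][0] + pattern[i:j + 1], tokens[-1][1])
            i = j + 1
        elif c in "()|":
            tokens.append((c, "skip"))
            i += 1
        else:                                    # plain characters and the ^ $ anchors
            tokens.append((c, "literal"))
            i += 1
    return tokens


def _literal_run(tokens: list, start: int, step: int) -> int:
    """Count consecutive literal tokens walking from `start` in direction `step`."""
    count, i = 0, start
    while 0 <= i < len(tokens) and tokens[i][1] == "literal":
        count += 1
        i += step
    return count


def wildcard_placement_errors(pattern: str, minimum: int = 2) -> list:
    """Report wildcards that lack `minimum` non-wildcard characters on both sides."""
    tokens, errors = tokenize(pattern), []
    for idx, (text, kind) in enumerate(tokens):
        if kind != "wild":
            continue
        before = _literal_run(tokens, idx - 1, -1)
        after = _literal_run(tokens, idx + 1, 1)
        if before < minimum and after < minimum:
            errors.append(f"{text!r}: {before} non-wildcard chars before, {after} after")
    return errors


def trailing_dot_warning(pattern: str):
    """Warn when an end-anchored pattern omits the dataset's trailing dot."""
    if pattern.endswith("$") and not pattern.endswith("\\.$"):
        return "end-anchored pattern lacks the trailing literal dot; end it with \\.$"
    return None


def matching_fqdns(pattern: str, fqdns=SAMPLE_FQDNS) -> list:
    """Case-sensitive search; an unanchored pattern behaves like a keyword query."""
    rx = re.compile(to_python_regex(pattern))
    return [name for name in fqdns if rx.search(name)]


def lint(pattern: str) -> list:
    """All problems found for one pattern; an empty list means it looks fine."""
    problems = wildcard_placement_errors(pattern)
    warning = trailing_dot_warning(pattern)
    return problems + [warning] if warning else problems


if __name__ == "__main__":
    for p in [r"^domaintools\.com$", r"^domaintools\.com\.$",
              r"^[[:digit:]]{4}\.news\.$", r"^[a-z]+\.[a-z]+\.$", r"wel{3,6}sfargo"]:
        print(p, "->", lint(p) or "ok", matching_fqdns(p))
```

The pattern `^[a-z]+\.[a-z]+\.$` is flagged because its first class has only the `^` anchor on one side and only `\.` on the other; anchoring the same idea to a known TLD, as in `^[a-z]+\.news\.$`, satisfies the rule. The local match results are only a sanity check of the pattern's logic: the service's own engine and dataset decide what a live search returns.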
Note: Flexible/regex search supports only regex mode. If you're familiar with glob mode from other DNSDB tools, glob patterns aren't supported in Iris Investigate's flexible/regex scope. All patterns must use regex syntax.
## Interface
When you select the flexible/regex scope, the pDNS panel interface adapts to support regex pattern matching:
- The results table differs from a Standard Search by omitting timestamps, observation counts, and bailiwick information.
- The query field displays regex syntax indicators to help you construct valid patterns.
- Visual markers show when the system interprets your input as a regex pattern.
- Hover tooltips provide inline guidance for regex syntax.
## Query vs response directions
Note: This section uses A records as an example. Other record types are also supported.
pDNS data is available from the query and response 'directions':
- The query direction (also known as rrname) shows historical results for when DNS queries requested the domain and IP addresses were returned.
- The response direction (also known as rdata) shows historical results for when DNS queries requested the IP or IP CIDR (Classless Inter-Domain Routing, a method for specifying IP address ranges) range and domain(s) were returned.
Each query returns either query data or response data, not both. When searching by query with ALL record type selected, you receive more results than requested because the system returns all record types for each matching domain.
The response direction often yields fewer or no records, because in a DNS A record the domain is the query and the IP address is the response. If you enter a domain with the toggle set to response, or an IP address with the toggle set to query, and no results appear, flip the toggle and re-run the search.
## Supported record types
The following table shows which record types support query and response directions in flexible/regex searches:
| Record type | By query | By response |
|---|---|---|
| ALL | Yes | Yes |
| A | Yes | No |
| AAAA | Yes | No |
| CNAME | Yes | Yes |
| MX | Yes | Yes |
| NS | Yes | Yes |
| SOA | Yes | Yes |
| TXT | Yes | Yes |
A and AAAA records only support searching by query, not by response.
## Results
Flexible/regex search results differ from standard search results:
- No timestamps.
- No observation counts.
- No bailiwick information.
- Data normalization: The system strips MX record priorities and SOA timing information from the results to match Iris Investigate's data format expectations.
- Export formats: CSV and JSON exports include only the available fields (no timestamp, count, or bailiwick columns), making export files structurally different from standard search exports.
After discovering domains with flexible/regex search, pivot them to standard search (using the right-click menu) to access complete historical data, observation counts, and other metadata.
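To show what the reduced result set looks like in practice and how it feeds the investigation stage, here is an added example that is not part of the Iris Investigate documentation or product. It takes a constructed set of flexible-search rows (rrname, rrtype, rdata in standard DNS presentation format; the real export layout is an assumption), applies the normalization this page describes (MX priority and SOA serial/timer values stripped), writes the three-column CSV that such an export has instead of the standard-search columns, and collects the unique hostnames worth pivoting to standard search.

```python
import csv
import io

# Constructed sample of flexible-search rows, pre-normalization, as rrname/rrtype/
# rdata triples (layout assumed). There are no timestamp, count or bailiwick fields.
SAMPLE_ROWS = [
    {"rrname": "0000.news.", "rrtype": "A", "rdata": "192.0.2.10"},
    {"rrname": "0000.news.", "rrtype": "MX", "rdata": "10 mail.0000.news."},
    {"rrname": "0000.news.", "rrtype": "SOA",
     "rdata": "ns1.0000.news. hostmaster.0000.news. 2024010101 3600 900 604800 86400"},
    {"rrname": "0001.news.", "rrtype": "NS", "rdata": "ns1.0000.news."},
    {"rrname": "0001.news.", "rrtype": "MX", "rdata": "10 mail.0000.news."},
    {"rrname": "0001.news.", "rrtype": "CNAME", "rdata": "0000.news."},
]

EXPORT_FIELDS = ["rrname", "rrtype", "rdata"]   # no timestamp/count/bailiwick columns


def normalize_rdata(rrtype: str, rdata: str) -> str:
    """Drop the MX priority and the SOA serial/timer values, keeping only names."""
    if rrtype == "MX":
        parts = rdata.split(maxsplit=1)
        if len(parts) == 2 and parts[0].isdigit():
            return parts[1]
    elif rrtype == "SOA":
        parts = rdata.split()
        if len(parts) >= 2:
            return " ".join(parts[:2])           # mname and rname only
    return rdata


def normalize_rows(rows: list) -> list:
    """Apply normalize_rdata to every row without touching the other fields."""
    return [{**row, "rdata": normalize_rdata(row["rrtype"], row["rdata"])} for row in rows]


def pivot_targets(rows: list) -> list:
    """Unique hostnames to carry into standard search: every rrname plus the
    hostnames in CNAME/MX/NS rdata and the SOA mname. A/AAAA rdata are IPs and
    are left out (pivot those by IP in the response direction instead)."""
    names = set()
    for row in normalize_rows(rows):
        names.add(row["rrname"])
        if row["rrtype"] in ("CNAME", "MX", "NS"):
            names.add(row["rdata"])
        elif row["rrtype"] == "SOA":
            names.add(row["rdata"].split()[0])
    return sorted(names)


def to_csv(rows: list) -> str:
    """Export with only the columns a flexible-search result set has."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EXPORT_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(normalize_rows(rows))
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE_ROWS))
    print("pivot to standard search:", pivot_targets(SAMPLE_ROWS))
```

Because the flexible-search export lacks the timestamp, count and bailiwick columns, any tooling that ingests standard-search CSVs needs a separate reader for these files; the `EXPORT_FIELDS` list makes that difference explicit.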
## Performance optimization
Flexible/regex searches run slower than standard searches due to pattern matching complexity. Improve performance with these strategies:
- Narrow results by selecting specific Record Type values instead of ALL.
- Apply Time Fencing to limit the search to specific date ranges.
- Start with more specific patterns and broaden only as needed.
- Test complex patterns with simpler queries first.
## Data source
Note: Flexible/regex searches use only Source D (a pDNS data provider). Unlike standard search, which can query all sources simultaneously, Flexible/Regex searches automatically lock to Source D.
## Next steps
- pDNS Panel: Complete pDNS documentation.
- Regex Reference: Detailed regex syntax.
- DNSDB Scout Flexible Search Guide: Comprehensive examples.