How I Investigate a Domain Name
A step-by-step guide to my personal workflow for investigating a domain, from WHOIS and DNS records to advanced OSINT pivoting techniques.
Last updated: July 15, 2025

Introduction
Over the course of my career investigating domain names for everything from Business Email Compromise (BEC) to phishing to enumerating the size of malicious networks, I have developed a bit of a checklist for sources and techniques I use. It isn't perfect, might require access to some unique datasets or tools, and can vary case-by-case, but I have found this approach to provide a fairly complete picture of a domain in terms of how it is being used, who might be behind it, and what else might be related to it.
Table of Contents
- Introduction
- WARNING: Use a Protected Environment
- The Process
- 1. Start with Current WHOIS Records
- 2. Go Digging: Collect Current DNS Records
- 3. Collect Historic WHOIS Records
- 4. Dig Deeper: Collect Historic & Passive DNS Records
- 5. Review Your Data
- 6. PIVOT!
- 1. Repeat Steps 1-5
- 2. Perform Reverse Lookups
- 3. Check Abuse and Reputation Resources
- 4. Check Services Running on an IP Address
- 5. WHOIS & Geolocate IP Addresses
- 6. Check the Internet Archive
- 7. Review the Site's Page Source
- 8. Google (or Bing or DuckDuckGo) it!
- 9. Reverse Analytics & Ad Service Lookups
- 10. Certificate Transparency (CT) Log Analysis
- 11. Social Media & Forum Deep Dives
- 12. Reverse Image & Favicon Searches
- Drawing the Picture
- Conclusion
WARNING: Use a Protected Environment
Some of the techniques below involve visiting or interacting with a domain name or IP address directly. In these cases, ensure you have the proper operational security (OpSec) in place. This isn't just about privacy; it's about safety.
- Sandboxing: Use a dedicated Virtual Machine (VM), a cloud-based browser isolation service, or other tool to prevent your primary machine from being exposed to anything malicious.
- Anonymity: Use a reputable VPN, Tor, or a proxy service to obfuscate your source IP address. This prevents the target from knowing who you are and where you are investigating from.
- Authorization: Understand the legal boundaries of your investigation. Active scanning or interacting with a site can be interpreted differently depending on your jurisdiction and intent. Always ensure you are operating within legal and ethical lines.
The Process
This is, by no means, a rigid step-by-step guide. Some of this may not be applicable in every case. Heck, I would even discourage following this list sequentially every time, because it might limit your approach or cause you to get hung up on details that don't matter for a particular case. Also, keep in mind: A domain registered a few days ago with no prior registration history will likely yield very little information. A domain registered a decade ago may have an overabundance of data, with some of it being potentially unrelated noise that you'll have to filter.
A spreadsheet and a blank notepad will be your friends in this exercise. Creating columns for hostname, date(s), IP addresses, source, notes, etc., is critical for organizing your findings. For example, I used to set up my spreadsheets so I could easily import them into a visualization tool like i2 Analyst's Notebook. A simple version might look like this:
| Entity A | Entity A Type | Date(s) | Entity B | Entity B Type | Source | Notes |
|---|---|---|---|---|---|---|
| diggingdns.com | Hostname | 2025-07-15 | 199.36.158.100 | IP Address | dig | A record on 8.8.8.8 |
| www.diggingdns.com | Hostname | 2025-07-15 | digging-dns-learning.web.app. | Hostname | dig | CNAME on 8.8.8.8 |
| diggingdns.com | Hostname | 2025-07-15 | Squarespace | Registrar | WHOIS | client.rdap.org lookup |
In your head, you should be able to see how this would start drawing a link chart of related entities. This becomes particularly helpful if you are investigating a massive network like a botnet or a spam campaign.
1. Start with Current WHOIS Records
We have to start with the obvious. If the domain is not actively registered, your approach will be very different from one that is. Even though registrant PII is largely gone from public records, there are a handful of fields that remain crucial to an investigation.
First, collect current WHOIS records, ideally from a variety of sources and not just one tool. Propagation delays can result in critical information being out-of-date when only considering one instance. Personally, I use the following:
- CentralOps for a port 43 (legacy) WHOIS record.
- client.rdap.org for an RDAP WHOIS record.
- The registry's official WHOIS lookup tool on their site (e.g., Verisign for `.com`).
- The registrar's WHOIS lookup tool on their site (e.g., GoDaddy, Namecheap).
NOTE: You do not have to use these web-based tools and can use command-line clients or perform the queries directly, but in theory, the results should be the same. The question of wanting a third party (other than the registrar and registry) to potentially see your lookup is a decision for you to make.
PROTIP: In theory, the registry's record should be treated as the ultimate source of truth, as this is where all updates, including those by the registrar, are reflected first.
Disregarding the registrant information, here are the points to look at:
- Domain Status: Check what you see against the ICANN EPP Status Code definitions. If you see the term `hold`, it means the domain is not actively resolving. If you see anything about `redemptionPeriod` or `pendingDelete`, it typically means the domain is expiring and may become available for re-registration soon.
- Timestamps:
  - Creation Date: Was the domain registered a few days ago? There may not be a lot of history to find.
  - Expiration Date: A one-year registration suggests a lower initial investment. A 5- or 10-year registration suggests the registrant has a more vested, long-term interest in the domain.
  - Updated Date: A recent update can suggest a change to the registrar, registrant info, or nameservers, making it worth chasing historic records.
- Nameservers: Note these down. You may encounter discrepancies when looking at the live DNS records, which can be an interesting clue.
2. Go Digging: Collect Current DNS Records
Next, we want to collect as much information as we can about how the domain currently looks in the DNS. You can do this using the `dig` command on your computer or a tool like digwebinterface.com. You should collect records from major public resolvers (like `8.8.8.8` or `1.1.1.1`) and the domain's authoritative nameservers (found in the WHOIS or NS records). This helps ensure you have a complete picture and can spot any sync issues.
Remember not to run an `ANY` query; many servers refuse it or return a deliberately minimal answer (RFC 8482). Look up each record type individually.
- `SOA`: The Start of Authority record. Note the `MNAME` (primary name server), `RNAME` (admin email, often generic but sometimes useful), and `SERIAL` (version number, which sometimes uses a `YYYYMMDD` format, telling you the date of the last update).
- `MX`: The mail exchange. Does it point to a major provider like Google or Microsoft, or a custom hostname? If it's custom, you have a new lead to investigate.
- `TXT`: Look for Sender Policy Framework (SPF) records, which authorize mail servers and can reveal additional IP addresses or domains associated with the entity. Also look for site verification tokens provided by major services like Google, Microsoft, Atlassian, and others.
- `CNAME`: The canonical name. This is an alias for another hostname and is commonly used when a domain leverages a service like Firebase or Heroku. The target of the CNAME is a strong indicator of a service dependency.
- `NS`: The authoritative nameservers for the domain. Note them for future lookups and comparisons.
- `A`/`AAAA`: The IPv4 and IPv6 addresses the domain points to. Note all of them for future investigation.
PROTIP: A discrepancy between records seen on a public resolver versus an authoritative server can be a valuable, often fleeting, clue about recent changes. Record everything.
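As an added example (not code from the original post), here is a small Python helper that does the comparison the PROTIP describes: it parses `dig +noall +answer` style output from a public resolver and from an authoritative server, reports the records only one side returned, and decodes SOA serials that follow the `YYYYMMDDnn` convention. The answer text below is constructed; the hostnames under `.invalid` are placeholders.

```python
import re

# Constructed sample answers in "dig +noall +answer" format (not real lookups).
# The public-resolver view still shows the old zone; the authoritative server has
# a second A record and a bumped SOA serial.
PUBLIC_RESOLVER = """\
diggingdns.com.  300  IN  A    199.36.158.100
diggingdns.com.  300  IN  MX   10 mail.ns-example.invalid.
diggingdns.com.  3600 IN  SOA  ns1.ns-example.invalid. hostmaster.ns-example.invalid. 2025071401 7200 3600 1209600 300
"""
AUTHORITATIVE = """\
diggingdns.com.  300  IN  A    199.36.158.100
diggingdns.com.  300  IN  A    199.36.158.101
diggingdns.com.  300  IN  MX   10 mail.ns-example.invalid.
diggingdns.com.  3600 IN  SOA  ns1.ns-example.invalid. hostmaster.ns-example.invalid. 2025071501 7200 3600 1209600 300
"""

def parse_answers(text):
    """dig answer lines -> set of (name, type, rdata). TTLs are dropped on purpose:
    they count down in caches and would otherwise show up as false discrepancies."""
    records = set()
    for line in text.splitlines():
        parts = line.split(None, 4)          # name, ttl, class, type, rdata
        if len(parts) == 5 and parts[2] == "IN":
            records.add((parts[0].lower(), parts[3].upper(), " ".join(parts[4].split())))
    return records

def compare_sources(public_text, authoritative_text):
    """Records that only one side returned: the 'fleeting clue' worth recording."""
    pub, auth = parse_answers(public_text), parse_answers(authoritative_text)
    return {"only_public": pub - auth, "only_authoritative": auth - pub}

def soa_serial_date(soa_rdata):
    """Decode a SOA serial written as YYYYMMDDnn into 'YYYY-MM-DD'; None when the
    serial is a plain counter or Unix timestamp and does not encode a date."""
    serial = soa_rdata.split()[2]            # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MIN
    m = re.fullmatch(r"(\d{4})(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", serial)
    return f"{m[1]}-{m[2]}-{m[3]}" if m else None

def serial_dates(records):
    """Map each SOA rdata in a parsed record set to its decoded date (or None)."""
    return {r[2]: soa_serial_date(r[2]) for r in records if r[1] == "SOA"}
```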
3. Collect Historic WHOIS Records
Once you have the current status, go get the historic WHOIS records to build a timeline.
- DomainTools: The oldest and largest WHOIS dataset. Paid access.
- Whoxy.com: A great resource with over a decade of records, offering free lookups.
- WhoisXMLAPI: Limited free lookups, paid required for full history.
- WhoisFreaks: Limited free lookups, paid required for full history.
The biggest thing to look for is gaps in registration. If a domain was registered, deleted, then re-registered, it's highly likely that two different entities owned it, and data from before the gap is probably not related to your current investigation. Also, watch for hard shifts in content, IP addresses, or nameservers, which can signal a change in ownership even without a registration gap.
4. Dig Deeper: Collect Historic & Passive DNS Records
Much like with WHOIS, we want to enumerate how the domain was used in DNS over time.
- Historic DNS records are snapshots of a domain's DNS configuration at a point in time, often collected from zone files or active `dig` queries.
- Passive DNS records are observations of actual DNS resolutions seen by sensors around the world. The key difference is that passive DNS can give you a much more complete picture of all hostnames (including non-public ones) that were actively being used.
Here are some sources:
- Historic DNS: ViewDNS.info, DNS History, WhoisFreaks, Complete DNS, WhoisXMLAPI.
- Passive DNS: DomainTools DNSDB (The original that got me into DNS, now commercial), SecurityTrails (Freemium), CIRCL (Free account, abuse-focused), VirusTotal (Free, security-focused), Zetalytics (Account required), Spamhaus (B2B/Paid).
5. Review Your Data
Now, take stock of what you've collected.
- Mind the gap! I cannot stress this enough. If a domain clearly didn't exist for a period, data from before that time is likely a red herring.
- You may have periods where you have DNS records but no corresponding WHOIS records, or vice-versa. This is normal. Data sources only know what they captured. Note these gaps in your timeline.
- Check your gut. Does the data make sense? A domain registered a decade ago might have a rich history if heavily used, or very little if it was just parked.
- Once you're happy with the picture, ask yourself:
- Are there any outliers in the data (e.g., a single unique nameserver among many generic ones)?
- What appears to be the purpose of the infrastructure (e.g., looks like a mail server, a redirector, a phishing site)?
- Can I identify any branding or naming conventions across hostnames?
- What technologies can I fingerprint from the records (e.g., SPF points to Google Workspace, CNAME points to AWS S3)?
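The "mind the gap" checks from steps 3 and 5, as an added Python example that is not part of the original post: it groups historic WHOIS snapshots into registration epochs, reports re-registration gaps and nameserver shifts that happened without a gap, and labels passive DNS observations by whether they predate the current registration. All snapshots, hostnames, registrars and IPs below are constructed.

```python
from datetime import date

# Constructed WHOIS history snapshots (not real data), as a historic WHOIS provider
# would have captured them on each 'captured' date. A new 'created' date means the
# domain was dropped and re-registered: a registration gap.
WHOIS_HISTORY = [
    {"captured": date(2016, 3, 1), "created": date(2014, 5, 2),
     "registrar": "Registrar A (constructed)", "nameservers": {"ns1.oldhost.invalid", "ns2.oldhost.invalid"}},
    {"captured": date(2019, 6, 1), "created": date(2014, 5, 2),
     "registrar": "Registrar A (constructed)", "nameservers": {"ns1.parkinglot.invalid"}},
    {"captured": date(2023, 1, 10), "created": date(2022, 11, 30),
     "registrar": "Registrar B (constructed)", "nameservers": {"ns1.newhost.invalid", "ns2.newhost.invalid"}},
]
# Constructed passive DNS observations: (hostname, rrtype, rdata, first_seen, last_seen).
PASSIVE_DNS = [
    ("diggingdns.com", "A", "203.0.113.10", date(2014, 6, 1), date(2019, 8, 15)),
    ("mail.diggingdns.com", "A", "203.0.113.11", date(2015, 1, 1), date(2019, 8, 15)),
    ("diggingdns.com", "A", "199.36.158.100", date(2022, 12, 2), date(2025, 7, 15)),
    ("old.diggingdns.com", "A", "203.0.113.10", date(2019, 1, 1), date(2023, 3, 1)),
]

def registration_epochs(history):
    """Group snapshots into epochs, one per distinct creation date, oldest first."""
    epochs = []
    for snap in sorted(history, key=lambda s: s["captured"]):
        if epochs and epochs[-1]["created"] == snap["created"]:
            epochs[-1]["last_captured"] = snap["captured"]
        else:
            epochs.append({"created": snap["created"], "last_captured": snap["captured"]})
    return epochs

def registration_gaps(history):
    """(last capture of the old registration, creation date of the new one) per gap."""
    epochs = registration_epochs(history)
    return [(a["last_captured"], b["created"]) for a, b in zip(epochs, epochs[1:])]

def nameserver_shifts(history):
    """Capture dates where the nameserver set changed without a new creation date:
    a possible ownership change that a gap check alone would miss."""
    shifts, prev = [], None
    for snap in sorted(history, key=lambda s: s["captured"]):
        if prev and prev["created"] == snap["created"] and prev["nameservers"] != snap["nameservers"]:
            shifts.append(snap["captured"])
        prev = snap
    return shifts

def triage_observations(history, observations):
    """Label each passive DNS observation against the current registration's creation date."""
    current_created = max(s["created"] for s in history)
    labelled = []
    for host, rrtype, rdata, first_seen, last_seen in observations:
        if last_seen < current_created:
            label = "pre-gap: likely unrelated"
        elif first_seen < current_created:
            label = "spans gap: verify before linking"
        else:
            label = "current registration"
        labelled.append((host, rrtype, rdata, label))
    return labelled
```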
6. PIVOT!
Since we seemingly cannot use this word without this reference.
Based on your answers to the questions above, you have likely circled some interesting data points. Here are some ways to pivot on that data.
1. Repeat Steps 1-5
This is the most fundamental pivot. If you find new, interesting hostnames or IP addresses, start the process over for those entities. Record everything.
2. Perform Reverse Lookups
Passive and historic DNS providers typically allow you to enter a data point like an IP address, mailserver, or nameserver and see all other hostnames they have seen using it. Record these in your spreadsheet to draw out your link chart. Be aware:
- Reverse lookups that return hundreds or thousands of records are likely on massive shared infrastructure (e.g., nameservers like `domaincontrol.com` for GoDaddy). These are often dead ends for finding related actors.
- Remember that DNS records are deliberate and seldom coincidental. If multiple providers show only a handful of domains all using the same unique IP address during the same time window, the likelihood of them being related is very high.
- This is an art. Reverse lookups can rapidly turn into rabbit holes. Stay focused on your objective.
3. Check Abuse and Reputation Resources
If you suspect the domain is malicious, check it against various abuse resources.
- VirusTotal: Check the domain, its IPs, and any discovered subdomains. Look at the Relations tab for infrastructure pivots and the Community tab for comments from other researchers.
- URLScan.io: Submit the URL (safely!) to get a detailed report of what the page looks like, the resources it loads, and outbound links. This can reveal redirect chains and fingerprint the site's technology.
- Blocklists: Check reputation services like Spamhaus or SURBL. A listing is a strong indicator of malicious activity.
- Threat Intelligence Platforms: Services like abuse.ch (with projects like MalwareBazaar and ThreatFox) and Any.Run (an interactive sandbox) can tell you if the domain or its IPs are associated with specific malware campaigns.
4. Check Services Running on an IP Address
Use internet-wide scanners like Shodan.io and Censys.io to see what services are running on an IP address. Seeing port 80/443 (HTTP/S) open is expected for a website, but what about non-standard ports? Or a vulnerable version of SSH on port 22? Also, inspect the SSL/TLS certificates on the IP. The certificate's subject name or alternative names can reveal other hostnames hosted there.
5. WHOIS & Geolocate IP Addresses
This is a step I usually save for later because it typically provides color rather than actionable leads. Knowing an IP is hosted by a major cloud provider in a certain country is useful context but often doesn't change the immediate next steps. My go-to tool is iplocation.net, but others like ipgeolocation.io and MaxMind are also popular.
6. Check the Internet Archive
I have the URI `https://web.archive.org/web/*/example.com/*` committed to memory. This is the fastest way to get all data the Internet Archive has for a domain. It's not always reliable, but sometimes it captures the one nugget you need. Look for historical site content, old contact email addresses in the footer, or clues about when a legitimate site might have been compromised or repurposed.
7. Review the Site's Page Source
Assuming the domain serves a website, view its source code (right-click -> View Page Source) from within a safe environment. It can be hard to read, but look for:
- Comments: Developers sometimes leave notes, usernames, or old code in HTML comments (`<!-- ... -->`) or JavaScript comments (`//` or `/* ... */`).
- Analytics & Tracking IDs: Look for unique codes like a Google Analytics ID (`UA-XXXXXXX` or `G-XXXXXXXXXX`). These can be used as a fingerprint to find other sites belonging to the same owner.
- Social Media Links & Usernames: These can provide direct links to other online profiles.
- Unique File Names or Paths: A uniquely named JavaScript file or CSS theme might be reused across an actor's other websites.
8. Google (or Bing or DuckDuckGo) it!
Never underestimate a simple search. Performing queries on the domain, related hostnames, or unique artifacts you've found (like an analytics ID or an email address) can reveal cached content, discussions in forums, research by others, or new relationships you hadn't considered. Use caution, though: evaluate sources for trustworthiness and always browse from your protected environment.
9. Reverse Analytics & Ad Service Lookups
Threat actors, just like legitimate businesses, want to know if their sites are getting traffic. As such, they'll often use services like Google Analytics. The beauty of this is that they are often lazy and will use the same unique tracking ID (like `G-XXXXXXXXXX` or the older `UA-XXXXXXX-Y`) across their entire portfolio of malicious sites. This ID becomes a perfect fingerprint that ties their disparate infrastructure together.
View the page source of the target website and do a simple `Ctrl+F` for "UA-" or "G-". With that ID, you can use tools like dnslytics.com or hackertarget.com that have indexed these codes to perform a "reverse lookup." It's surprising how often a single Analytics ID can unravel an entire network of fraudulent sites.
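The page-source review from step 7 and the analytics-ID hunt above, as an added Python example (not from the original post): a small `HTMLParser` subclass that pulls HTML and JavaScript comments, `UA-`/`G-` analytics IDs, social-media links and same-site asset paths out of saved page source, so the fingerprints go straight into the spreadsheet instead of being eyeballed. The sample page, IDs, handle and paths are all made-up placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Google Analytics property IDs: legacy UA-... and GA4 G-... forms.
GA_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{10})\b")
JS_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)  # crude: also catches '//' inside string URLs
SOCIAL_HOSTS = {"twitter.com", "x.com", "facebook.com", "t.me", "instagram.com", "github.com"}

class SourceFingerprinter(HTMLParser):
    """Collects the page-source artefacts worth pivoting on."""
    def __init__(self):
        super().__init__()
        self.comments, self.analytics_ids = [], set()
        self.social_links, self.asset_paths = set(), set()
        self._in_script = False
    def handle_comment(self, data):           # <!-- ... --> blocks
        self.comments.append(data.strip())
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._note_asset(a.get("src"))
            self.analytics_ids.update(GA_ID.findall(a.get("src") or ""))  # gtag/js?id=G-...
        elif tag == "link":
            self._note_asset(a.get("href"))
        elif tag == "a" and a.get("href"):
            host = (urlparse(a["href"]).hostname or "").removeprefix("www.")
            if host in SOCIAL_HOSTS:
                self.social_links.add(a["href"])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):              # text nodes and inline <script> bodies
        self.analytics_ids.update(GA_ID.findall(data))
        if self._in_script:
            self.comments.extend(c.strip() for c in JS_COMMENT.findall(data))
    def _note_asset(self, url):
        # Same-site (relative) paths only: a uniquely named theme or script file is a
        # fingerprint, while third-party CDN paths are shared by everyone.
        if url and not urlparse(url).hostname:
            self.asset_paths.add(urlparse(url).path)

def fingerprint(html):
    p = SourceFingerprinter()
    p.feed(html)
    p.close()
    return {"comments": p.comments, "analytics_ids": sorted(p.analytics_ids),
            "social_links": sorted(p.social_links), "asset_paths": sorted(p.asset_paths)}

# Constructed page source; every ID, handle and path below is a made-up placeholder.
SAMPLE_HTML = """<!doctype html><html><head><!-- theme: acme-landing v2, built by devuser42 -->
<link rel="stylesheet" href="/assets/css/acme-theme-2019.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-AB12CD34EF"></script>
<script>// legacy property kept for reporting
ga('create', 'UA-123456-1', 'auto');</script></head><body>
<a href="https://twitter.com/acme_support_fake">Twitter</a> <a href="/about">About</a>
<script src="/js/acme-checkout-v3.js"></script></body></html>"""
```

Run it on source saved from your protected environment (`fingerprint(open("page.html").read())`); the IDs it returns are the values to feed the reverse-analytics lookups.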
10. Certificate Transparency (CT) Log Analysis
This can be a great way of finding subdomains that were previously unknown and related domains in different top level domains (TLDs). To be trusted by your browser, every SSL/TLS certificate that gets issued has to be published in public logs. We can search these logs to see every certificate ever created for our target domain.
If you want to review the subdomains, using a tool like crt.sh, the key is to search not just for `example.com`, but for `%.example.com`. The `%` acts as a wildcard. This query will return a list of all publicly logged certificates, which often includes subdomains you would never guess, like `dev-testing.example.com` or `vpn-internal.example.com`. If the administrator never issued a wildcard certificate, you get back the full list of unique subdomains that have had certificates issued.
When reviewing a certificate, you may see hostnames like `example.com`, `example.net`, and `example.org` all listed on the same cert, making it highly likely that the same individual or entity is administering them.
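Turning a crt.sh result set into the two findings above (unknown subdomains, and sibling domains sharing a certificate), as an added Python example that is not part of the original post. It assumes the JSON shape crt.sh returns for `?q=%.example.com&output=json`, where `name_value` holds the newline-separated subject alternative names; the entries below are constructed, and the registrable-domain helper is a deliberate two-label simplification.

```python
import json
from collections import Counter

# Constructed sample in the shape crt.sh returns for ?q=%.example.com&output=json
# (only the fields used here; not real certificate data). name_value holds the
# certificate's subject alternative names, newline-separated.
CRT_SH_SAMPLE = json.dumps([
    {"id": 1, "common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"id": 2, "common_name": "dev-testing.example.com", "name_value": "dev-testing.example.com"},
    {"id": 3, "common_name": "example.com",
     "name_value": "example.com\nexample.net\nexample.org\nvpn-internal.example.com"},
    {"id": 4, "common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
])

def cert_names(entry):
    """All names on one certificate (CN plus SANs), lower-cased and de-duplicated."""
    names = entry["name_value"].lower().split("\n") + [entry["common_name"].lower()]
    return {n.strip() for n in names if n.strip()}

def registrable(name):
    """Registrable domain of a hostname. Assumption: a two-label suffix is enough;
    ccTLD forms like .co.uk would need a Public Suffix List lookup instead."""
    host = name[2:] if name.startswith("*.") else name
    return ".".join(host.split(".")[-2:])

def logged_subdomains(raw_json, base):
    """Non-wildcard hostnames under base -> number of logged certs each appeared on."""
    counts = Counter()
    for entry in json.loads(raw_json):
        for n in cert_names(entry):
            if (n == base or n.endswith("." + base)) and not n.startswith("*."):
                counts[n] += 1
    return dict(counts)

def co_issued_domains(raw_json, base):
    """Other registrable domains sharing a certificate with base -> cert ids.
    Names on one cert were requested by one party, hence the same-administrator signal."""
    related = {}
    for entry in json.loads(raw_json):
        names = cert_names(entry)
        if any(registrable(n) == base for n in names):
            for other in {registrable(n) for n in names} - {base}:
                related.setdefault(other, []).append(entry["id"])
    return related

def wildcard_certs(raw_json, base):
    """Cert ids carrying *.base; a wildcard hides the individual subdomain names."""
    return [e["id"] for e in json.loads(raw_json) if "*." + base in cert_names(e)]
```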
11. Social Media & Forum Deep Dives
Google is great, but it doesn't index everything, especially the conversational, ephemeral parts of the web. Sometimes the best clues come from seeing what real people are saying about a domain.
Simply take the domain name and search for it directly on platforms like Twitter/X, Reddit (especially in relevant subreddits), and sometimes even Telegram channels if the context fits. Facebook provides a search of ads that might even be of use.
12. Reverse Image & Favicon Searches
This technique works on a simple premise: people are lazy and reuse assets. This is especially true for threat actors running large-scale campaigns.
There are two methods of doing this:
- The Simple Method: I'll grab the logo or any unique product images from the target site and run them through a reverse image search like Google Images or TinEye. This can sometimes uncover other sites using the exact same (often stolen) branding.
- The Advanced Method: This one is a personal favorite for its surprising effectiveness. I find the hash of the site's `favicon.ico` file (the little icon that appears in your browser tab). Then, I use a service like Shodan to search for that specific favicon hash using the `http.favicon.hash` filter. It's an incredibly effective way to find cloned login pages or other related infrastructure where the actor was too lazy to even change the icon.
Drawing the Picture
If you do not have a link chart software available to you, you can use Gephi to get started quickly. Check out how to import the spreadsheet using their guide or video.
Conclusion
This is not comprehensive by any means. I have other posts on other techniques not mentioned here and there are some things that I will only share over beer. The goal is to give you a method, sources, and techniques that have worked for me time and time again in all of the investigations that I have done over the years.