12 Principles for a New Domain Name Investigator

The landscape for domain investigations has changed. Here are 12 principles I've learned over a decade of work to help you navigate the new reality.

Last updated: September 21, 2025

Image by https://unsplash.com/@brett_jordan

Introduction

When I first started learning about domain names and how DNS works, I was fortunate enough to be surrounded by coworkers with plenty of experience on both the technical and policy sides of things. I quickly found that learning nuance and paying attention to small details was often the key to understanding what I was looking at. However, in the 10+ years since I started, the tools, landscape, and policies have all changed radically—most of it unfavorably for anyone trying to investigate and understand a domain.

Here is a list of principles, techniques, and advice that I would offer to someone starting out today in OSINT domain name investigations.

1. Don't Waste a Lot of Time on WHOIS

WHOIS used to be an amazing tool for domain name investigations, especially when the question was "Who owns this domain?" and your budget could afford a DomainTools WHOIS History report if some quick Google searching did not yield the answer. When a registrant was too cheap to spend money on privacy services initially, you might have found an unredacted record in a historical database.

Then GDPR happened, and this method died a long, slow death as registrars decided to redact almost all records by default. Getting your hands on an unredacted record nowadays is pretty akin to winning a lottery.

Today, WHOIS is primarily useful for four things: the current registrar, the timestamps (created/updated/expires), the domain status, and the nameservers. For gTLDs those same four fields now come from RDAP, which replaced port-43 WHOIS as the required lookup service when ICANN's WHOIS sunset took effect in January 2025; RDAP returns them as JSON instead of free text. A historical record from before 2018 might contain old registrant data, but that doesn't mean the domain hasn't changed hands since then, which can turn that old data into a red herring.

Focus on the reliable clues: understand the registrar and the age of the domain. Those two elements alone can provide a lot of context for your next steps.
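The four fields above are easy to pull out of an RDAP response programmatically, which matters when you are triaging dozens of domains. The script below is an added example (not the article's own code): SAMPLE_RDAP is a constructed document in the RFC 9083 JSON shape that gTLD RDAP servers return, and the domain, registrar name, IANA ID, nameservers and dates in it are invented. A live lookup would be `curl -sL https://rdap.org/domain/<domain>`, which redirects to the authoritative registry or registrar server.

```python
"""Pull the four reliable clues (registrar, timestamps, status, nameservers)
out of an RDAP domain response. Added example; SAMPLE_RDAP is constructed.
"""
import json
from datetime import datetime, timezone

SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-PHISH.XYZ",
    "status": ["client transfer prohibited", "server hold"],
    "events": [
        {"eventAction": "registration", "eventDate": "2025-08-30T14:02:11Z"},
        {"eventAction": "last changed", "eventDate": "2025-09-02T09:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-08-30T14:02:11Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE-DNS.NET"},
        {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.NET"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar LLC"]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
})


def _iso(ts):
    """Parse an RDAP timestamp such as 2025-08-30T14:02:11Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _vcard_fn(entity):
    """Return the 'fn' (formatted name) property from an entity's jCard, if present."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None


def _entity_with_role(doc, role):
    return next((e for e in doc.get("entities", []) if role in e.get("roles", [])), {})


def summarize_rdap(raw_json, now=None):
    """Reduce an RDAP domain object to the fields worth trusting.

    now: ISO-8601 string, or None for the current UTC time; used only to compute age.
    """
    doc = json.loads(raw_json)
    now_dt = _iso(now) if now else datetime.now(timezone.utc)
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    registrar = _entity_with_role(doc, "registrar")
    iana_id = next((p["identifier"] for p in registrar.get("publicIds", [])
                    if p.get("type") == "IANA Registrar ID"), None)
    created = events.get("registration")
    return {
        "domain": doc.get("ldhName", "").lower(),
        "registrar": _vcard_fn(registrar),
        "registrar_iana_id": iana_id,           # stable key for the registrar, unlike its display name
        "created": created,
        "updated": events.get("last changed"),
        "expires": events.get("expiration"),
        "age_days": (now_dt - _iso(created)).days if created else None,
        "status": doc.get("status", []),         # "server hold" means the registry pulled it from the zone
        "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        # Registrant contact is almost always redacted post-GDPR: record it, do not build on it.
        "registrant": _vcard_fn(_entity_with_role(doc, "registrant")),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_rdap(SAMPLE_RDAP), indent=2))
```

The IANA Registrar ID is worth keeping alongside the name: registrar display names change and are inconsistent across data sources, while the ID is what ICANN's own lists key on.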

2. Understand the Registrar and Registry Involved

Each registrar and registry is different. Where they're headquartered, how they price their domains, how large the company is, and their reputation within the OSINT and cyber intelligence communities can help paint a picture of how likely they are to be helpful or responsive.

Here is how I quickly build that picture:

  • Check TLD Pricing: I use a site like tld-list.com to understand the registration and renewal pricing for a domain's TLD. Extremely cheap or perpetually "on-sale" TLDs often attract more abuse.
  • Check Abuse Rankings: I check the public statistics that organizations like Spamhaus and SURBL publish on the most abused TLDs and registrars. A high ranking sets expectations: the more abused a TLD or registrar is, the less I expect anyone involved to act on the domain, or to tell me who is behind it.
  • Assess Their Business Model: Is the registrar a high-volume, low-cost entity or a corporate registrar focused on brand protection? The former may have automated but less nuanced abuse processes, while the latter might be more responsive to well-formed complaints.
  • Check Their Location: The legal jurisdiction of the registrar and registry matters. A registrar based in a country with weak enforcement or a history of non-cooperation is less likely to act on a simple abuse report.

3. Cloudflare Can Be a Real Showstopper

Credit where it's due: Cloudflare has some cool tech. Unfortunately, bad guys also like cool tech. Because Cloudflare serves as a reverse proxy between a visitor and the actual website server, it can be incredibly difficult to find the true origin IP address.

Sites like Crimeflare (discontinued) used to help with this by using various techniques and maintaining an archive of historical DNS records and certificate data. As time went on, Cloudflare addressed these weaknesses, and many of the old tricks (and newer ones) no longer work, making it very hard to unmask an origin server. Seeing many domains on the same Cloudflare nameservers is not a strong link on its own either, because those nameservers are shared by millions of zones. Don't give up entirely, though. Misconfigurations still happen, and historical DNS records from before a site moved to Cloudflare may exist in passive DNS databases. The leads that still pay off are the things Cloudflare does not proxy: mail servers (the MX records, and the headers of any email the site sends), subdomains the operator forgot to proxy (mail, ftp, direct, cpanel and the like), and certificates in Certificate Transparency logs issued to hostnames that were never meant to be public.

4. Become a Junior Cloud and System Administrator

Seriously! Modern services use DNS in so many different ways to connect to each other. Understanding how those systems work, even at a high level, will give you insight into what to look for when investigating a domain.

  • Are you seeing .php extensions in the URL? That might suggest a classic LAMP (Linux, Apache, MySQL, PHP) stack, perhaps on a simple VPS.
  • Is a CNAME record pointing to s3.amazonaws.com? You know the site is using Amazon S3 for hosting files. That's a potential account you've found.
  • Seeing a TXT record that contains "google-site-verification=" or "MS="? Those are domain-verification tokens: the domain has been proven to Google (for Google Workspace or Search Console) or to Microsoft 365, respectively.
  • What is a _sip._tls SRV record? It advertises a SIP-over-TLS service, used by VoIP phone systems and unified-communications platforms, suggesting the domain is tied to a phone system somewhere.

You don't have to be an expert sysadmin or programmer. Knowing just enough to "be dangerous" and recognize these technical fingerprints is the goal.
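The fingerprints in the list above can be checked mechanically once you have a domain's records in hand. The script below is an added example and not the article's code: CONSTRUCTED_RECORDS is hand-written to resemble the answer sections of a few dig lookups for an invented domain (hostnames, IPs, bucket name and tokens are assumptions), and the Cloudflare ranges are a partial snapshot of the list published at https://www.cloudflare.com/ips/ that must be refreshed before being relied on. Beyond the four patterns in the text it also flags Cloudflare nameservers, Google and Microsoft mail, SPF, and (tying this section to the previous one) any A record that is not a Cloudflare address on a domain whose nameservers are Cloudflare's.

```python
"""Turn a domain's DNS records into service fingerprints.
Added example; the record set and IP-range snapshot are assumptions.
"""
import ipaddress

CONSTRUCTED_RECORDS = [  # (owner name, type, rdata) as a resolver returns them
    ("example-phish.xyz.", "NS", "ada.ns.cloudflare.com."),
    ("example-phish.xyz.", "NS", "bob.ns.cloudflare.com."),
    ("example-phish.xyz.", "A", "104.21.0.10"),
    ("example-phish.xyz.", "MX", "10 aspmx.l.google.com."),
    ("example-phish.xyz.", "TXT", '"google-site-verification=AbCdEf123"'),
    ("example-phish.xyz.", "TXT", '"MS=ms12345678"'),
    ("example-phish.xyz.", "TXT", '"v=spf1 include:_spf.google.com -all"'),
    ("assets.example-phish.xyz.", "CNAME", "lure-assets-2025.s3.amazonaws.com."),
    ("_sip._tls.example-phish.xyz.", "SRV", "100 1 443 sipdir.online.lync.com."),
    ("ftp.example-phish.xyz.", "A", "203.0.113.45"),
]

# Partial snapshot of Cloudflare's published IPv4 edge ranges; refresh from cloudflare.com/ips.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]
S3_SUFFIX = ".s3.amazonaws.com."   # regional endpoints (s3.<region>.amazonaws.com) also exist


def is_cloudflare_ip(ip):
    """True if ip falls inside one of the snapshotted Cloudflare edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def fingerprint(records):
    """Return a list of human-readable findings derived from the record set."""
    findings = []
    behind_cf = any(t == "NS" and d.lower().endswith(".ns.cloudflare.com.") for _, t, d in records)
    if behind_cf:
        findings.append("Cloudflare nameservers: proxied A/AAAA answers are edge IPs, not the origin")
    for name, rtype, rdata in records:
        data = rdata.strip('"').lower()
        if rtype == "CNAME" and data.endswith(S3_SUFFIX):
            bucket = data[:-len(S3_SUFFIX)]
            findings.append(f"{name} -> Amazon S3 bucket {bucket}: an AWS account to pivot on")
        elif rtype == "TXT" and data.startswith("google-site-verification="):
            findings.append("Google verification token: domain proven to Google (Workspace or Search Console)")
        elif rtype == "TXT" and data.startswith("ms="):
            findings.append("Microsoft 365 domain verification token")
        elif rtype == "TXT" and data.startswith("v=spf1"):
            findings.append(f"SPF names the permitted mail senders: {data}")
        elif rtype == "MX" and data.endswith(".google.com."):
            findings.append("Mail handled by Google Workspace")
        elif rtype == "MX" and data.endswith(".outlook.com."):
            findings.append("Mail handled by Microsoft 365")
        elif rtype == "SRV" and name.startswith("_sip._tls."):
            findings.append(f"SIP over TLS record pointing at {data.split()[-1]}: a VoIP/UC platform is in use")
        elif rtype == "A" and behind_cf and not is_cloudflare_ip(data):
            findings.append(f"{name} -> {data} is not a Cloudflare address: unproxied host, origin candidate")
    return findings


if __name__ == "__main__":
    for line in fingerprint(CONSTRUCTED_RECORDS):
        print("-", line)
```

The last rule is the one that earns its keep: an A record on a Cloudflare-fronted domain that points outside Cloudflare's ranges is a host the operator left unproxied, and is the first thing to compare against the site's TLS certificate and content.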

5. Contractual Obligations Are Great, But Don't Bank on Them

Regrettably, "technically correct is the best kind of correct." Most gTLD registrars and registries have a contractual obligation with ICANN to investigate and act on reports of DNS abuse like phishing, malware, and botnets (ccTLD operators set their own rules). But what does "acting upon" or "mitigating" actually mean? What is the required timeframe?

For some, receiving your report, reading it, and sending a notice to their registrant that they have 120 days to fix the problem might technically fulfill their obligation. A complaint to ICANN might result in a follow-up, but if the registrar can prove they technically complied with the contract, your issue may persist. Hope for proactive partners, but don't be surprised by procedural ones.

6. KISS (Keep It Simple, Stupid)

Even as a technical person, I don't want to read pages of jargon sometimes. When you report abuse, explain the issue in as few words as possible and in plain English, supported by clear proof.

  • Structure Your Report: Use a simple, parsable format. A human or a machine should be able to understand it at a glance.
    • Domain: phishing-site.xyz
    • Abuse Type: Phishing
    • Target: Big Name Bank
    • Evidence: [link to screenshot or urlscan.io report OR attach it to the email]
    • Brief Explanation: "This domain is impersonating Big Name Bank to steal user credentials."
  • Remove Emotion: Keep your report factual and professional. Ranting or accusing doesn't help your case and can get your report ignored. Let the evidence speak for itself. Even if you are a lawyer or have the means to follow up through legal channels, a vague threat of legal action in the first report will only raise defenses.

7. Your Budget is (Probably) Not Big Enough

One of the hardest parts of modern domain investigation is affordability. Over the years, many of the best commercial data vendors have moved upmarket, becoming increasingly cost-prohibitive for individuals, non-profits, or small shops.

  • Acknowledge Reality: The most comprehensive and timely datasets for passive DNS, historical WHOIS, and threat intelligence often come with a hefty price tag.
  • Master the Free Tools: The good news is that the free and freemium ecosystem is more powerful than ever. Your strategy should be to master these tools first. Build your initial case using invaluable resources like VirusTotal, URLScan.io, and crt.sh.
  • Be Strategic with Paid Lookups: Use the free tools to identify the specific gaps in your knowledge. Only then should you consider using a paid service for a single lookup or a short-term subscription to answer a critical question that the free tools cannot.
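crt.sh is a good illustration of how far a free source goes, and it also serves principle 3: a certificate logged for a hostname like origin.<domain> before the site moved behind Cloudflare is often the origin you were looking for. The script below is an added example, not the article's code. CONSTRUCTED_CRTSH is a hand-written stand-in for the JSON that https://crt.sh/?q=%25.example-phish.xyz&output=json returns (same field names; the certificate IDs, issuers, hostnames and dates are invented), and UNPROXIED_HINTS is an assumption about common naming habits rather than anything crt.sh provides.

```python
"""Mine crt.sh (Certificate Transparency) output for hostnames and a timeline.
Added example; CONSTRUCTED_CRTSH and UNPROXIED_HINTS are assumptions.
"""
import json

CONSTRUCTED_CRTSH = json.dumps([
    {"id": 1111, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "example-phish.xyz",
     "name_value": "example-phish.xyz\nwww.example-phish.xyz",
     "not_before": "2025-09-01T10:00:00", "not_after": "2025-11-30T10:00:00"},
    {"id": 1112, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "origin.example-phish.xyz",
     "name_value": "origin.example-phish.xyz",
     "not_before": "2025-08-30T16:20:00", "not_after": "2025-11-28T16:20:00"},
    {"id": 1113, "issuer_name": "C=US, O=Google Trust Services, CN=WE1",
     "common_name": "example-phish.xyz",
     "name_value": "*.example-phish.xyz\nexample-phish.xyz",
     "not_before": "2025-09-03T00:00:00", "not_after": "2025-12-02T00:00:00"},
    # crt.sh usually lists the precertificate and the final certificate as separate rows
    {"id": 1114, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "example-phish.xyz",
     "name_value": "example-phish.xyz\nwww.example-phish.xyz",
     "not_before": "2025-09-01T10:00:00", "not_after": "2025-11-30T10:00:00"},
])

# Leftmost labels that, in my experience, often sit outside a reverse proxy (assumption).
UNPROXIED_HINTS = ("origin", "direct", "mail", "ftp", "cpanel", "webmail", "dev", "staging", "vpn")


def hostnames_from_crtsh(raw_json, apex):
    """Map each name under apex to its earliest not_before, latest not_after and issuers."""
    apex = apex.lower()
    hosts = {}
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):   # SAN list, one name per line
            name = name.strip().lower()
            if not name or not (name == apex or name.endswith("." + apex)):
                continue
            h = hosts.setdefault(name, {"first_seen": entry["not_before"],
                                        "last_valid": entry["not_after"], "issuers": set()})
            h["first_seen"] = min(h["first_seen"], entry["not_before"])   # ISO strings sort chronologically
            h["last_valid"] = max(h["last_valid"], entry["not_after"])
            h["issuers"].add(entry["issuer_name"])
    return hosts


def likely_unproxied(hosts):
    """Names whose leftmost label suggests a host that may bypass a reverse proxy."""
    return sorted(n for n in hosts if not n.startswith("*.") and n.split(".")[0] in UNPROXIED_HINTS)


if __name__ == "__main__":
    found = hostnames_from_crtsh(CONSTRUCTED_CRTSH, "example-phish.xyz")
    for name, info in sorted(found.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{info['first_seen']}  {name}  ({len(info['issuers'])} issuer(s))")
    print("worth resolving directly:", likely_unproxied(found))
```

Two habits this builds in: dedupe by hostname rather than by certificate (precert and leaf rows double-count otherwise), and sort by first_seen, because the order in which names were certified tells you how the infrastructure was built.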

8. Redefine "Success" Because It's Not Always a Takedown

As the internet becomes more privacy-focused and as threat actors become more sophisticated, investigating a domain is getting harder. All the factors I've listed above are, in some way, working against you, which means you will frequently hit what feels like a dead end. The key is to redefine what a "win" looks like for your investigation.

  • Success is Intelligence Gain: Sometimes, the win isn't taking a site offline. It's simply confirming a link between two actors, identifying a new piece of infrastructure for your own tracking, or enriching the public record on a service like VirusTotal for the next investigator who comes along.
  • Collaboration is a Win: Difficult cases are often solved by sharing intelligence (responsibly) with trust groups, CERTs, or other researchers. Your "dead end" might be the missing piece of someone else's puzzle. Contributing to that collective effort is a success.
  • A Good Escalation is a Win: Your goal might not be to solve the case yourself. Success can be building a solid, well-documented evidence package to hand over to authorities who have the legal power to get the answers you can't.

9. Set Realistic Expectations: You're (Probably) Not Unmasking the "Threat Actor"

If you read cybersecurity reports, you've seen the term "Threat Actor" countless times, often followed by a fancy, made-up name for a group. You'll notice that it seldom resolves to a real name and face.

Because attribution is incredibly difficult, it is vital to set realistic expectations for your client, your boss, or even yourself from the very beginning. Using a few of the principles above, I can typically deliver an honest analysis early on: "I'm sorry you suffered a BEC attack. While we can map out the infrastructure and report it, only a multi-national law enforcement effort can likely get the subscriber information you're truly looking for." It is news someone who suffered a loss does not want to hear, but it is far more honest than getting their hopes up, taking their money, and crushing them even more when you do not deliver.

Instead of focusing on the impossible, frame the successful outcomes around what is possible: gathering enough information to file a detailed report with the appropriate authorities, providing documentation for a cyber-insurance claim, and delivering actionable intelligence to your security team to prevent a similar attack from happening again.

10. Trust, But Verify Everything

No single tool or data point is infallible. Treat every piece of information as a clue, not as absolute truth, until it has been corroborated by a different, independent source.

  • Tools Have Biases and Blind Spots: A passive DNS database only knows what its sensors saw. A historical WHOIS provider only knows what it scraped and when. One tool might have a record of an IP address while another one missed it entirely.
  • Data Can Be Deceptive: WHOIS data can be intentionally falsified. A domain pointing to a Cloudflare IP tells you nothing about the owner's true infrastructure on its own.
  • The Goal is Corroboration: A real defining moment in an investigation often comes when two completely different data types point to the same conclusion. For example, when the historical passive DNS record shows an old IP address, and a reverse image search on the site's old logo leads you to another domain hosted on that same IP. That's when a lead becomes evidence.
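Corroboration is also something you can do mechanically when you have the same kind of data from two sources. The script below is an added example, not the article's code: PROVIDER_A and PROVIDER_B are constructed passive-DNS results whose field names are assumed stand-ins for whatever schema a real provider uses (vendors differ, which is why the first step normalizes them), and the domains, IPs and dates are invented. It merges the two, records which source saw what, and then pivots: which IPs did two domains share, and did their observation windows actually overlap, or is this just shared hosting churn years apart.

```python
"""Merge passive DNS results from two providers and pivot on shared IPs.
Added example; both record lists and their schemas are constructed.
"""
from datetime import date

PROVIDER_A = [  # assumed schema: rrname / rdata / time_first / time_last
    {"rrname": "example-phish.xyz", "rdata": "104.21.0.10", "time_first": "2025-09-01", "time_last": "2025-09-20"},
    {"rrname": "example-phish.xyz", "rdata": "203.0.113.45", "time_first": "2025-08-30", "time_last": "2025-09-01"},
    {"rrname": "other-lure.top", "rdata": "203.0.113.45", "time_first": "2025-08-25", "time_last": "2025-09-10"},
]
PROVIDER_B = [  # assumed schema: domain / ip / first_seen / last_seen
    {"domain": "example-phish.xyz", "ip": "203.0.113.45", "first_seen": "2025-08-29", "last_seen": "2025-08-31"},
    {"domain": "older-site.com", "ip": "203.0.113.45", "first_seen": "2023-01-10", "last_seen": "2023-03-01"},
    {"domain": "other-lure.top", "ip": "198.51.100.7", "first_seen": "2025-09-05", "last_seen": "2025-09-15"},
]


def normalise(records, source, name_key, ip_key, first_key, last_key):
    """Yield (name, ip, first, last, source) tuples from one provider's records."""
    for r in records:
        yield (r[name_key].lower().rstrip("."), r[ip_key],
               date.fromisoformat(r[first_key]), date.fromisoformat(r[last_key]), source)


def merge(*streams):
    """Union the streams keyed on (name, ip), widening the window and recording sources."""
    merged = {}
    for stream in streams:
        for name, ip, first, last, source in stream:
            m = merged.setdefault((name, ip), {"first": first, "last": last, "sources": set()})
            m["first"] = min(m["first"], first)
            m["last"] = max(m["last"], last)
            m["sources"].add(source)
    return merged


def shared_infrastructure(merged, domain_x, domain_y, ignore=frozenset()):
    """IPs both domains resolved to, with whether their observation windows overlapped.

    ignore: IPs to exclude, e.g. CDN/reverse-proxy edges shared by thousands of tenants.
    """
    x = {ip: m for (name, ip), m in merged.items() if name == domain_x and ip not in ignore}
    y = {ip: m for (name, ip), m in merged.items() if name == domain_y and ip not in ignore}
    result = []
    for ip in sorted(set(x) & set(y)):
        overlap = x[ip]["first"] <= y[ip]["last"] and y[ip]["first"] <= x[ip]["last"]
        result.append((ip, overlap))
    return result


MERGED = merge(
    normalise(PROVIDER_A, "pdns-A", "rrname", "rdata", "time_first", "time_last"),
    normalise(PROVIDER_B, "pdns-B", "domain", "ip", "first_seen", "last_seen"),
)

if __name__ == "__main__":
    for (name, ip), m in sorted(MERGED.items()):
        print(f"{name:20} {ip:15} {m['first']}..{m['last']}  seen by {sorted(m['sources'])}")
    print(shared_infrastructure(MERGED, "example-phish.xyz", "other-lure.top", ignore={"104.21.0.10"}))
    print(shared_infrastructure(MERGED, "example-phish.xyz", "older-site.com"))
```

In the sample, only one provider saw the pre-Cloudflare IP with an earlier first-seen date, and the two lure domains overlap on it in time while the 2023 tenant of the same address does not. Keeping the sources set lets you say in a report exactly which dataset each claim rests on.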

11. The Threat Actor Gets a Vote

It's easy to think of an investigation as solving a static puzzle, but it's not. You are dealing with an active, thinking individual or group who is aware you might be looking for them and who will react to your actions.

  • Their Defenses Are Intentional: Privacy services, proxies, fast-flux DNS, and disposable domains aren't accidents. They are deliberate choices made by threat actors to make your job harder. Understanding these techniques is key to understanding their sophistication.
  • Takedowns Trigger Reactions: When you successfully get a domain or server taken down, the actor doesn't just give up. They often have backup domains and servers ready to go. A successful takedown is a disruption, not necessarily a final defeat. Experienced Threat Actors can often be back online a few hours later.
  • Your Actions Can Tip Them Off: Be aware that your investigation can leave footprints. Active scanning or repeated, direct queries to a server they control could signal to a sophisticated actor that they have been discovered, prompting them to change their infrastructure or block you outright.

12. Document as You Go, Not After

Your memory will fail you, and poorly written notes can haunt you. The internet is dynamic to the point of being volatile. A website that is online now might be gone in an hour, and a DNS record can change in an instant. You must capture evidence at the moment you observe it.

  • Screenshot Everything: Get in the habit of taking full-page screenshots of websites, WHOIS records, and tool outputs. Name them descriptively.
  • Save Raw Data: Copy and paste the raw text of your dig commands and WHOIS lookups into a notes file. These raw logs are your primary source material. Be sure to note date and time when you do.
  • Archive Live Sites: For a critical piece of evidence, like a live phishing page, use a service like URLScan.io. It will take a snapshot of the site, record the resources it loads, and create a permanent, publicly viewable record that you can cite even after the original site is taken down.

Tools like Hunchly and Data Miner are built for this kind of capture, but general-purpose note-taking tools like Microsoft's OneNote and Obsidian work just as well.
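If you save raw output by hand, the two things that get forgotten are the exact time of observation and any way to show later that the saved text has not been altered. The script below is an added example (not the article's code, and not how any of the tools named above work internally) of the minimum I'd want: each capture gets a UTC timestamp, the command that produced it, and a SHA-256 digest, appended to a one-line-per-observation manifest. SAMPLE_DIG is constructed text standing in for the answer section of `dig +noall +answer example-phish.xyz A`; the domain and IP are invented.

```python
"""Save raw tool output with a UTC timestamp and a SHA-256 digest.
Added example; SAMPLE_DIG is constructed.
"""
import hashlib
import json
import os
import re
from datetime import datetime, timezone

SAMPLE_DIG = "example-phish.xyz.\t300\tIN\tA\t104.21.0.10\n"


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def capture(label, command, raw_text, observed_at=None, out_dir=None):
    """Build a manifest entry for one observation; write the file and manifest if out_dir is set.

    observed_at: ISO-8601 string (e.g. 2025-09-21T10:00:00Z) or None for the current UTC time.
    """
    when = (datetime.fromisoformat(observed_at.replace("Z", "+00:00")) if observed_at
            else datetime.now(timezone.utc)).astimezone(timezone.utc)
    safe_label = re.sub(r"[^A-Za-z0-9_.-]+", "_", label)
    entry = {
        "label": label,
        "command": command,                        # exactly what was run, so the step is reproducible
        "observed_at_utc": when.isoformat(),
        "sha256": sha256_hex(raw_text),            # lets anyone later prove the saved text is unchanged
        "bytes": len(raw_text.encode("utf-8")),
        "file": f"{when.strftime('%Y%m%dT%H%M%SZ')}_{safe_label}.txt",
    }
    if out_dir:
        os.makedirs(out_dir, exist_ok=True)
        with open(os.path.join(out_dir, entry["file"]), "w", encoding="utf-8") as fh:
            fh.write(raw_text)
        with open(os.path.join(out_dir, "manifest.jsonl"), "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")     # append-only log, one JSON object per observation
    return entry


def verify(entry, raw_text):
    """True if raw_text still matches the digest recorded at capture time."""
    return sha256_hex(raw_text) == entry["sha256"]


if __name__ == "__main__":
    e = capture("dig A", "dig +noall +answer example-phish.xyz A", SAMPLE_DIG, out_dir="evidence")
    print(json.dumps(e, indent=2), "verified:", verify(e, SAMPLE_DIG))
```

Record times in UTC only; mixing local time from several tools and screenshots is a common way to make a timeline unusable later.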
