tips tools reconnaissance

SecurityTrails Blog · Mar 19 · SecurityTrails team

How to Check the Domain Owner History

Reading time: 4 minutes

Last week, we published an interesting topic about newly registered domain names, and how monitoring these could help the infosec industry investigate malicious incidents such as malware, viruses and phishing campaigns.

Today we’ll continue with helpful domain intelligence tips to shed light on researching malicious incidents. Let’s learn what domain owner history is, and how to fetch the full owner history of any domain name on the Internet.

What is the domain owner history?

The “domain owner history” is also known simply as the ‘WHOIS history.’ It’s basically every WHOIS record for the domain name you’re investigating, ever since the first time it was registered.

While nowadays a lot of domain names use the privacy feature to protect their data, there was a time when these domains were unprotected, when they exposed their data to the public.

How is domain owner history useful?

When you’re running any OSINT research, one of the top most important things to investigate will be the domain names and IPs associated with the organization or individual you’re targeting.

And there are a couple of scenarios in which you’ll find the domain owner history is quite useful, such as:

  • Cyber crime investigation: With the rise of fake propaganda, scams, phishing, viruses and malware campaigns all over the Internet, having a way to check out the real owner of a domain name is advantageous, as is analyzing how the administrative and technical information of the domain name has changed over time.
    Cybercrime investigators can easily detect changes in names, telephones, addresses, cities, countries, associated emails and assigned name servers; then compare this data with critical variables from the digital crimes they’re investigating.

  • Trademark and service mark monitoring: If you’re running a trademark protection service that includes monitoring, dealing with this specific type of cyber crime will be much easier. Detecting issues in one of your protected brands and having the ability to investigate the involved domains gives you total freedom to stop any kind of abuse—including cybersquatting.

How can I perform a domain owner history lookup?

In the same way that we often perform an IP lookup, domain names also allow any user to perform a WHOIS lookup from web-based interfaces, the terminal or even API services.

While the traditional WHOIS lookup doesn’t let you go back in time to fetch domain ownership historical records, here at SecurityTrails we offer two ways to detect those old WHOIS records easily.

WHOIS history API endpoint

Our Cybersecurity API lets you use several endpoints for infosec research, and one of those is the historical WHOIS endpoint that offers the possibility of fetching historical WHOIS data from any domain name.

To use it, you just need to perform a query from any HTTP-based client. For this example, we’ll use the traditional curl command from the Linux terminal:

curl --request GET \
--url https://api.securitytrails.com/v1/history/linkedin.com/whois \
--header 'apikey: your.api.key'

So, we took linkedin.com, performed a domain ownership history lookup and this was the result:

WHOIS history API endpoint

As you can see, our API testing platform presents the results in a way that lets you click on any of the violet arrows to explore historical domain ownership records in a simple and easy way. If you’re using a terminal, all the data will be displayed by default.

SurfaceBrowser™ WhoWas Smart WHOIS History

With SurfaceBrowser™, one of our top enterprise security tools, it’s super easy to check the domain owner history of any domain name you desire. It’s even easier than using our API, as it doesn’t require any API key configuration.

Just login into our console area, then go to https://securitytrails.com/app/sb to fetch the almighty superpowers of SurfaceBrowser™.

In this case, we clicked on the WHOIS option, and the first thing you’ll notice is a historical WHOIS timeline that lets you jump back and forth between all the WHOIS changes we’ve detected thus far:

WHOIS timeline

You can click on any of those dates to see exactly what information has changed. Our domain ownership history includes:

Domain Registrar Information, where you can fetch registrar name, approx domain age, original register date, last update and expiration date for that time in particular. And the same goes for the WHOIS Registrant data, including: name, organization, street, country, email and telephone.

Domain Registrar Information

Other important historical WHOIS data is contained in Admin and Technical Contacts, which includes name, organization, street, country, email and telephone as well:

Admin and Technical Contacts

If you need to combine this WHOIS historical information with even more domain and IP intelligence data, SurfaceBrowser™ is the correct and complete OSINT toolkit for boosting your infosec research. You’ll get data that includes:

  • Current DNS
  • DNS history
  • Subdomains
  • Reverse DNS
  • Complete IP blocks
  • SSL certificates
  • Associated domains
  • Open ports
  • User-agents per IP
SurfaceBrowser OSINT tool

As you can see, having the ability to fetch the full domain owner history enables companies and individuals to boost their cybersecurity investigations against any malicious domain name.

Fortunately, here at SecurityTrails we have the tools you need to magnify your domain intelligence immediately.

Sign up for a Prototyper API plan to access the WHOIS history endpoint right away. Or, if you prefer a centralized threat intelligence web-based platform, you can also book a SurfaceBrowser™ demo with our sales team, and get ready to perform all your domain ownership historical lookups in seconds!