
SecurityTrails Blog · Feb 18 · SecurityTrails team

WHOIS History: The Importance of WHOIS Records in the Infosec Industry


Domain names are collectively one of the most essential components of the Internet. Without them we wouldn’t be able to send an email, connect to social networks and of course, browse any web pages available on the net.

In the early days, not only was registering a domain name a long and tiring process — it wasn’t even available to everyone. Nowadays anyone can register popular top-level domain names such as yourcompany.com, myproject.net, myblog.org and the like for a small amount of money per year.

Whenever you register a domain name, you have to provide a lot of personal details. These details are called “WHOIS information.”

WHOIS information includes standard details such as your email address, telephone number, address, city and country. It also includes your registration, update, expiration date and name servers.

WHOIS records also include technical and administrative contact information, which often matches the personal contact information provided.

This information is published by all domain registration providers, is accessible over the net by everybody, and is regulated and required by ICANN.

Because domain owners often worry about getting their personal details exposed on the Internet, they use a WHOIS protection service that guards their original personal information and covers it by showing generic data instead.

This is a useful technique to avoid getting spammed. However, many cybercriminals use this same WHOIS protection service to hide their real identity as well. Thankfully, WHOIS history can reveal a lot of things by tracking their digital footsteps.

The value of WHOIS records

Why are WHOIS records useful? What can I do with that information? Let’s learn the answers to these questions and more.

WHOIS records:

  • Provide a direct way to get in touch with domain owners
  • Keep all domains related to certain individuals or organizations, establishing the owner’s identity
  • Help law officers and federal government agencies investigate child pornography, xenophobia, hatred, violence, racial discrimination (as seen when we tracked down the most censored racist website on the Internet) and intolerance-based websites
  • Stop illegal online services such as DDoS stresser services (such as WebStresser.org), online drug delivery, prostitution, etc.
  • Stop trademark infringement websites from using copyrighted material and protected brand names
  • Track down spammers who send illegal bulk emails
  • Protect customers against online frauds, scammers and Ponzi scheme-based businesses
  • Secure trust from future customers and visitors by letting everyone know who’s behind certain websites

What is WHOIS history?

WHOIS history is just that — a historical database of all the personal details, name servers, and registration/update/expiration date information we mentioned earlier.

In the same way that passive DNS offers useful information about historical DNS records, WHOIS history lets you grab the entire domain history for popular TLD-based domain names on the Internet.

Having the WHOIS historical records of any domain name lets you analyze the “before and after” changes to perform security investigations against any given domain name, and can even be useful for detecting certain types of cybersecurity attacks.

WHOIS history’s importance in cybersecurity

Scams, phishing, hacking, warez, DDoS and so many other types of cybercrime are always waiting for the perfect chance to hit your online presence. Whether you’re an individual or a web-based company, network threats exist and it’s only a matter of time before they catch you.

According to several studies, cybercrime will cause around $6 trillion in losses each year by 2021. Your own company could be affected.

Online businesses are always vulnerable to different types of attacks. That’s why knowing how to work with both the current WHOIS records and the WHOIS historical records is an extremely valuable skill within the infosec field.

Infosec professionals can use the power of WHOIS data to avoid future security issues or to conduct cybercrime investigations against domain owners.

DNS, IP and WHOIS tools are possibly the best cybercrime research utilities you can use for researching the digital footprints of any unusual activity.

Trademark and copyright agents also use WHOIS history tools to protect their customers from illegal usage.

Banks and financial companies can also protect their customers thanks to the power of passive DNS and WHOIS history, as we’ve seen in our post Finding Phishing Domains.

Combining WHOIS information with DNS records and IP addresses can yield crucial information about attackers, and even prevent issues from happening to your company.

To recap, WHOIS history can help you:

  • Identify domain owners
  • Correlate domain information with other similar domains
  • Detect WHOIS data changes, including name servers
  • Monitor your brand for illegal usage
  • Investigate domain ownership problems
  • Detect phishing domains

How can I perform a WHOIS history lookup?

There are several ways to fetch WHOIS information for any domain name, but they limit you to seeing the current WHOIS values.

If you want to dive deeper and check the historical WHOIS data of any domain name, your best option is our SurfaceBrowser solution, which allows you to fetch all the information you need.

With its easy-to-understand interface and super friendly timeline, you can browse the entire WHOIS history of any given domain name, as shown in the following screenshot:

[Screenshot: WHOIS history timeline of a domain name in SurfaceBrowser]

SurfaceBrowser also helps you correlate all the possible details associated with any domain name, getting a critical insight about allocated IP addresses, domain information, subdomains, current DNS records, historical DNS, reverse WHOIS, SSL certificates and open ports.

Using the WHOIS History API

Forget about exploring WHOIS records manually—thanks to the WHOIS History API endpoint, automating this type of investigation makes WHOIS record detection really fast. Our engineering team has developed the most advanced and powerful WHOIS API so you can identify information quickly, easily and accurately.

SecurityTrails API access will give you access to relevant historical WHOIS records for the past 10 years.

Want to learn how it works? Check this out:

Using the WHOIS API endpoint is really easy, and it can be integrated with any popular programming language, such as PHP, Python, Go or Node.js.

You can even launch requests using the curl command. See below:

curl --request GET \
--url https://api.securitytrails.com/v1/history/linkedin.com/whois \
--header 'apikey: YOUR.API.KEY'

The output will be something like:

{
  "result":{
    "items":[
      {
        "updatedDate":1486043430714,
        "tld":"com",
        "status":[
          "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
          "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
          "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
          "serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
          "serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
          "serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited"
        ],
        "started":1496321354991,
        "registrarName":"MARKMONITOR INC.",
        "nameServers":[
          "DNS1.P09.NSONE.NET",
          "DNS2.P09.NSONE.NET",
          "DNS3.P09.NSONE.NET",
          "DNS4.P09.NSONE.NET",
          "NS1.P43.DYNECT.NET",
          "NS2.P43.DYNECT.NET",
          "NS3.P43.DYNECT.NET",
          "NS4.P43.DYNECT.NET"
        ],
        "expiresDate":1604325030714,
        "ended":1512131429698,
        "domain":"linkedin.com",
        "createdDate":1036245030714,
        "contactEmail":"hostmaster@linkedin.com",
        "contact":[
          {
            "type":"registrant",
            "telephone":"16506873600",
            "street1":"1000 W. Maude Ave,",
            "state":"CA",
            "postalCode":"94085",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Sunnyvale"
          },
          {
            "type":"administrativeContact",
            "telephone":"16506873600",
            "street1":"1000 W. Maude Ave,",
            "state":"CA",
            "postalCode":"94085",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Sunnyvale"
          },
          {
            "type":"administrativeContact",
            "telephone":"16506873600",
            "street1":"1000 W. Maude Ave,",
            "state":"CA",
            "postalCode":"94085",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Sunnyvale"
          },
          {
            "type":"technicalContact",
            "telephone":"16506873600",
            "street1":"1000 W. Maude Ave,",
            "state":"CA",
            "postalCode":"94085",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Sunnyvale"
          }
        ]
      },
      {
        "updatedDate":1390953000895,
        "tld":"com",
        "status":[
          "clientDeleteProhibited",
          "clientTransferProhibited",
          "clientUpdateProhibited",
          "serverDeleteProhibited",
          "serverTransferProhibited",
          "serverUpdateProhibited"
        ],
        "started":1398986973772,
        "registrarName":"MARKMONITOR INC.",
        "nameServers":[
          "NS1.LINKEDIN.COM",
          "NS1.P43.DYNECT.NET",
          "NS2.LINKEDIN.COM",
          "NS2.P43.DYNECT.NET",
          "NS3.LINKEDIN.COM",
          "NS3.P43.DYNECT.NET",
          "NS4.LINKEDIN.COM",
          "NS4.P43.DYNECT.NET"
        ],
        "expiresDate":1604361000895,
        "ended":1488372117378,
        "domain":"linkedin.com",
        "createdDate":1036281000895,
        "contactEmail":"hostmaster@linkedin.com",
        "contact":[
          {
            "type":"registrant",
            "telephone":"16506873600",
            "street1":"2029 Stierlin Court,",
            "state":"CA",
            "postalCode":"94043",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Mountain View"
          },
          {
            "type":"administrativeContact",
            "telephone":"16506873600",
            "street1":"2029 Stierlin Court,",
            "state":"CA",
            "postalCode":"94043",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Mountain View"
          },
          {
            "type":"administrativeContact",
            "telephone":"16506873600",
            "street1":"2029 Stierlin Court,",
            "state":"CA",
            "postalCode":"94043",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Mountain View"
          },
          {
            "type":"technicalContact",
            "telephone":"16506873600",
            "street1":"2029 Stierlin Court,",
            "state":"CA",
            "postalCode":"94043",
            "organization":"LinkedIn Corporation",
            "name":"Host Master",
            "fax":"16506870505",
            "email":"hostmaster@linkedin.com",
            "country":"UNITED STATES",
            "city":"Mountain View"
          }
        ]
      }
    ]
  }
}

Fetching current and historical WHOIS information using our API is the best and fastest way to enhance your domain security and an excellent tool to integrate with our DNS toolkit to prevent general security issues in your company.
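The recap above lists "detect WHOIS data changes, including name servers" and "identify domain owners" as the main uses of WHOIS history, and the API output above shows the record shape those checks would run on. The following Python script is an added example, not SecurityTrails code: it sorts historical records by their "started" timestamp, diffs consecutive records for registrar, registrant and name-server changes, and flags records whose registrant looks like a WHOIS protection service. The response shape (result → items → records with epoch-millisecond timestamps, registrarName, nameServers, contactEmail and a contact list) is taken from the JSON above; the sample response embedded in the script is constructed, the fetch helper reuses the endpoint URL and apikey header from the curl example, and the privacy-service keyword list is an assumption.

```python
"""Diff historical WHOIS records to surface ownership and name-server changes.

Added example (not SecurityTrails code). It assumes the response shape shown
in the blog post: {"result": {"items": [record, ...]}} where each record
carries an epoch-millisecond "started" timestamp, "registrarName",
"nameServers", "contactEmail" and a "contact" list with a "type" per entry.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Endpoint and header name as used in the curl example from the post.
API_URL = "https://api.securitytrails.com/v1/history/{domain}/whois"

# Assumed keywords; privacy/proxy registrants usually advertise themselves this way.
REDACTION_HINTS = ("privacy", "redacted", "proxy", "protect")


def fetch_whois_history(domain, api_key):
    """Fetch the WHOIS history JSON for a domain (network call, not used in tests)."""
    req = urllib.request.Request(API_URL.format(domain=domain), headers={"apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def ms_to_iso(ms):
    """Convert an epoch-millisecond timestamp (as in the API output) to a UTC date."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d")


def registrant(record):
    """Return the registrant contact of a record, or an empty dict if absent."""
    for contact in record.get("contact", []):
        if contact.get("type") == "registrant":
            return contact
    return {}


def summarize(record):
    """Reduce a record to the fields worth comparing between snapshots."""
    reg = registrant(record)
    return {
        "registrar": record.get("registrarName"),
        "nameServers": frozenset(ns.lower() for ns in record.get("nameServers", [])),
        "contactEmail": record.get("contactEmail"),
        "organization": reg.get("organization"),
        "country": reg.get("country"),
    }


def looks_redacted(record):
    """True when the registrant name or organization hints at a WHOIS protection service."""
    reg = registrant(record)
    text = " ".join(str(reg.get(k, "")) for k in ("organization", "name")).lower()
    return any(hint in text for hint in REDACTION_HINTS)


def diff_history(response):
    """Return a list of changes between consecutive records, oldest to newest."""
    items = sorted(response["result"]["items"], key=lambda r: r["started"])
    changes = []
    for older, newer in zip(items, items[1:]):
        a, b = summarize(older), summarize(newer)
        delta = {}
        for field in ("registrar", "contactEmail", "organization", "country"):
            if a[field] != b[field]:
                delta[field] = (a[field], b[field])
        added, removed = b["nameServers"] - a["nameServers"], a["nameServers"] - b["nameServers"]
        if added or removed:
            delta["nameServers"] = {"added": sorted(added), "removed": sorted(removed)}
        if delta:
            changes.append({"from": ms_to_iso(older["started"]),
                            "to": ms_to_iso(newer["started"]), "changes": delta})
    return changes


# Constructed sample response, newest record first like the real API output.
SAMPLE_RESPONSE = {"result": {"items": [
    {"started": 1546300800000, "domain": "example.com", "registrarName": "REGISTRAR B LLC",
     "nameServers": ["NS1.CLOUD-DNS.EXAMPLE", "NS2.CLOUD-DNS.EXAMPLE"],
     "contactEmail": "contact@privacy-proxy.example",
     "contact": [{"type": "registrant", "organization": "Privacy Protect Service",
                  "name": "Redacted for Privacy", "country": "PANAMA"}]},
    {"started": 1420070400000, "domain": "example.com", "registrarName": "REGISTRAR A INC.",
     "nameServers": ["NS1.CLOUD-DNS.EXAMPLE", "NS2.CLOUD-DNS.EXAMPLE"],
     "contactEmail": "hostmaster@example.com",
     "contact": [{"type": "registrant", "organization": "Example Corp",
                  "name": "Host Master", "country": "UNITED STATES"}]},
    {"started": 1262304000000, "domain": "example.com", "registrarName": "REGISTRAR A INC.",
     "nameServers": ["NS1.EXAMPLE.COM", "NS2.EXAMPLE.COM"],
     "contactEmail": "hostmaster@example.com",
     "contact": [{"type": "registrant", "organization": "Example Corp",
                  "name": "Host Master", "country": "UNITED STATES"}]},
]}}


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_whois_history("example.com", "YOUR.API.KEY") for live data.
    for change in diff_history(SAMPLE_RESPONSE):
        print(json.dumps(change, indent=2))
    newest = max(SAMPLE_RESPONSE["result"]["items"], key=lambda r: r["started"])
    print("newest record uses a privacy service:", looks_redacted(newest))
```

Run against the constructed sample, the script reports a name-server move in 2015 and a registrar, contact and country change in 2019, the kind of "before and after" the post describes; the second change also trips the redaction heuristic, which is the point where an investigator would pull the earlier, unredacted snapshot rather than stop at the current record.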

Conclusion

Researching WHOIS records is one of the most effective ways to fetch information about domain name owners.

Before WHOIS history existed, searching and extracting information from WHOIS records could literally take days or even weeks of work.

Now, thanks to our amazing WHOIS history database, you can track down any domain name changes, not only to its DNS records but also to its personal information, update and expiration dates, and name servers.


Grab an API account today—and access our full WHOIS database with more than 3 billion historical WHOIS records!