Archive for the ‘Whois’ Category

The Monday Media Wrap Up

January 25th, 2016

Articles from January 16-22

Dive into this past week’s security news:

4 essentials to creating a world-class threat intelligence program
Michael Kassner | TechRepublic | Jan. 22, 2016
Businesses, large and small, are changing tactics when it comes to information security. Rather than spend hard-earned cash attempting to cover every base defensively, company officials are developing information security postures based on the outcome of risk assessments. The purpose of risk assessment, according to the 2012 Guide for Conducting Risk Assessments, is to inform decision makers and support their responses by identifying relevant threats to organizations, vulnerabilities both internal and external, likelihood that harm will occur, and impact to organizations resulting from a successful attack. Any successful threat intelligence program requires an operational and strategic component, involving expert analysis of how current and future threats will affect the business and its assets.

Got threat intelligence data? The value will vary
Fahmida Rashid | InfoWorld | Jan. 21, 2016
Former analyst Rick Holland speaks with Fahmida Rashid about the future of threat intelligence and his new role at threat intel provider Digital Shadows. Organizations are critical of threat intelligence because they don’t see how the indicators they receive are relevant to their organizations. The feeds contain details that aren’t for their geographic location, don’t match their industry, and don’t fit their threat models. They are “more indicators of exhaustion that overwhelm users,” Holland said. “The first piece of threat intelligence is getting the funnel to give better data, to enrich what you are getting,” Holland said. The second is figuring out how to use the information being provided — which is where APIs come in.

Deloitte 2016 Trends Study Finds Analytics Essential for IT Success
Chris Preimesberger | eWEEK | Jan. 22, 2016
eWEEK editor Chris Preimesberger reports on the third annual Deloitte Trends Study, which identifies several trends. The first trend involves security: Enterprises are no longer satisfied with simply “locking the doors” where cyber-security is concerned and are instead going on the offensive by employing more predictive approaches to threat intelligence and monitoring. This, along with other trends detailed in the 2016 report, is driving significant changes in the types of investments the C-suite is making to support business priorities.

FireEye to grow intelligence capabilities with iSight Partners deal
Jeremy Kirk | CSO | Jan. 21, 2016
FireEye has acquired Texas-based iSight Partners for $200 million, a deal that executives say will give FireEye stronger intelligence on cybercriminal and hacking groups before they strike. Intelligence capabilities made iSight attractive, said Travis Reese, president of FireEye’s Mandiant subsidiary. While FireEye and Mandiant study how attacks affect victims, iSight collects intelligence about the attackers.


Not the Boots I Was Looking For

December 22nd, 2015

Guest Blogger Shawnda Potvin (a DomainTools Account Specialist) shares a personal experience with Iris

I was recently on a mission to treat myself to a pair of boots. I went to a website which I thought was an authentic UGG® boots website, as both websites were identical. After I purchased the UGG boots and received a confirmation email, I realized the boots were shipped from outside of the U.S. with an expected delivery of 10-15 days (which was a little disconcerting). The boots were advertised at $75 with an additional shipping cost of $15 (for a grand total of $90). Although this price seemed very low, I was not overly troubled as it seemed consistent with a Black Friday deal. My shopping experience took a negative turn when I checked the balance on my card and noticed a charge from Singapore in the amount of $103, which did not reflect the advertised price.

A month later I received the boots, which looked nothing like the ones I ordered and were cheaply made. There were now too many red flags to ignore, so I made contact with a UGG representative through the official website to see if was a distributor of theirs, which they were not. They took note of my experience and forwarded the information to their fraud department. To protect my own credit, I was also sure to cancel my credit card.

Being the curious person that I am, I went to work the next day and started researching this Wild Ox Promotions. I used a product that DomainTools offers, called Iris, which is intuitive and can access a wealth of domain and DNS information. I was able to put into the search box, which then brought up two other emails associated with this domain. I then used the Whois History tool to see where this domain was registered to see if it matched the address on my billing statement. Iris allowed me to see inaccurate information in their Whois record. As an example, the registrar identified their state as the United States (which, last time I checked, is a country). They registered their origin country as AR, which is the country code for Argentina. These two examples gave me enough information to reach out to ICANN and report this particular Whois record. Finally, I continued my investigation by expanding my search to the registrant's IPs. I was able to locate 8 other domains hosted on that IP address, providing me with even more context and the ability to monitor these data points moving forward (see the domains below):


It’s hard to believe the lengths that people go through to replicate a company’s website and deliver counterfeit products. The bottom line is that you do not have to be a cybersecurity expert to use DomainTools’ Iris Platform. With minimal time and effort, I was able to search for a single domain and locate several other domains associated with a single IP address. I was then able to pinpoint eight other websites selling counterfeit products.

Note: Since I did this research, some of these websites have been removed. And I’m apparently not the only one who has fallen victim to this UGG boots scam. An article in the UK publication This is Money describes a similar set of circumstances.



Hacktoberfest 2015

October 21st, 2015

Hack Days has become a quarterly tradition here at DomainTools, and although the “hack days” concept is now considered as cliche as owning a ping pong table and kegerator in the tech industry (check and check), there are a few things that make our own take unique. For example, rather than solely empowering our technical teams to participate, we also encourage cross-functional collaboration. These multi-faceted projects enable both sides of the house to innovate. As a result, many hack days projects evolve into DomainTools products and in-house improvements.

To sweeten the pot, our CTO Bruce always comes up with a few quick project categories that we vote on as hack days comes to a close. Now, as serious as we are about stopping cybercrime, we also enjoy the goofier things in life. Below are the category winning projects. A big thank you to all our team members who participated in hack days; we are already looking forward to our Q4 projects!

Testament to Your Leadership Award: “Nomad” Mobile App – Kirk Leon Guerrero and Ray Henriksen

Engineers Kirk and Ray were interested in finding ways to grab DNS data on hard to reach domains (not included in public root zone files). Their solution was to pair Google’s Places API with our own Whois database for a powerful (and fun) mobile app. The app itself uses an algorithm that finds local businesses listed on Google’s Places and generates domain name guesses by deleting unusual characters (like dashes) from the business name and then appending the TLD (.com, .de, .bike, etc). The app compares the resulting domains with our Whois database to quickly capture the creation of new domains. This project won the “testament to your leadership award” because it was bold, challenging, and labor-intensive but not entirely without flaws.
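The guessing step described above (normalize a business name, append a list of TLDs, compare against a Whois database, and flag newly registered matches) can be sketched in a few functions. This is an added illustration, not the Nomad app's code: the business names, the stand-in Whois database and the TLD list are all constructed, and the function names are hypothetical. It goes one step beyond the paragraph by also folding accented characters to ASCII, since a Places listing may contain them.

```python
import re
import unicodedata

# Constructed sample input: business names as a Places-style listing might return them.
SAMPLE_BUSINESSES = ["Joe's Coffee-Bar", "Café Müller", "Pike Place Bikes"]
# Constructed stand-in for a Whois database snapshot (hypothetical; not DomainTools data).
SAMPLE_WHOIS_DB = {"joescoffeebar.com", "cafemuller.de", "pikeplacebikes.bike", "example.com"}
SAMPLE_TLDS = ["com", "de", "bike"]


def normalize_label(name: str) -> str:
    """Fold a business name into a DNS-label-friendly form: strip accents,
    lowercase, and delete every character that is not a letter or digit
    (dashes, apostrophes, spaces)."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def candidate_domains(names, tlds):
    """Generate <label>.<tld> guesses for every name and every TLD."""
    out = set()
    for name in names:
        label = normalize_label(name)
        if not label:  # a name made only of symbols yields no usable label
            continue
        for tld in tlds:
            out.add(f"{label}.{tld}")
    return out


def match_registered(candidates, whois_db):
    """Guesses that actually exist in the Whois database, sorted for stable output."""
    return sorted(c for c in candidates if c in whois_db)


def newly_registered(previous_snapshot, current_snapshot, candidates):
    """Guesses present in the current Whois snapshot but absent from the previous
    one, i.e. creations worth monitoring (e.g. for brand protection)."""
    return sorted(c for c in candidates
                  if c in current_snapshot and c not in previous_snapshot)


if __name__ == "__main__":
    guesses = candidate_domains(SAMPLE_BUSINESSES, SAMPLE_TLDS)
    print("registered guesses:", match_registered(guesses, SAMPLE_WHOIS_DB))
    print("new since last snapshot:",
          newly_registered({"example.com", "joescoffeebar.com"}, SAMPLE_WHOIS_DB, guesses))
```

The normalization is deliberately lossy: many distinct business names collapse to the same label, so a match only says the guessed domain exists, not that the business owns it; that still has to be confirmed from the Whois record.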


Illustration: Joaquim Marques Nielsen

Best Newbie Hack: DNS Video Game Explainer – Josh Hou and Spencer Carstens

Explaining DNS can be a daunting and sometimes impossible task depending on your audience. Front-end developers Josh and Spencer took a stab at making DNS education fun and memorable with their DNS-themed video game. The game’s hero (let’s call him Bob) is on a tireless quest to resolve domain names, seeking help from upstream counterparts in his efforts to get reliable answers. Will Irene know the answer or will Bob have to go all the way to the Root? Every game comes out differently!

Best in Show: Office Morale Booster – Greg Haas

As Greg is our expert in the sometimes-dry field of accounting, we give him a lot of credit for his creative pranks and culinary experiments (curried tuna with bacon and guacamole, anyone?). This quarter, Greg decided to present a subject that would have a noticeable and direct impact on office morale, and be a great complement to our kegerator and ping-pong table. Naturally, it is a fro-yo machine. Greg walked through a variety of financing options ranging from resource-reallocation to an employee funded option to make this dream a reality. (The real joke here is that our morale is already fantastic…not that anyone would object to a fro-yo machine, mind you.) Please feel free to reach out if you are interested in sharing this clever and refreshing presentation at your own office.


Google Hates ICANN’s Attempt to Eliminate Whois Privacy, Calling it “Impractical & Ineffective”

July 7th, 2015
Google filed its comment on the Whois privacy issue with ICANN today. Google seems to hate the proposal of the ICANN working group to prohibit commercial domain registrants from using proxy or privacy services, calling it unfair to small businesses and individuals. Google even cites its own Charleston Road Registry as an example of how […]

Profiling malicious domains in The DomainTools Report

May 5th, 2015

At the 2015 RSA Conference in San Francisco, we released the first edition of The DomainTools Report: A Profile of Malicious Domains.

In this report, we investigate the attributes of malicious domains connected to malware, spam, phishing, and botnets. Using an aggregation of blacklists and DomainTools’ data, we compared the bad actors’ preferences for TLDs, email domains, privacy providers, and hosting locations. We identified some key trends that should help to profile cybercriminal behavior.

Why did we create this report?

Much of the malicious activity on the Internet is classified and tracked in domain blacklists and reputation scores. But these do little to profile and predict cybercrime to proactively protect against domains that have yet to exhibit illicit behavior. Malicious actors often behave in a predictable manner, and the more thoroughly we profile that behavior, the better we can defend against them. With that purpose in mind, we analyzed domains from several popular blacklists. This report uses DomainTools’ leading Whois and DNS data to define attributes of those malicious domains and begin to create a profile of locations and privacy preferences of cybercriminals.

What did we learn?

Our comprehensive coverage of Whois records enables us to take a broad look at registration attributes of all domains. Overlaying the domain data with data on malicious activity gave us quantitative insights into where the malicious and innocuous domains “live,” logically as well as geographically.

For example, one of the attributes we analyzed was the email domain used to register domains. In particular, we compared free email domains such as,, and their variants and international counterparts. The results were very interesting and both expected and unexpected. was used for the most domain registrations, malicious or not. But based on percentage, some Japanese free email providers were the most malicious, primarily due to a large quantity of spam originating from those domains.
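The overlay described in this section (join each domain's registration attributes with a blacklist, then count per attribute value) and the distinction it draws between the provider used for the most registrations and the provider with the highest malicious percentage can be reproduced on a handful of records. This is an added example, not the report's own analysis code: the domain records, email domains and blacklist below are constructed, and the `min_total` cutoff is an assumption added so that an attribute value seen only once or twice cannot top the percentage ranking on a tiny sample.

```python
from collections import Counter

# Constructed sample records: (domain, registrant email domain, TLD).
SAMPLE_DOMAINS = [
    ("alpha.com", "freemail-a.example", "com"),
    ("beta.com", "freemail-a.example", "com"),
    ("gamma.net", "freemail-a.example", "net"),
    ("delta.org", "freemail-a.example", "org"),
    ("epsilon.com", "freemail-b.example", "com"),
    ("zeta.net", "freemail-b.example", "net"),
    ("eta.com", "corp.example", "com"),
]
# Constructed stand-in for an aggregated blacklist.
SAMPLE_BLACKLIST = {"beta.com", "epsilon.com", "zeta.net"}

EMAIL_DOMAIN = 1  # column index of the registrant email domain
TLD = 2           # column index of the TLD


def attribute_profile(records, blacklist, key_index):
    """For one attribute column, return {value: (total, malicious, malicious_share)}.
    The share is the fraction of domains with that value that appear on the blacklist."""
    totals = Counter()
    bad = Counter()
    for rec in records:
        value = rec[key_index]
        totals[value] += 1
        if rec[0] in blacklist:
            bad[value] += 1
    return {v: (totals[v], bad[v], bad[v] / totals[v]) for v in totals}


def rank_by_volume(profile):
    """Attribute values ordered by how many domains use them (malicious or not)."""
    return sorted(profile.items(), key=lambda kv: kv[1][0], reverse=True)


def rank_by_share(profile, min_total=2):
    """Attribute values ordered by malicious percentage, ignoring values with too
    few domains for the percentage to mean anything (assumed cutoff)."""
    eligible = [(v, stats) for v, stats in profile.items() if stats[0] >= min_total]
    return sorted(eligible, key=lambda kv: kv[1][2], reverse=True)


if __name__ == "__main__":
    by_email = attribute_profile(SAMPLE_DOMAINS, SAMPLE_BLACKLIST, EMAIL_DOMAIN)
    print("most registrations:", rank_by_volume(by_email)[0])
    print("highest malicious share:", rank_by_share(by_email)[0])
    for tld, stats in rank_by_share(attribute_profile(SAMPLE_DOMAINS, SAMPLE_BLACKLIST, TLD)):
        print(tld, stats)
```

On the constructed data the provider with the most registrations has a 25% malicious share while a smaller provider scores 100%, which is the shape of the finding above; a real run needs the base-rate cutoff because a blacklist hit rate computed over a few domains is noise, not a profile.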

For more information and analysis, download a copy of the full report.

We will also be planning a live webinar later this quarter to discuss the report, and to answer your questions about the data and results. In the meantime, if you have any questions, please email us at



Beyond Whois, Part 3: Two Faces of Lucy

September 3rd, 2014

In the first two installments of this series (Beyond Whois: The Domain Profile and Beyond Whois: IP Addresses Tell Many Tales), we looked at how there are a lot of datapoints in the DomainTools database that go beyond Whois and DNS records to help you find elusive answers to domain ownership and the connections among domains. In this entry, we’ll see how historical information can assist your investigations, too.

Lucy 1: The Missing Link

You’re probably familiar with AL 288-1. Or, more likely, you know this Australopithecus celebrity by the whimsical name “Lucy.” (I’m taking some metaphorical license here, because paleontologically speaking, Australopithecus is not technically considered the “missing link.”) This Lucy represents the way historical artifacts shed light on chains of connection; sometimes a “digital fossil” is the missing link that can advance an investigation.

Many attack attribution or website fraud investigations call for you to look back in time, and if you’ve explored our offerings, you’ll be aware that Whois History is just one of the ways you can do your time-traveling explorations. Hosting History provides insight into how the domain has evolved over time, based on a combination of canonical Whois datapoints (name server and registrar) and our IP address data. Screenshot History can do the same.

Earlier, we saw how Reverse IP can show connections between domains that otherwise don’t look connected–especially if the IP in question has a small number of domains on it. Even if the present hosting doesn’t show such connections, though, comparing the Hosting History entries for domains where you suspect a possible connection could help confirm or refute your hypothesis. A shared–and “small”–IP address could be your missing link.

One usage of Screenshot History that we particularly like for attribution work is to look at the threshold of when a domain went into privacy protection. If the “before” screenshots–those taken before domain privacy went into effect–closely match the “after” screenshots, then this raises confidence that the visible owner of the domain before privacy is the same individual or organization behind it after privacy was enabled.
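The Hosting History comparison suggested above (two domains that no longer share hosting, but once sat on the same "small" IP at the same time) is mechanical enough to script. The following is an added example rather than DomainTools code: the hosting history records, the reverse-IP counts per address, the reference date and the `SMALL_IP_MAX` threshold are all constructed, and the function names are hypothetical.

```python
from datetime import date

# Constructed hosting history: one row per (domain, IP) tenure; end=None means current.
SAMPLE_HOSTING_HISTORY = [
    {"domain": "shop-a.example", "ip": "203.0.113.10", "start": date(2013, 1, 1),  "end": date(2013, 9, 30)},
    {"domain": "shop-a.example", "ip": "198.51.100.7", "start": date(2013, 10, 1), "end": None},
    {"domain": "shop-b.example", "ip": "203.0.113.10", "start": date(2013, 6, 15), "end": date(2014, 2, 1)},
    {"domain": "shop-b.example", "ip": "192.0.2.200",  "start": date(2014, 2, 2),  "end": None},
    {"domain": "shop-c.example", "ip": "198.51.100.7", "start": date(2013, 11, 1), "end": date(2013, 12, 31)},
    {"domain": "shop-c.example", "ip": "192.0.2.200",  "start": date(2012, 1, 1),  "end": None},
]
# Constructed reverse-IP counts: how many domains each address hosts.
SAMPLE_REVERSE_IP_COUNTS = {"203.0.113.10": 6, "198.51.100.7": 12000, "192.0.2.200": 3}
TODAY = date(2014, 9, 3)   # constructed reference date for open-ended tenures
SMALL_IP_MAX = 50          # assumed cutoff for a "small" IP address


def _window(rec, today):
    """Tenure as a closed interval; an open-ended tenure runs to the reference date."""
    return rec["start"], (rec["end"] or today)


def shared_hosting_windows(history, a, b, today=TODAY):
    """All (ip, overlap_start, overlap_end) periods during which domains a and b
    were hosted on the same IP address at the same time."""
    by_domain = {}
    for rec in history:
        by_domain.setdefault(rec["domain"], []).append(rec)
    found = []
    for ra in by_domain.get(a, []):
        for rb in by_domain.get(b, []):
            if ra["ip"] != rb["ip"]:
                continue
            s1, e1 = _window(ra, today)
            s2, e2 = _window(rb, today)
            start, end = max(s1, s2), min(e1, e2)
            if start <= end:  # the two tenures actually overlap
                found.append((ra["ip"], start, end))
    return found


def missing_links(history, reverse_ip_counts, a, b, today=TODAY, small_ip_max=SMALL_IP_MAX):
    """Shared windows restricted to small IPs, where co-hosting is a meaningful signal.
    Dates are returned as ISO strings for easy reporting."""
    links = []
    for ip, start, end in shared_hosting_windows(history, a, b, today):
        hosted = reverse_ip_counts.get(ip)
        if hosted is not None and hosted <= small_ip_max:
            links.append((ip, start.isoformat(), end.isoformat(), hosted))
    return links


if __name__ == "__main__":
    for pair in [("shop-a.example", "shop-b.example"), ("shop-b.example", "shop-c.example"),
                 ("shop-a.example", "shop-c.example")]:
        print(pair, missing_links(SAMPLE_HOSTING_HISTORY, SAMPLE_REVERSE_IP_COUNTS, *pair))
```

In the constructed data shop-a and shop-c did share an address for two months, but it hosts 12,000 domains, so `missing_links` drops it; the overlap on the six-domain address is the one worth chasing. The threshold is a judgment call, as the Reverse IP discussion in Part 2 notes, and a shared small IP confirms a hypothesis only together with the Whois and screenshot evidence.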


Lucy 2: Using only 10% of our brains?

The 2014 sci-fi hit Lucy trades heavily on the old canard that “we only use 10% of our brains” (which is actually discredited by most neuroscientists, but nonetheless is a common assumption). By using only Whois/DNS data to conduct a digital forensics investigation, you’re missing out on a wealth of other information that can be crucial to finding important answers. If you’re not already using the information we’ve covered in this series, carve out some time to get familiar with the various “beyond Whois” tools. They might just solve some thorny puzzles.

Happy exploring!



What’s better than the world’s best Whois data? The world’s best PARSED Whois data!

August 20th, 2014

DomainTools works tirelessly to build the world’s best database of Whois records, with coverage spanning all of the ccTLDs and each new gTLD as it comes online—not to mention the “big six” TLDs: com, net, org, biz, info, and us. We believe we have reason to claim that our coverage is unparalleled. But now we have taken it, as they say, to the next level: we have developed the world’s best Whois parsing engine.

Since parsed Whois has existed for a while, we knew we had to clear a high bar in order to claim market leadership. We believe we have and encourage you to try it and let us know what you think.


  • Covers more domains than anyone else—270M+ including ccTLDs and new gTLDs
  • Parses over 95% of Whois record formats—industry’s highest
  • Is highly reliable thanks to state-of-the-art DomainTools data centers
  • Normalizes fields that vary in format such as dates and phone numbers
  • Priced competitively

The API:
The Parsed Whois API is optimized to allow quick retrieval of a Whois record, with each data field parsed out separately for easy integration into your systems and applications. This is ideal for anyone wishing to search for, index, or cross-reference data from one or multiple Whois records without having to build their own text parser. It opens up nearly limitless possibilities for domain-based research, investigations, and analysis.

Why this is important
In short, because the data is delivered in a structured, context-relevant format, which enables faster and more efficient analysis. People seek Whois data because they are interested in learning about individual domains, groups of domains, the people behind domains or connections between domains. Many kinds of domain-related investigations, such as threat intelligence, incident response or online fraud investigations, depend on this information.

If you are using Whois data for security investigations or incident response, you already know that you can’t afford stale, inaccurate or missing data. While we have long been the leader in Whois data with the best coverage and frequency, we can now make the (somewhat immodest, but indulge us!) claim of the world’s best Whois parsing engine, with the highest level of accuracy and data normalization. That’s how the best just got even better. Visit the Parsed Whois API page to learn more.
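To show what "each data field parsed out separately" and "normalizes fields that vary in format such as dates and phone numbers" mean in practice, here is a minimal parser for the common `Key: Value` Whois layout. It is an added example and not the Parsed Whois API or its engine: the raw record is constructed (`example.com` with fictional name servers and 555-prefixed phone numbers), it handles only a few of the many date layouts registries use, and the output key names and phone rule (keep a leading `+`, otherwise digits only) are assumptions.

```python
import re
from datetime import datetime

# Constructed raw Whois text mixing several date and phone layouts on purpose.
SAMPLE_RAW_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Updated Date: 14-aug-2013
Registry Expiry Date: 2015/08/13
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone: +1.2065550100
Admin Phone: (206) 555-0101
Name Server: ns1.example.net
Name Server: ns2.example.net
"""

# Date layouts this example understands (a real engine handles far more).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%d-%b-%Y", "%Y/%m/%d", "%Y-%m-%d")


def normalize_date(text):
    """Render any recognised date layout as ISO 8601 UTC; None if unrecognised."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).strftime("%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
    return None


def normalize_phone(text):
    """Reduce a phone field to digits, keeping a leading '+' when the record had one
    (so the ICANN-style '+1.2065550100' becomes '+12065550100')."""
    digits = re.sub(r"\D", "", text)
    return "+" + digits if text.strip().startswith("+") else digits


def parse_whois(raw):
    """Split 'Key: Value' lines into a dict; repeated keys become lists, keys are
    lower_snake_case, and date/phone values are normalised."""
    fields = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # comments, blank lines and notices carry no field
        key, _, value = line.partition(":")
        key = re.sub(r"\s+", "_", key.strip().lower())
        value = value.strip()
        if not value:
            continue
        if key.endswith("date"):
            value = normalize_date(value) or value  # keep raw text rather than lose it
        elif key.endswith("phone"):
            value = normalize_phone(value)
        if key in fields:
            existing = fields[key]
            fields[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            fields[key] = value
    return fields


if __name__ == "__main__":
    for k, v in parse_whois(SAMPLE_RAW_WHOIS).items():
        print(f"{k}: {v}")
```

The unrecognised-date fallback matters: a parser that silently drops a date it cannot read produces exactly the "missing data" an investigation cannot afford, so the raw value is kept and can be flagged downstream.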

Happy exploring!


Beyond Whois, Part 2: IP Addresses Tell Many Tales

August 4th, 2014

In Part 1 of our Beyond Whois blog, we introduced the concept of the Domain Profile, the set of datapoints that DomainTools returns in a Whois lookup. The Domain Profile gives a wealth of information that is not contained in the actual Whois record for a domain, so using DomainTools gives you an investigative starting point with many more potential leads than a basic Whois lookup. In this installment, we’ll look at how the “beyond Whois” datapoints can assist your investigations.

First, to set context, we’ll define some terms which come up frequently in cybercrime investigations (and, with sometimes different terminology, in other kinds of investigations):

  • Attribution: in the simplest terms, attribution is the process of naming the initiator of an activity, especially in cases where the person or organization being investigated does not want to be identified. A common example is finding the owner of a malicious domain.
  • Enumeration (also called Forensic Domain Mapping): discovering the extent of a given individual or organization’s holdings.

Many different investigations boil down to one or both of these, and sometimes one serves the other. For example, by enumerating the holdings of a digital John Doe, one of the associated domains may have details leading to attribution that weren’t present in the original investigation.

Imagine that you want to learn who owns a domain that uses Whois privacy to mask the owner’s identity. If the website itself doesn’t appear to help either (i.e. there’s no “About Us” page with the info you’re seeking), you can dig in to the Domain Profile to propel your research forward. Per Part I of this blog series, start with the Whois record and Whois History to see if you can find attribution information directly. If not—and if they are worth their salt, you won’t—then a good next step is with the IP address.

By itself, an IP address doesn’t tell you much, but that’s where Domain Profile helps you:

  • You can see how many sites are hosted on this IP address via Reverse IP. Why does this matter? If the IP address has many domains (thousands, even tens of thousands), then this may not be your most productive path to follow. But what if it hosts only a handful of sites? This increases the odds that there’s some kind of connection among those sites, because a large hosting provider would be unlikely to allocate an address to only a random handful of domains. Take a look at the other sites on the IP address. Do they have some characteristic that may link them to the original target domain? If so, look at the Whois records from these co-hosted domains. Perhaps one of them contains the gold nugget you are seeking: the actual identity of your digital John Doe!
  • You can also see where the IP address is located. If a site that purports to sell Seattle Seahawks official merchandise, for example, is hosted in Uzbekistan, yet represents itself to be “direct from Seattle,” this can help characterize the domain. If you have a few domains that you think might be connected, look for a related pattern like this one, where the locus of business and the locus of hosting don’t make any rational sense. (Do be aware, however, that IP location OFTEN doesn’t match physical location, and in many or even most cases, this is normal and innocuous. Your own intuition and judgment will be helpful in this regard. A Seahawks merch vendor with an IP address in Virginia is not nearly as suspicious from an investigative standpoint as one in Uzbekistan.)
  • You can see who owns the IP address by doing an IP Whois lookup. This will tell you whether the address is owned by a reputable, big hosting provider or ISP, or a smaller one. So-called “bulletproof hosting” sites are of particular interest to cybercrime investigators, because these hosters aim to shield their customers from prosecution, law enforcement takedown activities, sinkholing, and other measures taken by crime fighters, and to circumvent legal restrictions on what materials can be uploaded/hosted. Bulletproof hosting has been home to many of the world’s largest spammers and phishers.
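The three pivots just listed (how many sites share the IP, where the IP is located, and whether co-hosted domains reveal a registrant the privacy-protected target hides) combine into one triage step. The code below is an added example, not a DomainTools tool: the reverse-IP listing, the Whois records, the IP geolocation data, the claimed country and the "small IP" cutoff of 20 domains are all constructed or assumed, and a location mismatch is reported as one signal among several, since, as the text says, IP location often legitimately differs from physical location.

```python
from collections import Counter

# Constructed reverse-IP listing: every domain observed on the address.
SAMPLE_REVERSE_IP = {
    "203.0.113.10": ["target.example", "shop-x.example", "shop-y.example", "blog-z.example"],
}
# Constructed Whois summaries for those domains.
SAMPLE_WHOIS = {
    "target.example": {"registrant_email": "privacy@proxy.example", "privacy": True},
    "shop-x.example": {"registrant_email": "john.doe@freemail.example", "privacy": False},
    "shop-y.example": {"registrant_email": "john.doe@freemail.example", "privacy": False},
    "blog-z.example": {"registrant_email": "someone@else.example", "privacy": False},
}
# Constructed IP Whois / geolocation data.
SAMPLE_IP_INFO = {"203.0.113.10": {"country": "UZ", "org": "Tiny Hosting LLC"}}
SMALL_IP_MAX = 20  # assumed cutoff for a "small" IP address


def classify_ip_size(domain_count):
    """Dedicated (one domain), small (a handful), or shared (large hosting)."""
    if domain_count <= 1:
        return "dedicated"
    return "small" if domain_count <= SMALL_IP_MAX else "shared"


def shared_registrants(target, ip, reverse_ip, whois):
    """Registrant emails that recur across the non-privacy co-hosted domains,
    most frequent first; a recurring email is a lead, not an attribution."""
    emails = Counter()
    for domain in reverse_ip.get(ip, []):
        rec = whois.get(domain)
        if domain == target or rec is None or rec["privacy"]:
            continue
        emails[rec["registrant_email"]] += 1
    return [(email, n) for email, n in emails.most_common() if n >= 2]


def location_mismatch(ip, claimed_country, ip_info):
    """True when the hosting country differs from where the site claims to be."""
    info = ip_info.get(ip)
    return info is not None and info["country"] != claimed_country


def pivot_on_ip(target, ip, claimed_country, reverse_ip, whois, ip_info):
    """One triage record summarising the three pivots for the target's IP."""
    cohosted = [d for d in reverse_ip.get(ip, []) if d != target]
    return {
        "ip": ip,
        "ip_size": classify_ip_size(len(cohosted) + 1),
        "cohosted": cohosted,
        "shared_registrants": shared_registrants(target, ip, reverse_ip, whois),
        "location_mismatch": location_mismatch(ip, claimed_country, ip_info),
        "ip_owner": ip_info.get(ip, {}).get("org"),
    }


if __name__ == "__main__":
    print(pivot_on_ip("target.example", "203.0.113.10", "US",
                      SAMPLE_REVERSE_IP, SAMPLE_WHOIS, SAMPLE_IP_INFO))
```

On the constructed data the address is small, two co-hosted domains share one registrant email, and hosting is in a different country than the site claims; each of those is a reason to keep digging, and the `shared` classification is the cue to try another path instead.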

When you use Reverse IP to see what other sites are hosted on the same IP, you may want to use the screenshot from Domain Profile to look for similarities. Especially if the domain(s) you’re researching are known for malware or other dangers, it’s often prudent not to visit the sites themselves.

Many attack attribution or website fraud investigations call for you to look back in time, and in our next installment, we’ll see how the historical data that is summarized in the Domain Profile can advance your investigation.

Until next time, happy exploring!




Beyond Whois: DomainTools Domain Profile

July 18th, 2014

Official ownership records are valuable and can often tell interesting tales about the goods–physical or digital–that they cover. However, ownership records only go so far, as anyone who has used a commercial vehicle history report knows! Getting beyond the basics of registration data can make a world of difference for prospective buyers, and several firms have made a lucrative business out of providing detailed histories of cars and light trucks.

Internet domains are no different. It’s a safe bet that almost anyone reading this is very well-versed with Whois (which used to be spelled WHOIS, in the stilted English of protocol names back in the day). That familiar Courier-font blob of domain registration information is key to all kinds of activities, from domain investment and management, to brand management, to cybercrime investigation. The vast majority of investigations at DomainTools begin with a Whois lookup.

As useful as this information is, however, there is much more that can be learned about a domain by going beyond the data in the Whois record itself, so we’re going to spend some time looking at what’s *not* in the Whois records.

Here at DomainTools, we’ve been collecting and presenting such additional data for years, and the extra information forms a large part of the structure and experience of our Whois lookup results. We call this combination of Whois registration data and additional domain information the Domain Profile (though that name is not explicitly shown on the Whois results page).

Here are examples of the Domain Profile information, the datapoints that go beyond the Whois record:

  • IP address (some domains may not have one associated with them, but most do, even if it’s just a parking site from the registrar)
  • IP geolocation location and ASN (this tells you about the network on which the domain resides)
  • Screenshot
  • Website title
  • Response code (the code the web server sends back upon the initial HTTP connection–assuming the domain has a website up and running)
  • Server type
  • SEO score, terms, GA codes, images, and links information
  • MX records (these are not on the Whois results page, but are available to you through Reverse MX)

Each of these pieces of information can be very valuable. Which are most important depends on the type of investigation you are conducting. But right from the get-go, they help to give you an overall sense of the status of the domain, allowing you to very quickly assess the basics:

  • Does it have a website? Does the site look “professional?” Does it look as though it’s been updated recently?
  • Does it reside on a dedicated IP address, or a relatively “small” IP address (one with not too many other domains on it), or is it on a big hosting site?
  • Is there evidence that the domain’s owner has tried to maximize the domain’s profile, through SEO and other optimization techniques?
  • How does the owner (or at least the webmaster) describe the web site? What are they trying to tell the world (and search engine bots!) about the site?

By spending as little as a few seconds looking over the Domain Profile on the Whois results page, you can pick up a lot of useful detail, which in turn informs your decisions about what to do next in your investigation. The next blog on “Beyond Whois” will give more detail on how the Domain Profile datapoints can point you toward valuable answers and sometimes-unexpected insights.

As always, we invite your questions and feedback to Thanks for reading, and happy exploring!


The World’s #1 Whois service just got better

June 12th, 2014

If you’ve spent any time on our site, you already know that “Whois” with DomainTools is much more than just a static Whois entry for a domain. Our Whois results page provides a detailed profile of the domain, including summary information on related IP addresses, name servers, IP geolocation, and web server stats and historical stats on domain ownership, NS, IP and Screenshot changes.

For most of our users, this is the jumping-off point for all kinds of investigations into cybercrime, security threats, online fraud, domains purchase, domain value, marketing opportunities, competition or any number of other activities.

We’ve just made access to this information easier to use, cleaner and faster. We’ve done a major overhaul of the Whois results page—a page that hasn’t had a design/UI update in many years. Not only was our goal to make it cleaner, better, faster, but to make it easier for users to start their investigations and leverage our Reverse, History, Monitors and other premium products. Like with a beautiful old building, at some point you need to renovate the lobby to make it look clean and function better.

Here’s an overview of the changes:

  • Major profile information has been cleaned up and organized so that the most valued and used information is on top.
  • Rows that contain historical or reverse lookup information such as registrant email, Whois History, and IP address, have action buttons that let you instantly “pivot” on that data point.
  • We flattened the tab structure so that key information is visible at a glance. We’ve included expand/collapse controls for the major sections of the table, as well.
  • A new “Tools” section is available in the upper right enabling you to jump straight to specific tools, view the domain’s screenshot, buy/backorder the domain, etc.
  • We’ve decreased load time.

For details on the changes and how to get the most out of the new features, read the User Guide.

What hasn’t changed:

  • We still provide the best coverage of Whois reporting across ccTLDs, new TLDs and gTLDs.
  • We still provide Whois history back 12 years.
  • We still provide the industry’s best Reverse Whois, Reverse IP, Reverse Name Server and Reverse Mail Server products.
  • We still provide the #1 Domain Search, domain name typo and name spinning products.
  • We still provide 100% real-time lookups, every time, for paying members. For non-paying members, most lookups are real-time and never older than that day. (The first lookup of every domain per day is real-time, and subsequent lookups are never older than that day.)
  • The raw Whois record is always provided.

The new Whois results page is a big change from the previous. For long-time users, there might be a bit of a learning curve. So, please, jump in, explore, experiment and get to know it. We believe you will find it much more efficient. If, after you’ve tried it for a few days, you still have suggestions on how to make it better, please send us your feedback at

For casual visitors, many of our more powerful tools, like Reverse Whois, Whois History and Domain Search, are available only to subscribing members. If you’re not already a DomainTools Professional member, sign up for a membership or a Free Trial to find out for yourself how much you can learn with the research products we’ve assembled on top of the world’s largest database of domain and IP information.

Thanks for using DomainTools and happy exploring!