WHOIS and DNS Lookup: Domain Registration and Infrastructure
Investigator's guide to WHOIS and DNS lookups: identify registrars, trace name servers, enumerate records, and pivot between domains owned by the same operator.
Every domain leaves a trail of registration and DNS records. Reading that trail tells you who bought the domain, when, through which registrar, which servers host it, and which neighbouring domains share its infrastructure. This tutorial covers the reliable techniques — and the ones that have been hollowed out by privacy regulation.
Who this is for
Beginner
Investigators tracing digital infrastructure: researchers mapping disinformation networks, compliance officers verifying corporate domains, journalists checking whether two websites are operated by the same entity.
What you'll need
- Terminal with whois and dig (Linux, macOS, or WSL on Windows).
- A browser for web-based tools.
- Optional paid accounts for historical WHOIS (SecurityTrails, DomainTools) if you need pre-2018 records.
How it works
WHOIS is a public query protocol: you ask a registry or registrar for a domain's registration metadata and get back the registrar, creation/update/expiry dates, name servers, and contact fields. DNS is the distributed system that maps names to addresses, mail servers, and text records. Since GDPR took effect in 2018, WHOIS contact fields for most generic TLDs are redacted: registrant names and emails are usually masked, although registrar, dates, and name servers still appear. DNS, by contrast, remains rich: name servers, A/AAAA, MX, and TXT records expose hosting and vendor relationships. Certificate transparency logs, a separate public source queried by hostname rather than through DNS, add every TLS certificate ever logged for a domain and its subdomains.
Step-by-step walkthrough
- Run a basic WHOIS lookup.
    whois example.com
  Record: registrar, creation date, update date, expiration date, and any unredacted registrant fields. The creation date often pins when an operation started, subject to the dropped-and-re-registered caveat under Common pitfalls.
- Pull the authoritative DNS records.
    dig example.com NS +short
    dig example.com A +short
    dig example.com AAAA +short
    dig example.com MX +short
    dig example.com TXT +short
  Query each type separately. A single dig example.com ANY +noall +answer is tempting, but many authoritative servers and resolvers refuse ANY or answer it with a minimal response (RFC 8482), so it is not a reliable way to dump everything. TXT records frequently expose SaaS vendors (SPF includes for Google Workspace, Microsoft 365, Mailgun, SendGrid; site-verification tokens for other services), which narrows the operator profile.
- Reverse-resolve the IP.
    dig example.com +short
    dig -x 93.184.216.34 +short
  Reverse every address the first command returns. If the domain sits behind Cloudflare or another CDN, the reverse will be the CDN's PTR, not the origin. Mark that and continue.
- Enumerate TLS certificates. Visit https://crt.sh/?q=%25.example.com to list every logged certificate for subdomains of the domain (the %25 is a URL-encoded % wildcard; query q=example.com as well to cover the apex name itself). Certificate transparency is often more useful than WHOIS today: it reveals staging environments, internal tools, and shared infrastructure, and expired certificates stay in the logs, so old hostnames are recoverable too.
- Find sibling domains on shared infrastructure. Use a passive DNS source such as SecurityTrails, ViewDNS reverse-NS (https://viewdns.info/reversens/), or dnsdumpster.com. Query by name server and by IP. Domains sharing a non-default name server set (not a registrar's or CDN's stock servers) are strong candidates for common ownership; domains sharing only an IP are not.
- Check historical WHOIS. Pre-2018 records often contain unredacted contact details. Paid services preserve these; free tiers usually show only the most recent record. Note each historical registrant email and pivot on it: attackers and disinformation operators reuse emails across registrations.
- Document the pivot graph. For every related domain you find, record how you got there: shared registrant email, shared NS, overlapping TLS SAN, identical Google Analytics ID (grep the HTML for UA- and G- identifiers).
Common pitfalls
- Assuming redacted WHOIS means nothing. Registrar, dates, and name servers are still present and still useful.
- Trusting WHOIS dates blindly. Domains get dropped and re-registered. An old creation date does not prove continuous ownership.
- Pivoting on Cloudflare or shared hosts. Thousands of unrelated domains share a single Cloudflare IP. Do not claim a relationship based only on shared hosting IP.
- Over-relying on one lookup tool. Different registrars rate-limit and redact differently. Cross-check at least two sources for anything you intend to publish.
Verifying your findings
Any claim that two domains share an operator needs multiple independent signals: shared registrant (historical), shared non-default name servers, overlapping TLS SAN entries, and ideally a non-generic shared analytics or tag ID. Document the pivot chain in the format described in the analysis phase guide, with timestamps and the exact query that produced each result.
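The following script is an added example written for this page, not a tool the tutorial ships or code from any of the services it names. It illustrates steps 2 through 7 of the walkthrough and the corroboration rule just stated: it parses dig +short style output, extracts SPF includes to name the mail vendor, discards registrar and CDN default name servers, and then scores every pair of domains by how many independent strong signals (historical registrant email, custom NS, TLS SAN overlap, analytics ID) connect them, treating a shared hosting IP as supporting evidence only. The domain names, records, vendor table and default-name-server suffix list are all constructed sample data and assumptions, so it runs offline; replace the SAMPLE dictionary with the results of your live lookups to use it on a real case.

```python
"""Score WHOIS/DNS/CT pivots between domains.

Added example for this tutorial, not part of the original page. The records
below are constructed sample data (hypothetical .example names) in the shape
that dig +short, crt.sh and historical WHOIS return, so the script runs
offline; feed it live lookups to use it for real.
"""
from itertools import combinations
from typing import Dict, Iterable, List, Set

# SPF include targets and the vendor each implies (step 2). Extend as needed.
VENDOR_HINTS = {
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
    "mailgun.org": "Mailgun",
    "sendgrid.net": "SendGrid",
}

# Stock name servers handed out by large registrars/CDNs. Sharing these proves
# nothing (step 5); the list is a starting assumption, extend it for your cases.
DEFAULT_NS_SUFFIXES = (".cloudflare.com", ".domaincontrol.com", ".registrar-servers.com")

# Signals strong enough to count toward corroboration; shared_ip is only supporting.
STRONG_SIGNALS = ("registrant_email", "custom_ns", "tls_san", "analytics_id")

# Constructed sample records. ns/a/txt are what dig +short would print, sans is
# every name on certificates crt.sh lists for the domain, registrant_emails are
# historical WHOIS contacts, analytics are IDs grepped from the site HTML.
SAMPLE: Dict[str, dict] = {
    "alpha-news.example": {
        "ns": {"ns1.opsdns.example", "ns2.opsdns.example"},
        "a": {"198.51.100.10"},
        "txt": ['"v=spf1 include:_spf.google.com include:sendgrid.net -all"',
                '"google-site-verification=constructed-token"'],
        "sans": {"alpha-news.example", "www.alpha-news.example", "tools.opsdns.example"},
        "registrant_emails": {"ops@operator.example"},
        "analytics": {"G-ABC123"},
    },
    "beta-daily.example": {
        "ns": {"ns1.opsdns.example", "ns2.opsdns.example"},
        "a": {"203.0.113.7"},
        "txt": ['"v=spf1 include:_spf.google.com -all"'],
        "sans": {"beta-daily.example", "tools.opsdns.example"},
        "registrant_emails": {"ops@operator.example"},
        "analytics": set(),
    },
    "gamma-blog.example": {  # unrelated site on the same shared host as alpha-news
        "ns": {"ns1.domaincontrol.com", "ns2.domaincontrol.com"},
        "a": {"198.51.100.10"},
        "txt": ['"v=spf1 include:spf.protection.outlook.com -all"'],
        "sans": {"gamma-blog.example"},
        "registrant_emails": set(),  # redacted, no historical record available
        "analytics": {"G-ZZZ999"},
    },
}


def from_dig_short(output: str) -> Set[str]:
    """Turn `dig ... +short` output (one value per line) into a set, trailing dots stripped."""
    return {line.strip().rstrip(".") for line in output.splitlines() if line.strip()}


def spf_includes(txt_records: Iterable[str]) -> List[str]:
    """Return the include: targets of the first v=spf1 TXT record, in order."""
    for rec in txt_records:
        value = rec.strip().strip('"')
        if value.lower().startswith("v=spf1"):
            return [t.split(":", 1)[1] for t in value.split() if t.lower().startswith("include:")]
    return []


def saas_vendors(txt_records: Iterable[str]) -> Set[str]:
    """Map SPF includes to known SaaS mail vendors (unknown includes are ignored)."""
    return {VENDOR_HINTS[inc] for inc in spf_includes(txt_records) if inc in VENDOR_HINTS}


def custom_ns(name_servers: Iterable[str]) -> Set[str]:
    """Drop registrar/CDN default name servers; only the remainder can support a pivot."""
    return {ns for ns in name_servers if not ns.lower().rstrip(".").endswith(DEFAULT_NS_SUFFIXES)}


def pair_signals(a: dict, b: dict) -> Dict[str, Set[str]]:
    """Every signal linking two domains, keyed by signal type, with the shared evidence."""
    candidates = {
        "registrant_email": a["registrant_emails"] & b["registrant_emails"],
        "custom_ns": custom_ns(a["ns"]) & custom_ns(b["ns"]),
        "tls_san": a["sans"] & b["sans"],
        "analytics_id": a["analytics"] & b["analytics"],
        "shared_ip": a["a"] & b["a"],  # weak: thousands of domains share one host
    }
    return {kind: evidence for kind, evidence in candidates.items() if evidence}


def pivot_graph(records: Dict[str, dict], min_strong: int = 2) -> Dict[tuple, Dict[str, Set[str]]]:
    """Edges between domain pairs that have at least min_strong independent strong signals."""
    edges = {}
    for x, y in combinations(sorted(records), 2):
        signals = pair_signals(records[x], records[y])
        if sum(kind in signals for kind in STRONG_SIGNALS) >= min_strong:
            edges[(x, y)] = signals
    return edges


if __name__ == "__main__":
    for name, rec in SAMPLE.items():
        print(f"{name}: vendors={sorted(saas_vendors(rec['txt']))} custom_ns={sorted(custom_ns(rec['ns']))}")
    for (x, y), signals in pivot_graph(SAMPLE).items():
        print(f"{x} <-> {y}: " + ", ".join(f"{k}={sorted(v)}" for k, v in signals.items()))
    # alpha-news and gamma-blog share only an IP, so no edge is reported for them.
```

With the sample data, alpha-news and beta-daily are linked by three strong signals (registrant email, custom NS, a shared SAN), while alpha-news and gamma-blog share only a hosting IP and therefore get no edge, which is exactly the shared-host pitfall above. Keep the evidence dictionary each edge carries: it is the pivot chain you will need to publish, alongside the timestamp and exact query that produced each record.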
Related tutorials
- Wayback Machine to see what the domain hosted over time.
- Shodan to enumerate services running on discovered IPs.
- Company registry searches to cross-reference a registrant's organisation.
Apply this in practice
The case study on tracking a disinformation network walks through a WHOIS and DNS pivot that maps a coordinated domain cluster. For deeper document-side analysis of corporate registration filings discovered during a WHOIS pivot, use the Subthesis legal document analysis tool.