IP history lookup is an important query type for in-depth DNS cybersecurity research

实际应用

• Trace domain transfers

  See when domains have changed hosts and trace their historical activity.

• Investigate suspicious domains

  Find out the IP addresses historically associated with a domain to analyze them for previous suspicious activity.

• Uncover threat actor infrastructure

  Identify IP addresses historically linked to a known malicious domain or additional domain names that have at some point been hosted on a given IP address.

• Monitor threat actors

  Stay alerted to DNS resolutions associated with known threat actors, and uncover patterns or anomalies that could indicate malicious activity.

常见问题

What is an IP history lookup?

A historical IP lookup is a process that allows you to see the hosting history of a domain — the list of IP addresses it has been associated with over time. An IP history lookup shows you how a domain migrated between hosts and gives you more context about its historical associations.

It is similar to a real-time DNS lookup, but it relies on historical DNS data instead, offering multiple historical records with different timestamps.

What is a reverse IP history lookup?

A reverse IP history lookup is a process that allows you to see the historical domain names that have been associated with a specific IP address over time. This means you can track which websites were previously hosted on a given web server, even if they have since moved to a different IP.

Performing a reverse IP history lookup can uncover patterns that may indicate suspicious activity, domain migrations, or shared hosting environments. A reverse IP history lookup is similar to a real-time reverse IP lookup, but it relies on historical DNS data instead. This means it provides multiple records instead of just one current record.

How is IP history collected?

IP history is part of DNS history that is collected using passive DNS sensors. The DNS system has no memory, so it only keeps the current domain to IP associations. The sensors collect this data over a long period of time, tracking changes and adding timestamps to them. We use our own passive DNS sensors and work together with DNS data aggregation partners to keep track of these changes. For more information on how passive DNS works, check out our Passive DNS Primer.

How to lookup connected domains with IP history?

To uncover domains connected to a given domain, you can run an IP history lookup, finding IP addresses associated with this domain over time. Then, run a reverse historic IP lookup for each of these IP addresses, uncovering other domains that have been hosted on these IP addresses. These domains are likely to be connected to the given domain.

Note that being hosted on the same IP doesn’t guarantee that domains are indeed associated, as they might be using shared hosting.

How far into the past does IP history go?

WhoisXML API provides years of historical IP-to-domain records thanks to a vast database of historical DNS data. For domains that are only a few years old, you’ll likely see their entire IP history.

Why do IP history records show me multiple IP addresses associated with one domain at the same time?

A domain can have multiple associated IP addresses for load balancing, geographical distribution, or failover. If it uses a content delivery network (CDN) like Cloudflare or employs other load balancing techniques, the historical IP records will show multiple IP addresses associated with the domain at the same time. These correspond to the different servers delivering the content for the website.

For example, below you can see the result of a historical IP lookup for example.com. The records for October 4, 2019, show many different IP addresses associated with it.

Can I see other historical records other than A and AAAA?

Yes, you can. IP history is a feature of our DNS history products, which also provide historical MX, NS, TXT, CNAME, SOA, and PTR records. However, to see these, you’ll need to use the DNS Database Download. The lookup tool and the DNS Chronicle API currently only provide historical IP-to-domain and domain-to-IP data.