9 Best DNS Lookup Tools for Cybersecurity Investigations | WhoisXML API
Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

Research
Monitoring
White-Label
Predictive Threat Intelligence Feeds
Predictive Threat Intelligence Feeds

Predictive threat intelligence is your best first line of defense. Subscribe to the feeds to strengthen your cybersecurity posture. Contact us today for more information.

WhoisXML API Internet Infrastructure
Internet Infrastructure

Unlock integrated intelligence on Internet properties and their ownership, infrastructure, and other attributes.

Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Discover what you really pay for when buying commercial Internet intelligence data.

Download now
×
Contact Us
API docs Pricing Blog
Read other articles Download PDF

9 Best DNS Lookup Tools for Malware Analysis and Phishing Investigations

For cybersecurity researchers, the DNS hides a treasure trove of data. It offers insights to identify malicious domains, map attacker infrastructure, detect fast flux, and identify typosquatting domains. But it also requires knowing where to look and what to analyze. 

In this post, we cover different the best DNS lookup tools for different types of lookups and what types of investigations they can help with. 

Types of DNS Lookups

To simplify things, we can group DNS lookup tools into two categories, depending on the data point you want to query:

  • Forward DNS lookups. These require a domain or a subdomain name as input and then retrieve values stored in DNS records, such as associated IP addresses (from A and AAAA records), nameservers (from NS records), mail servers (from MX records), and so on.
  • Reverse DNS lookups. These require a value (an IP address, a nameserver, a mail server, or something else) and retrieve domain and subdomain names that have this value in their DNS records. This may involve querying DNS zones (e.g., PTR for IPs) or using passive DNS data that maps values to domains.

Forward DNS Lookup Tools

Forward DNS lookup tools let you pivot off a domain name, so you can find everything you want to know about it, DNS-wise. Here’s a quick list of WhoisXML API tools that enable you to perform forward DNS lookups.

  • DNS Lookup API: This lookup tool retrieves the target domain’s DNS records, including A, NS, CNAME, SOA, and several other DNS record types. 
  • TXT Record Lookup: You may use this tool if you only need to obtain the TXT record of a domain name. 
  • MX Record Lookup: This free DNS lookup tool retrieves the MX records of any domain. 
  • CNAME Record Lookup: Use this tool to get the CNAME record of a target domain. 

These tools can help when the starting point of an investigation is one or more domain names. We’ll get to specific use cases for them a little later.

Reverse DNS Lookup Tools

Sometimes, your starting point is an IP address. And investigations don’t usually take just one step, so at some point you probably end up with some DNS records collected from forward lookups. This is where reverse DNS lookups come in. Below are the tools that can help you:

  • Reverse DNS API: This tool allows you to search for domains associated with an SOA, TXT, or CNAME record.
  • Reverse IP API: This tool gives you a list of all domains that resolve to an IP address, along with the dates when the IP resolution was first and last detected.
  • Reverse MX API: You can type in an email server address (e.g., smtp[.]google[.]com) and find out which fully qualified domain names (FQDNs) link back to it. 
  • Reverse NS API: This reverse DNS tool retrieves all domains that use a specific nameserver. 

WhoisXML API also offers a tool that allows you to perform both forward and reverse DNS lookups with historical data. With the DNS Chronicle API, you can pivot off a domain to retrieve all its historical A and AAAA records or start with an IP address to get a list of historically associated FQDNs. 

More About the DNS Lookup Tools

Let’s take a closer look at each of the tools named above, including their use cases and what the query responses look like. 

1. DNS Chronicle API: Observe the Shifts in Attacker Infrastructure

The DNS Chronicle API is useful for historical DNS data analysis. It relies on passive DNS data and enables investigators to observe how an attacker's infrastructure has shifted—perhaps to evade detection or to set up new command-and-control (C2) servers.

The query response includes the date when the IP addresses connected to the queried domain (forward lookup) or the domains associated with an IP address (reverse lookup) were observed in chronological order. Here is an example of a reverse lookup on DNS Chronicle API:

DNS Chronicle lookup results
Source: DNS Chronicle Lookup result for 35[.]81[.]85[.]251.

A WHOIS lookup for the retrieved domains may reveal similarities, such as their creation dates, registrant contact details, and registrar information. You may also want to run DNS lookup queries for the domains to see which of them, if any, share the same IP addresses and DNS records. The goal is to find as many common data points as possible to increase the confidence in the domains being part of the same attacker infrastructure. 

2. DNS Lookup API: A Starting Point for Cyber Reconnaissance

DNS Lookup API serves as an "all-in-one" DNS query tool, typically used during initial reconnaissance to get a comprehensive overview of a domain’s public DNS footprint. It can help determine hosting providers, email service providers, and other linked services.

When provided with a target domain, DNS Lookup API retrieves a wide range of DNS record types—52, to be exact. The output is structured and details all available DNS records for the queried domain, including its time-to-live (TTL) value, and associated information.

Source: DNS Lookup result for basecamp[.]app.

Now, you have several DNS records to work with and you can run reverse DNS lookups for them, which can lead to other domains that use the same DNS records. For example, you can do a reverse IP lookup for the IP address identified in the A record, or a reverse MX lookup for the mail server contained in the MX record. 

3. TXT Record Lookup: Discover Malicious Arbitrary Text and Verify Domain Ownership 

The TXT Record Lookup tool focuses on retrieving TXT records for a given domain name, helping with phishing investigations and malware analysis. These DNS records are commonly associated with email authentication mechanisms like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), which help prevent email spoofing and phishing. They can also sometimes hold arbitrary text data that attackers might use for command and control or data exfiltration.

This free tool presents the query response as a pop-up containing a list of TXT values and their TTL.

TXT record lookup tool results

Investigators typically analyze the content and context of the TXT data uncovered from this tool to determine if the record is random-looking, which could be a sign of DNS tunneling.

4. MX Record Lookup: Pivot to Phishing Network Detection

The MX Record Lookup tool enables investigators to trace email spoofing incidents by identifying the legitimate servers for a domain so they can assess if a suspicious email originated from an unauthorized server. Query results can also help investigators understand the email infrastructure of a phishing campaign.

Like the TXT Record Lookup tool, the query response is displayed in a pop-up that lists the mail server hostnames responsible for handling email for the domain, along with their preference numbers (lower numbers indicate higher priority). The tool is also free to use without any limits.

MX record lookup tool results

Running a reverse MX lookup will return a list of domains associated with the mail server hostname.

5. CNAME Record Lookup: Investigate Redirects and Alias Networks

The CNAME Record Lookup tool retrieves CNAME records, which are aliases that point one domain to another domain name rather than an IP address. This tool helps investigators with phishing analysis, particularly with tracing redirect chains in suspicious URLs where a legitimate-looking but compromised domain might CNAME to a domain hosting phishing infrastructure.

The tool’s query results are presented as a pop-up that lists the domain’s CNAME and TTL values. 

Cname record lookup tool results

In one recent investigation, the FBI identified CNAME records used across several malicious domains. Using them in a reverse DNS lookup, they were able to identify hundreds of thousands of other domains belonging to the same infrastructure. Researchers from WhoisXML API have also contributed to this investigation.

6. Reverse DNS API: Map SOA, TXT, and CNAME Records to Malicious Domains

Instead of simply mapping an IP to any associated domain, the Reverse DNS API allows you to search for domains that are configured with a particular SOA, TXT, or CNAME record. This enables highly targeted investigations, allowing users to find domains that share the same configuration fingerprints or content in their DNS records.

The result of a query for domains containing the string ns.google in their SOA records, for instance, would look like this:

Reverse DNS lookup tool
Source: Reverse DNS Lookup results for ns.google*

Running WHOIS lookups for the domains obtained using a reverse DNS lookup can help identify common ground, such as whether the domains were registered by the same registrant. 

7. Reverse IP API: Uncover Malicious Websites Sharing an IP

If you only have an IP address to start an investigation, the Reverse IP API can give you a list of domains that have ever resolved to that IP, along with the dates when the resolutions were first and last detected. 

Reverse IP lookup tool results
Source: Reverse IP Lookup results for 4[.]4[.]4[.]4.

Cyber investigators can use the Reverse IP Lookup to determine if the IP address can host multiple domains, whether legitimately (like shared hosting) or maliciously (like bulletproof hosting or a compromised server hosting many phishing sites or C2 domains). 

If the IP is indeed malicious (a threat intelligence lookup can tell you if it is), then investigators can find other domains linked to the malicious IP address. They can then run WHOIS lookups for those domains to identify important registration details such as date and time, as well as nameservers and registrar names to use this information for correlation when they discover more potentially associated domains.

8. Reverse MX API: Investigate Malicious Domains Sharing Mail Infrastructure

When you only have a mail server associated with a phishing or spoofed email address, you can use the Reverse MX API to identify all FQDNs that link back to that mail server. This could help uncover related phishing or spam campaigns.

Reverse MX lookup tool results
Source: Reverse MX Lookup result for gmail-smtp-in.l.google.com

A WHOIS lookup query for the associated domains will help investigators find out more about the domains. Additionally, they can find which domains are still active by running DNS lookups. 

9. Reverse NS API: Map Malicious Domains by Name Server

The Reverse NS API allows you to pivot from a nameserver address to identify all domains that use that specific nameserver. This tool helps in mapping attack infrastructures by identifying large clusters of domains under the control of a particular entity or threat actor by their shared nameserver infrastructure.

The query response lists the domain names that have NS records pointing to the queried nameserver address, along with the date when the record was first seen and last updated. 

Reverse NX Lookup tool results
Source: Reverse NS Lookup results for ns2[.]google[.]com.

The fact that certain domains share a name server is not enough to name them all malicious, even if one of them is known to be such. As in the case for other tools that return a list of domains, a WHOIS lookup on the domains is ideally the next step, along with DNS lookup queries to uncover and pivot off of other DNS records so that you can get more information, more correlations, and more certainty. 

Conclusion

Combining different DNS lookup tools and pivoting between them, investigators can expand their findings and build a full picture of the internet infrastructure used in malicious campaigns. 

Some of the tools listed above are completely free to use without any limitations, some require you to spend API credits (which you also can get for free, even though in limited amounts). 

To simplify pivoting between the tools, we’ve also built the Domain Research Suite that offers many of these tools in one place and allows you to pivot between them with a single click.

Read other articles Download PDF
Try our WhoisXML API for free
Get started