IP History Lookup for Cybersecurity | WhoisXML API
Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

Research
Monitoring
White-Label
Predictive Threat Intelligence Feeds
Predictive Threat Intelligence Feeds

Predictive threat intelligence is your best first line of defense. Subscribe to the feeds to strengthen your cybersecurity posture. Contact us today for more information.

WhoisXML API Internet Infrastructure
Internet Infrastructure

Unlock integrated intelligence on Internet properties and their ownership, infrastructure, and other attributes.

Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Multi-Level API User Administration Now Available - Manage individual API keys for team members in your organization.

Learn More
×
Contact Us
API Lookup Database

IP history lookup is an important query type for in-depth DNS cybersecurity research

WhoisXML API’s DNS history products allow you to map historical IP-to-domain or domain-to-IP connections. Track changes and use historical hosting data for fraud detection, threat actor monitoring, and incident analysis.

Start DNS Chronicle API Trial Contact Sales
50 Billion+Domains and subdomains
116 Billion+DNS records
60%+Cyber 150 in key categories trust us
52,000+Satisfied customers

How historical IP data lookups work

Enter a domain name to to look up associated historical A and AAAA records and uncover a domain’s hosting history. Or enter an IPv4 or IPv6 address to run a reverse IP history lookup and find out which domains have been hosted on a certain IP address over time. Try it now.

WhoisXML API products featuring IP history data

  • DNS Database Download

    DNS Database Download

    Obtain direct access to passive DNS A, AAAA, MX, NS, TXT, CNAME, SOA, and PTR record files from our market-leading database of historical DNS records.

    Explore Database Download
  • DNS Chronicle API

    DNS Chronicle API

    DNS Chronicle API can easily be integrated into existing security platforms, workflows, and other tools requiring passive DNS intelligence.

    Explore API
  • DNS Chronicle Lookup

    DNS Chronicle Lookup

    Easily retrieve the historical DNS A and AAAA records of any domain by typing it into our GUI.

    Explore Lookup

Practical usage

  • Trace domain transfers

    See when domains have changed hosts and trace their historical activity.

  • Investigate suspicious domains

    Find out the IP addresses historically associated with a domain to analyze them for previous suspicious activity.

  • Uncover threat actor infrastructure

    Identify IP addresses historically linked to a known malicious domain or additional domain names that have at some point been hosted on a given IP address.

  • Monitor threat actors

    Stay alerted to DNS resolutions associated with known threat actors, and uncover patterns or anomalies that could indicate malicious activity.

DNS Database | WhoisXML API

Ready to start using historical IP address data?

Contact Us

Frequently Asked Questions

What is an IP history lookup?

A historical IP lookup is a process that allows you to see the hosting history of a domain — the list of IP addresses it has been associated with over time. An IP history lookup shows you how a domain migrated between hosts and gives you more context about its historical associations.

It is similar to a real-time DNS lookup, but it relies on historical DNS data instead, offering multiple historical records with different timestamps.

What is a reverse IP history lookup?

A reverse IP history lookup is a process that allows you to see the historical domain names that have been associated with a specific IP address over time. This means you can track which websites were previously hosted on a given web server, even if they have since moved to a different IP.

Performing a reverse IP history lookup can uncover patterns that may indicate suspicious activity, domain migrations, or shared hosting environments. A reverse IP history lookup is similar to a real-time reverse IP lookup, but it relies on historical DNS data instead. This means it provides multiple records instead of just one current record.

How is IP history collected?

IP history is part of DNS history that is collected using passive DNS sensors. The DNS system has no memory, so it only keeps the current domain to IP associations. The sensors collect this data over a long period of time, tracking changes and adding timestamps to them. We use our own passive DNS sensors and work together with DNS data aggregation partners to keep track of these changes. For more information on how passive DNS works, check out our Passive DNS Primer.

How to lookup connected domains with IP history?

To uncover domains connected to a given domain, you can run an IP history lookup, finding IP addresses associated with this domain over time. Then, run a reverse historic IP lookup for each of these IP addresses, uncovering other domains that have been hosted on these IP addresses. These domains are likely to be connected to the given domain.

Note that being hosted on the same IP doesn’t guarantee that domains are indeed associated, as they might be using shared hosting.

How far into the past does IP history go?

WhoisXML API provides years of historical IP-to-domain records thanks to a vast database of historical DNS data. For domains that are only a few years old, you’ll likely see their entire IP history.

Why do IP history records show me multiple IP addresses associated with one domain at the same time?

A domain can have multiple associated IP addresses for load balancing, geographical distribution, or failover. If it uses a content delivery network (CDN) like Cloudflare or employs other load balancing techniques, the historical IP records will show multiple IP addresses associated with the domain at the same time. These correspond to the different servers delivering the content for the website.

For example, below you can see the result of a historical IP lookup for example.com. The records for October 4, 2019, show many different IP addresses associated with it.

Can I see other historical records other than A and AAAA?

Yes, you can. IP history is a feature of our DNS history products, which also provide historical MX, NS, TXT, CNAME, SOA, and PTR records. However, to see these, you’ll need to use the DNS Database Download. The lookup tool and the DNS Chronicle API currently only provide historical IP-to-domain and domain-to-IP data.