DNS History for Enhanced Cybersecurity | WhoisXML API

DNS history solutions for enhanced internet transparency and cybersecurity

Explore DNS record history to identify domain changes, infrastructure evolution, and potential threats with our consumption models—Lookup, API, and Database Download.


500 free API requests. No credit card required.

50 Billion+ domains and subdomains
116 Billion+ DNS records
60%+ Cyber 150 in key categories trust us
52,000+ satisfied customers

Our DNS History product line includes:

  • DNS Database Download

    Obtain direct access to passive DNS A, AAAA, MX, NS, TXT, CNAME, SOA, and PTR record files from our market-leading database of historical DNS records.

  • DNS Chronicle API

    DNS Chronicle API can easily be integrated into existing security platforms, workflows, and other tools requiring passive DNS intelligence.

  • DNS Chronicle Lookup

    Easily retrieve the historical DNS A and AAAA records of any domain by typing it into our GUI.

Benefits

  • Comprehensive

    Our historical DNS record database is one of the largest of its kind, with billions of recorded events, allowing you to dive deep into web properties’ DNS history and connections.

  • Easy to integrate

    Our DNS Database Download is available via CSV files. Our DNS Chronicle API is also designed for easy integration and supports popular programming languages and platforms.

  • Scalable

    Choose the best consumption model for you—lookup, API, or database download—to fit your unique requirements.


Practical Usage

  • DNS asset discovery

    Keep asset inventory current by uncovering connected or hidden domains and subdomains used for specific web applications and services.

  • Threat detection

    Identify unusual DNS resolution patterns that may indicate botnet activity or compromised infrastructures used to host or distribute malware.

  • Threat actor monitoring

    Stay alerted to DNS resolutions associated with known threat actors, and uncover patterns or anomalies that could indicate malicious activity.

  • Brand protection

    Monitor DNS record changes to detect domain hijacking attempts and assess how associated domains could affect brand reputation.

  • Third-party risk scoring

    Use DNS data to trace domain configuration changes, identify connected infrastructure, and detect suspicious activities linked to vendors and other third parties.

  • Fraud detection

    Spot fraudulent behaviors by analyzing DNS patterns, domain ownership changes, and previous associations with malicious servers.





Frequently Asked Questions

What are DNS records?

A DNS record is a data record stored in the Domain Name System (DNS) that maps domain names to specific resources, such as IP addresses, mail servers, or other services. A DNS server resolves those records to direct internet traffic and manage domain-related services. Common DNS record types include:

  • A record: Maps a domain to an IPv4 address.
  • AAAA record: Maps a domain to an IPv6 address.
  • MX record: Specifies mail servers for email delivery.
  • NS record: Lists authoritative name servers for a domain.
  • TXT record: Stores text-based information, often used for domain ownership verification (e.g., SPF, DKIM, or DMARC settings) or other metadata. For example, verifying website ownership to use Google Search Console requires adding a certain TXT record to the list of host records for a domain name.
  • CNAME record: Maps an alias or subdomain to another domain name. For example, it can redirect blog.example.com to www.example.com.
  • SOA record (Start of Authority): Contains administrative information about the domain, such as the primary name server, the domain administrator's contact email, and the DNS zone's version number.
  • PTR record (Pointer): Resolves an IP address to a domain name, commonly used in reverse DNS lookups.

To get information about a domain’s current DNS records, you can use our DNS lookup tool or DNS lookup API.

What is the DNS history of a domain name?

The DNS history of a domain name is a list of past DNS configurations, including changes to IP addresses, name servers, mail servers, and other DNS records over time. It provides insight into how a domain's infrastructure has evolved and can reveal ownership changes, migrations, or potential misuse.

Unlike a sizable portion of WHOIS data, DNS data is not redacted for privacy, so historical DNS records can be quite useful for cybersecurity purposes.

The Domain Name System was not engineered to keep track of historical records. Because those records hold a lot of value, independent vendors have begun creating and maintaining DNS history databases.

What data can you get from DNS history?

A domain’s DNS history typically includes details such as:

  • Historical A records: Changes to IPv4 address mappings.
  • Historical AAAA records: Changes to IPv6 address mappings.
  • Historical MX records: Changes to mail server configurations.
  • Historical NS records: Updates to authoritative name servers.
  • Historical TXT records: Past text-based information, often related to verification or security.
  • Historical CNAME records: Changes to aliases or redirections for subdomains.
  • Historical SOA records: Updates to administrative details, such as the primary name server or zone version.
  • Historical PTR records: Historical mappings of IP addresses to domain names, used in reverse DNS lookups.
  • Time-stamped changes and updates: A timeline showing when each record was added, removed, or updated.

This information provides a detailed timeline of a domain's DNS activity and helps uncover patterns, infrastructure changes, potential links to malicious actors, and more.

Here’s an example of using our historical DNS lookup tool for example.com that pulls historical IP to domain or domain to IP information:

What can I use historical DNS data for?

Historical DNS data has a wide range of practical applications across cybersecurity, threat intelligence, and asset management. You can use it to:

  • Add DNS context to SIEM, SOAR, and TIP platforms: Enrich security systems with DNS intelligence for better decision-making.
  • Accelerate threat detection and response: Identify unusual DNS changes or patterns associated with malicious activities.
  • Widen asset discovery and vulnerability management: Locate unmanaged or forgotten domains, subdomains, and related assets associated through DNS records.
  • Identify dangling DNS records and unsecured subdomains: Detect misconfigurations that could lead to data exposure or exploitation.
  • Expand threat intelligence gathering: Analyze historical DNS records to uncover links between domains and already known threat actor infrastructure.
  • Monitor changes in the DNS infrastructure of suspicious or malicious domains: Stay informed about updates that could signal new threats.
  • Run SaaS service discovery analyses: Identify services and platforms linked to a domain using clues from DNS records and subdomains.

These capabilities make historical DNS data a very useful resource for improving security posture and gaining deeper insights into domain activity and associated risks.

How to check DNS history?

To check DNS history:

  • Use a historical DNS lookup tool like our DNS Chronicle Lookup.
  • Enter the domain name you want to investigate.
  • Review the historical data on DNS records, including changes and updates over time.

Alternatively, you can use WhoisXML API's DNS Database Download service or the DNS Chronicle API. These data delivery models provide detailed, time-stamped DNS records and come in handy when you need to automate requests for historical DNS records.

How to use DNS history for security threat detection?

DNS history can help identify suspicious activity or patterns, such as:

  • Sudden changes in name servers or IP addresses that could indicate repurposing a domain for a phishing or malware campaign.
  • Rapid changes in A or AAAA DNS records, a technique called fast flux that helps evade traditional detection methods and is often an indicator of malicious activity.
  • Domains with records pointing to known malicious infrastructure (based on IoCs provided by threat intelligence).

By analyzing DNS history, security teams can detect and respond to potential threats proactively.
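
The checks listed above can be run over an exported DNS history. The following is an added example, not WhoisXML API code: the CSV column names, the sample rows, and the thresholds are assumptions made for illustration, and the data is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample history (not real data). The column names are assumptions
# for this example, not the schema of any vendor's export.
SAMPLE_HISTORY = """domain,rtype,value,first_seen,last_seen
shop.example,A,192.0.2.10,2023-01-05,2024-06-01
shop.example,A,192.0.2.11,2024-06-01,2024-12-01
flux.example,A,198.51.100.1,2024-03-01,2024-03-01
flux.example,A,198.51.100.7,2024-03-01,2024-03-02
flux.example,A,203.0.113.5,2024-03-02,2024-03-02
flux.example,A,203.0.113.9,2024-03-02,2024-03-03
flux.example,A,198.51.100.44,2024-03-03,2024-03-03
flux.example,AAAA,2001:db8::1,2024-03-03,2024-03-04
bad.example,A,203.0.113.66,2024-02-01,2024-05-01
"""

def load_history(text):
    """Parse the CSV; only first_seen is needed as a date for the checks below."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = datetime.strptime(row["first_seen"], "%Y-%m-%d")
        rows.append(row)
    return rows

def fast_flux_candidates(rows, window_days=7, min_distinct=5):
    """Domains with >= min_distinct distinct A/AAAA values first seen in one window."""
    seen = defaultdict(list)
    for r in rows:
        if r["rtype"] in ("A", "AAAA"):
            seen[r["domain"]].append((r["first_seen"], r["value"]))
    flagged = {}
    window = timedelta(days=window_days)
    for domain, events in seen.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            distinct = {v for t, v in events[i:] if t - start <= window}
            best = max(best, len(distinct))
        if best >= min_distinct:
            flagged[domain] = best
    return flagged

def ioc_hits(rows, ioc_ips):
    """Domains that ever had a record value matching a threat-intel IoC address."""
    return sorted({r["domain"] for r in rows if r["value"] in ioc_ips})
```

CDN-hosted and load-balanced domains also rotate addresses, so a hit here is a lead to triage against TTLs and hosting networks, not a verdict.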

How to use DNS history for threat actor monitoring?

DNS history can reveal connections between domains and threat actors by:

  • Tracking repeated use of specific IP addresses or name servers and other patterns in DNS record changes linked to known attackers.
  • Revealing additional threat actor infrastructure through DNS patterns, as well as learning new details about their methods and activities.
  • Monitoring threat actor infrastructure migration and proactively identifying yet-to-be-used infrastructure.

This helps cybersecurity providers keep tabs on threat actors' evolving tactics and infrastructure.

How to use DNS history for fraud detection?

DNS history aids fraud detection by uncovering:

  • Record changes that align with phishing or scam activities such as rapid switching of IP addresses (A and AAAA records) or name servers.
  • Use of disposable or suspicious DNS records with low TTL values or lack of legitimate MX records that normally should be present.
  • Historical data linking fraudulent domains to known malicious networks such as common name servers, IP addresses, and registrars.

These insights help investigators trace and mitigate fraudulent schemes.

How to use DNS history for asset discovery?

DNS history provides a comprehensive view of domain activity, which can:

  • Identify domains or subdomains tied to your organization that could pose risks if left unmonitored or used maliciously by others after expiration or transfer.
  • Highlight forgotten or unmonitored digital assets such as old subdomains or backup domains that might still be publicly accessible and can serve as entry points for attackers if not secured properly.
  • Uncover DNS issues like misconfigured DNS records that could expose sensitive data such as internal services, sensitive IP addresses, or cloud resources.

By leveraging DNS history, organizations can improve visibility and security of their digital assets.
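
For the forgotten-subdomain and dangling-record cases above, a review of your own zone's CNAME history can look like this. It is an added example, not WhoisXML API code: the record tuples, the `LIVE_TARGETS` set (a stand-in for a live resolution check), and the 90-day staleness threshold are assumptions, and the data is constructed.

```python
from datetime import date

# Constructed CNAME history for an organization's own zone (not real data):
# (subdomain, cname_target, first_seen, last_seen)
CNAME_HISTORY = [
    ("blog.example.com", "www.example.com", date(2021, 1, 1), date(2025, 1, 10)),
    ("promo.example.com", "promo-2022.hosting.example.net", date(2022, 3, 1), date(2025, 1, 10)),
    ("docs.example.com", "old-docs.hosting.example.net", date(2020, 5, 1), date(2022, 8, 1)),
    ("docs.example.com", "docs.pages.example.org", date(2022, 8, 1), date(2025, 1, 10)),
    ("legacy.example.com", "app.hosting.example.net", date(2019, 2, 1), date(2021, 6, 30)),
]

# Constructed stand-in for "targets that resolve today"; in practice this
# comes from a current DNS lookup of each target.
LIVE_TARGETS = {"www.example.com", "docs.pages.example.org"}

def latest_records(history):
    """Keep the most recently observed CNAME per subdomain."""
    latest = {}
    for sub, target, first, last in history:
        if sub not in latest or last > latest[sub][2]:
            latest[sub] = (target, first, last)
    return latest

def review_subdomains(history, live_targets, org_suffix, as_of, stale_days=90):
    """Label subdomains that need an owner's attention.

    historical-only:    not observed for stale_days; confirm it is retired
                        and absent from the zone file.
    dangling-candidate: still observed, points outside the organization,
                        and the target no longer resolves.
    """
    findings = {}
    for sub, (target, _first, last) in latest_records(history).items():
        external = not (target == org_suffix or target.endswith("." + org_suffix))
        if (as_of - last).days > stale_days:
            findings[sub] = "historical-only"
        elif external and target not in live_targets:
            findings[sub] = "dangling-candidate"
    return findings
```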

How to use DNS history for brand protection?

DNS history supports brand protection by allowing you to detect:

  • Cybersquatting domains impersonating your brand that have suspicious IP changes or repeated use of nameservers linked to phishing campaigns. Such changes may indicate malicious intent of the domain owners.
  • Potentially malicious traffic that could signal website defacement attempts. Web application firewalls (WAFs) can block such traffic from known malicious IP addresses that are requesting access to your website.
  • Suspicious subdomains linked to your own infrastructure that may signal subdomain takeover.

We recommend using DNS history together with predictive threat intelligence feeds for better results and correlation when it comes to brand protection efforts. Read our blog post to learn more about using DNS history for brand attack prevention.