WHOIS and DNS Profiling

Use WHOIS, DNS, and passive DNS to profile attacker infrastructure.

Last updated: February 2026

Purpose and Scope

WHOIS and DNS data reveal registration details, resolution history, and infrastructure relationships. Passive DNS captures historical DNS resolutions, showing how domains and IPs were connected over time. This playbook covers using these data sources to profile attacker infrastructure.

Prerequisites

  • WHOIS tools: command-line whois, web services, or APIs
  • DNS tools: dig, nslookup, or online services
  • Passive DNS access: Services like SecurityTrails, Farsight DNSDB, or RiskIQ
  • Indicator context: Domains or IPs to investigate

WHOIS Analysis

What WHOIS Provides

  • Registrant name, organization, and contact info
  • Registration and expiration dates
  • Registrar information
  • Name servers
  • Update history

Key Fields to Examine

  • Creation date: Recently registered domains are higher risk
  • Registrant: Privacy services hide real owners; may indicate evasion
  • Registrar: Some registrars are more common in malicious campaigns
  • Name servers: Shared name servers may link related domains
  • Email addresses: Can pivot to find other domains by same owner

Red Flags in WHOIS

  • Domain registered within past 30 days
  • Privacy protection on domains claiming to be businesses
  • Registrant location inconsistent with claimed identity
  • Free email addresses for business domains
  • Short registration periods (a single 1-year term is typical for malicious domains)
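The key fields and red flags above can be turned into a repeatable check. The following is an added example (not part of the original playbook, and not the output format of any particular whois tool): it assumes a WHOIS lookup has already been normalised into the `WhoisRecord` fields shown, uses constructed sample records on reserved .example/.test names, and scores each record against the five red flags from the list. The marker words in `PRIVACY_MARKERS` and the provider list in `FREE_MAIL_DOMAINS` are assumptions to be tuned per investigation.

```python
from dataclasses import dataclass
from datetime import date

# Assumed normalisation of a WHOIS lookup; real `whois` output is free text
# whose layout varies by registrar and must be parsed or fetched via an API.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "proton.me"}
PRIVACY_MARKERS = ("privacy", "redacted", "proxy", "withheld", "guard")


@dataclass
class WhoisRecord:
    domain: str
    creation_date: str         # ISO date strings, as most WHOIS APIs return them
    expiration_date: str
    registrant_name: str
    registrant_email: str
    registrant_country: str    # two-letter code, "" when redacted
    claims_business: bool      # the site presents itself as a company
    claimed_country: str = ""  # country the site or brand claims to operate from


def whois_red_flags(rec, today):
    """Return the WHOIS red flags from the playbook that apply to rec.

    `today` is an ISO date string so results are reproducible in tests."""
    today = date.fromisoformat(today)
    created = date.fromisoformat(rec.creation_date)
    expires = date.fromisoformat(rec.expiration_date)
    flags = []

    age_days = (today - created).days
    if age_days < 30:
        flags.append(f"registered {age_days} days ago")

    # A one-year term is 365 or 366 days; allow a little slack for leap years.
    term_days = (expires - created).days
    if term_days <= 370:
        flags.append("single 1-year registration term")

    text = f"{rec.registrant_name} {rec.registrant_email}".lower()
    if rec.claims_business and any(m in text for m in PRIVACY_MARKERS):
        flags.append("privacy-protected registrant on a business domain")

    mail_domain = rec.registrant_email.rsplit("@", 1)[-1].lower()
    if rec.claims_business and mail_domain in FREE_MAIL_DOMAINS:
        flags.append(f"free mail provider ({mail_domain}) on a business domain")

    if (rec.claimed_country and rec.registrant_country
            and rec.claimed_country.upper() != rec.registrant_country.upper()):
        flags.append(f"registrant in {rec.registrant_country} but site claims {rec.claimed_country}")
    return flags


# Constructed sample records on reserved names; not real registrations.
SAMPLE_RECORDS = [
    WhoisRecord("new-shop-deal.example", "2026-02-01", "2027-02-01",
                "Redacted for Privacy", "newshopdeal@gmail.com", "RU", True, "US"),
    WhoisRecord("example.test", "2015-03-10", "2030-03-10",
                "Example Corp", "hostmaster@example.test", "US", True, "US"),
]


def profile_all(records, today):
    """Map each domain to its red flags, noisiest domains first."""
    result = {r.domain: whois_red_flags(r, today) for r in records}
    return dict(sorted(result.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for domain, flags in profile_all(SAMPLE_RECORDS, "2026-02-15").items():
        print(f"{domain}: {len(flags)} flag(s)")
        for flag in flags:
            print("  -", flag)
```

Since 2018 most registrars redact contact data by default, so the privacy flag on its own is weak evidence; it carries weight mainly in combination with a young domain, a one-year term, or a free-mail registrant.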

DNS Analysis

Record Types to Query

  • A/AAAA: IP addresses the domain resolves to
  • MX: Mail servers; may reveal infrastructure
  • TXT: SPF, DKIM, DMARC records; can indicate legitimacy
  • NS: Authoritative name servers
  • CNAME: Aliases pointing to other domains
  • SOA: Start of authority with admin contact

DNS Investigation Steps

  1. Query current DNS records for the domain
  2. Identify the IP addresses in A/AAAA records
  3. Check name servers for shared infrastructure
  4. Review MX records for mail infrastructure
  5. Examine TXT records for authentication setup

DNS Red Flags

  • No MX record for a domain that claims to send email
  • Missing or misconfigured SPF/DKIM/DMARC
  • Name servers on bulletproof hosting
  • Very low TTL values (the operator expects to change records frequently)
  • Resolution to known malicious IP ranges
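The investigation steps and red flags above map directly onto a small checker. The following is an added example, not code from the original playbook: it parses `dig +noall +answer` style output (constructed sample lines on reserved names and documentation IP ranges, not real hosts) into records, then tests the domain for a missing MX, missing or permissive SPF/DMARC, very low A/AAAA TTLs, and resolution into a watchlisted range. The `WATCHLIST` is a constructed stand-in for a threat-intelligence feed, and the 300-second TTL threshold is an assumption to tune to the environment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed dig answer sections for two made-up domains.
SUSPECT_DIG = """\
invoice-portal.example.   60    IN  A     203.0.113.45
invoice-portal.example.   60    IN  A     203.0.113.46
invoice-portal.example.   300   IN  NS    ns1.invoice-portal.example.
invoice-portal.example.   300   IN  TXT   "v=spf1 +all"
"""

BENIGN_DIG = """\
example.test.             3600  IN  A     198.51.100.10
example.test.             3600  IN  MX    10 mail.example.test.
example.test.             3600  IN  NS    ns1.example.test.
example.test.             3600  IN  TXT   "v=spf1 mx -all"
_dmarc.example.test.      3600  IN  TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
"""

# Constructed watchlist: the 203.0.113.0/24 documentation block is used only
# as a placeholder for ranges a real threat-intel feed would supply.
WATCHLIST = [(ipaddress.ip_network("203.0.113.0/24"), "constructed watchlist entry")]


def parse_dig_answers(text):
    """Parse dig answer-section lines into dicts of name/ttl/type/rdata."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        if rtype == "TXT":
            # dig prints TXT as one or more quoted strings; join them.
            rdata = "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata})
    return records


def dns_red_flags(records, domain, expects_mail=True, low_ttl=300, watchlist=WATCHLIST):
    """Apply the DNS red flags from the playbook to one domain's records."""
    domain = domain.lower()
    by_type = defaultdict(list)
    for r in records:
        if r["name"] == domain:
            by_type[r["type"]].append(r)
    flags = []

    if expects_mail and not by_type["MX"]:
        flags.append("no MX record although the domain is expected to send mail")

    spf = [r["rdata"] for r in by_type["TXT"] if r["rdata"].lower().startswith("v=spf1")]
    if not spf:
        flags.append("no SPF record")
    elif any("+all" in s.split() for s in spf):
        flags.append("SPF uses +all, which authorises any sender")

    dmarc = [r["rdata"] for r in records
             if r["name"] == f"_dmarc.{domain}" and r["type"] == "TXT"
             and r["rdata"].upper().startswith("V=DMARC1")]
    if not dmarc:
        flags.append("no DMARC record")
    elif any(re.search(r"\bp=none\b", d) for d in dmarc):
        flags.append("DMARC policy is p=none (monitor only)")

    addrs = by_type["A"] + by_type["AAAA"]
    low = [r["ttl"] for r in addrs if r["ttl"] < low_ttl]
    if low:
        flags.append(f"A/AAAA TTL as low as {min(low)}s (below {low_ttl}s)")

    for r in addrs:
        ip = ipaddress.ip_address(r["rdata"])
        for net, label in watchlist:
            if ip in net:
                flags.append(f"{ip} is inside watchlisted range {net} ({label})")
    return flags


if __name__ == "__main__":
    for text, name in ((SUSPECT_DIG, "invoice-portal.example"), (BENIGN_DIG, "example.test")):
        print(name, dns_red_flags(parse_dig_answers(text), name))
```

In practice the records come from separate queries (`dig +noall +answer A`, `MX`, `TXT`, and `TXT _dmarc.<domain>`); concatenating their answer sections gives the input this parser expects. The name-server hosting check from the list is deliberately absent, since it needs an external hosting-reputation source rather than the records themselves.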

Passive DNS

What Passive DNS Provides

Historical DNS resolution data collected from sensors:

  • All IPs a domain has resolved to over time
  • All domains that have resolved to an IP
  • First seen and last seen timestamps
  • Record count indicating query volume

Passive DNS Use Cases

  • Domain history: Where did this domain point in the past?
  • IP history: What domains have used this IP?
  • Infrastructure mapping: Find related domains and IPs
  • Fast flux detection: Rapid IP changes indicate malicious infrastructure
  • DGA detection: Patterns across algorithmically generated domains

Pivoting with Passive DNS

  1. Start with known malicious domain or IP
  2. Query passive DNS for historical resolutions
  3. Identify IPs the domain has used
  4. Find other domains that used those IPs
  5. Repeat to map the infrastructure
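The pivot loop above, together with the fast-flux use case from the previous list, is shown here as an added example that is not part of the original playbook. It assumes passive DNS results have already been fetched into tuples of (rrname, rdata, first_seen, last_seen, count), the shape most passive DNS APIs expose after light normalisation; the observations are constructed on reserved names and documentation IP ranges. The `hub_threshold` parameter is an assumption that keeps shared parking or hosting IPs from pulling hundreds of unrelated domains into the map.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed passive DNS observations: (rrname, rdata, first_seen, last_seen, count).
PDNS = [
    ("update-check.example", "203.0.113.10", "2026-01-05", "2026-01-20", 412),
    ("update-check.example", "203.0.113.11", "2026-01-21", "2026-02-01", 288),
    ("update-check.example", "192.0.2.1",    "2025-12-20", "2026-01-04", 5),
    ("cdn-sync.example",     "203.0.113.10", "2026-01-10", "2026-01-25", 97),
    ("cdn-sync.example",     "198.51.100.7", "2026-01-26", "2026-02-03", 61),
    ("mail-verify.example",  "203.0.113.11", "2026-01-22", "2026-02-02", 140),
    ("portal-login.example", "198.51.100.7", "2026-01-28", "2026-02-05", 53),
]
# 192.0.2.1 plays the role of a parking IP shared by many unrelated domains.
PDNS += [(f"parked-{i:02d}.test", "192.0.2.1", "2025-06-01", "2026-02-01", 3)
         for i in range(40)]
# A domain that rotates through 20 addresses in four days (fast-flux pattern).
PDNS += [("fluxy.example", f"203.0.113.{50 + i}",
          f"2026-02-0{1 + i // 5}", f"2026-02-0{1 + i // 5}", 12) for i in range(20)]


def build_index(obs):
    """Index observations both ways: domain -> IPs and IP -> domains."""
    d2ip, ip2d = defaultdict(set), defaultdict(set)
    for name, ip, *_ in obs:
        d2ip[name].add(ip)
        ip2d[ip].add(name)
    return d2ip, ip2d


def pivot(seed, obs, max_hops=6, hub_threshold=10):
    """Breadth-first pivot domain -> IP -> domain, skipping hub IPs.

    Returns the discovered domains, IPs, skipped hubs and the edges walked."""
    d2ip, ip2d = build_index(obs)
    domains, ips, hubs, edges = {seed}, set(), set(), []
    queue = deque([(seed, "domain", 0)])
    while queue:
        node, kind, hops = queue.popleft()
        if hops >= max_hops:
            continue
        if kind == "domain":
            for ip in sorted(d2ip[node]):
                if len(ip2d[ip]) > hub_threshold:
                    hubs.add(ip)            # parking/shared hosting: too noisy to follow
                    continue
                edges.append((node, ip))
                if ip not in ips:
                    ips.add(ip)
                    queue.append((ip, "ip", hops + 1))
        else:
            for dom in sorted(ip2d[node]):
                if dom not in domains:
                    domains.add(dom)
                    edges.append((node, dom))
                    queue.append((dom, "domain", hops + 1))
    return {"domains": domains, "ips": ips, "skipped_hubs": hubs, "edges": edges}


def fast_flux_score(domain, obs, min_ips=10, window_days=7):
    """Flag a domain whose resolutions span many IPs inside a short window."""
    rows = [(ip, date.fromisoformat(fs), date.fromisoformat(ls))
            for name, ip, fs, ls, _ in obs if name == domain]
    if not rows:
        return None
    span = (max(r[2] for r in rows) - min(r[1] for r in rows)).days + 1
    distinct = len({r[0] for r in rows})
    return {"distinct_ips": distinct, "span_days": span,
            "fast_flux": distinct >= min_ips and span <= window_days}


if __name__ == "__main__":
    result = pivot("update-check.example", PDNS)
    print("related domains:", sorted(result["domains"]))
    print("related IPs:", sorted(result["ips"]))
    print("skipped hubs:", sorted(result["skipped_hubs"]))
    print("fluxy.example:", fast_flux_score("fluxy.example", PDNS))
```

The walk stops at `max_hops` and refuses to expand any IP that more than `hub_threshold` domains have shared, which is what keeps the parking-page pattern from turning a focused pivot into a map of a hosting provider. Each edge in `edges` records why a domain was pulled in, which is the relationship the documentation step of the profiling workflow needs.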

Passive DNS Services

Commercial Services

  • Farsight DNSDB: Large passive DNS database with extensive history
  • SecurityTrails: DNS and WHOIS intelligence platform
  • RiskIQ/Microsoft: Passive DNS and web crawling data
  • DomainTools: WHOIS and DNS intelligence

Free Services

  • VirusTotal: Limited passive DNS in domain reports
  • SecurityTrails (free tier): Basic lookups with rate limits
  • RiskIQ Community: Limited free access

Infrastructure Profiling Workflow

  1. Start with indicator: Domain or IP from alert or intelligence
  2. WHOIS lookup: Get registration details and timeline
  3. Current DNS: Identify current infrastructure
  4. Passive DNS: Map historical relationships
  5. Pivot to related: Find connected infrastructure
  6. Check reputation: Validate against threat intelligence
  7. Document: Record findings and relationships

Common Attack Infrastructure Patterns

  • Parking pages: Domains resolve to common parking IPs before activation
  • Fast flux: Rapid DNS changes to evade blocking
  • Domain shadowing: Subdomains created on compromised legitimate domains
  • Bulletproof hosting: Infrastructure in jurisdictions resistant to takedowns
  • Cloud abuse: Using cloud providers for temporary infrastructure

Escalation Guidance

Escalate when profiling reveals:

  • Infrastructure linked to known threat actors
  • Multiple domains in your logs connected to the same attacker infrastructure
  • Evidence of targeted campaign against your organization
  • Active C2 infrastructure with significant connections

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.

Compare

Guardio AlternativeMalwarebytes AlternativeNorton AlternativeAvast AlternativeBitdefender Alternative