The Domain Research Suite (DRS) Guide for Journalistic and Media Research
As an aggregator of WHOIS, DNS, and IP data, WhoisXML API can help back up journalistic investigations with verifiable online facts about domains and websites. Researchers and media professionals can use our 9-in-1 hosted Domain Research Suite (DRS) platform to investigate suspicious domains, detect domain registration trends, keep track of the government’s or private sector’s actions towards errant websites, and more.
This post details several examples of how DRS enables gathering information about websites and their current and past owners as part of our Research and Media Collaborations program.
1. Digging Into the WHOIS History of Suspicious Domains
Let’s take a look at the domain name happipuppies[.]com, which has been flagged as malicious by various malware check engines. What can WHOIS History tell us about its ownership and connections?
- Look up the domain name’s historical WHOIS record on DRS’s WHOIS History Search functionality. You can access the full report online or download the PDF version by clicking on “Download PDF.”
- Check the domain ownership history. WhoisXML API has tracked happipuppies[.]com for over 500 days, since its creation on August 2, 2020. For much older domains, DRS can dig deeper.
For happipuppies[.]com, DRS has detected 272 WHOIS record changes and six historical WHOIS records, more than half of which are unredacted.
- Analyze the public registrant details. WHOIS history revealed one public owner of happipuppies[.]com: Harvey Alama of Harvey Consulting, with email address [email protected][.]com.
- Check for other domains under the registrant name. When you click on any of the registrant details, a list of further actions includes building a current or historic Reverse WHOIS report. Selecting either option gives you a list of domains containing specific registrant details in their current or historical WHOIS records.
While you can build reverse WHOIS reports on any registrant details, let’s use the email address for this particular analysis. There are 114 domains that have [email protected][.]com as their current registrant email address. The current Reverse WHOIS report is shown below:
On the other hand, a historic Reverse WHOIS search returned 172 domains that used the email address at some point in their registration history.
- Monitor the registrant. Seeing that the registrant email address is currently used in several other domains, you might find it useful to get alerted of any of its domain activities. To do that, click on the registrant email address and select “Add to Registrant Monitor.”
This action will tell DRS to monitor domain registrations, updates, renewals, and expirations made using the registrant email address.
You can edit the monitor and add more search terms to narrow down the results. Click on “Edit monitor” and add terms to be included or excluded in the monitoring.
2. Uncovering Domain Registration Trends
Newsworthy events are often reflected as spikes in domain registrations, and DRS can surface them. Follow these steps to get a list of domains related to current events:
- Search for domains containing a particular text string on DRS’s Domains & Subdomains Discovery functionality. For example, the tool returned 10,000 domains that contained the word “meta” added since CEO Mark Zuckerberg announced the company’s change of name from Facebook to Meta.
On the other hand, 779 domains using the word “omicron” were added since the World Health Organization (WHO) declared it a variant of concern on November 26, 2021.
- Export the list of domains as a comma-separated values (CSV) file. Click on the “Export CSV” button at the upper right-hand corner of the result page.
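Once the list is exported, the “added since” filter and the spike itself can be reproduced offline. The following is an added example, not part of the DRS guide or the WhoisXML API product: it parses a constructed stand-in for the CSV export (the real export's column names are not given in the guide, so `domain` and `created` are assumed), re-applies the keyword-since-event query from the step above, and additionally flags days whose count of keyword registrations exceeds a multiple of the pre-event daily mean.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed stand-in for a Domains & Subdomains Discovery CSV export.
# Column names are assumed; domains use the reserved .test TLD.
SAMPLE_CSV = """domain,created
omicron-test-kit.test,2021-11-24
buy-omicron-masks.test,2021-11-26
omicron-news.test,2021-11-26
omicronupdate.test,2021-11-27
puppy-toys.test,2021-11-27
omicron-vaccine-info.test,2021-11-27
omicron-variant.test,2021-11-27
"""

WHO_VOC_DATE = date(2021, 11, 26)  # WHO declared Omicron a variant of concern

def load_export(text):
    """Parse the export into (domain, created) pairs with real date objects."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["domain"].lower(), date.fromisoformat(r["created"])) for r in rows]

def added_since(records, keyword, event):
    """Mirror of the guide's query: keyword domains created on or after the event."""
    kw = keyword.lower()
    return sorted(dom for dom, created in records if kw in dom and created >= event)

def daily_keyword_counts(records, keyword):
    """Registrations per day whose domain name contains the keyword."""
    kw = keyword.lower()
    return Counter(created for dom, created in records if kw in dom)

def spike_days(counts, event, baseline_days=7, factor=2):
    """Days on/after the event whose count exceeds `factor` x the pre-event daily mean.
    The baseline is floored at 1/day so a quiet pre-event window does not flag everything."""
    window = [counts.get(event - timedelta(days=i), 0) for i in range(1, baseline_days + 1)]
    baseline = max(sum(window) / baseline_days, 1.0)
    return sorted(d for d, n in counts.items() if d >= event and n > factor * baseline)

if __name__ == "__main__":
    recs = load_export(SAMPLE_CSV)
    print(added_since(recs, "omicron", WHO_VOC_DATE))
    print(spike_days(daily_keyword_counts(recs, "omicron"), WHO_VOC_DATE))  # [2021-11-27]
```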
3. Monitoring Website Seizures
The United States government and private organizations like Microsoft take down websites involved in illicit activities, and such seizures can be detected through DRS. Here is how to do it:
- Find out the new registrant details of the seized domain. Using DRS’s WHOIS Search functionality, type in the seized domain name. For example, let’s cite primenuesty[.]com, one of the domains seized by Microsoft’s Digital Crimes Unit for its association with the Nickel APT group. The current registrant name is Digital Crimes Unit, with email address [email protected][.]com.
- Perform a Reverse WHOIS Search on the registrant information. Click on the registrant detail you want to look up, and build a current Reverse WHOIS report. This action will return all domains that use the same registrant detail in their current WHOIS record.
For our example, DRS returned 2,161 domains with “Digital Crimes Unit” as their registrant name.
- Monitor the registrant. You can stay ahead of website seizures by tracking domain additions, updates, and expirations made by the registrant. For convenience, you can add the registrant to the Registrant Monitor by clicking on it. Alternatively, you can go to the left pane and click on Registrant Monitor.
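Sections 1 and 3 both pivot on a registrant detail, and both distinguish a current Reverse WHOIS report (only the latest record of each domain is matched) from a historic one (any past record counts). The following is an added example, not code from the DRS guide or from WhoisXML API, that works that distinction through over a small constructed WHOIS history; the record layout, the redaction markers and the `.test` domains and fictitious registrant are all this example's own assumptions.

```python
from collections import namedtuple
from datetime import date

# One WHOIS snapshot; field names are this example's own, not DRS's schema.
WhoisRecord = namedtuple("WhoisRecord", "domain seen registrant_name registrant_email")

def is_redacted(value):
    """Registrars hide contact data behind privacy or GDPR placeholders."""
    lower = value.lower()
    return any(m in lower for m in ("redacted", "privacy", "whoisguard", "not disclosed"))

def latest_records(history):
    """Current WHOIS = the most recently captured snapshot of each domain."""
    current = {}
    for rec in history:
        if rec.domain not in current or rec.seen > current[rec.domain].seen:
            current[rec.domain] = rec
    return current

def reverse_whois_current(history, email):
    """Domains whose *current* record carries this registrant email."""
    return sorted(d for d, r in latest_records(history).items()
                  if r.registrant_email.lower() == email.lower())

def reverse_whois_historic(history, email):
    """Domains that carried this email in *any* snapshot, current or past."""
    return sorted({r.domain for r in history
                   if r.registrant_email.lower() == email.lower()})

def public_registrants(history, domain):
    """Unredacted (name, email) pairs found in a domain's WHOIS history."""
    return sorted({(r.registrant_name, r.registrant_email) for r in history
                   if r.domain == domain
                   and not (is_redacted(r.registrant_name) or is_redacted(r.registrant_email))})

# Constructed sample history under the reserved .test TLD; the registrant is fictitious.
HISTORY = [
    WhoisRecord("puppies-a.test", date(2020, 8, 2), "J. Doe", "jdoe@example.test"),
    WhoisRecord("puppies-a.test", date(2021, 3, 1), "REDACTED FOR PRIVACY", "redacted@privacy.test"),
    WhoisRecord("puppies-b.test", date(2020, 9, 5), "J. Doe", "jdoe@example.test"),
    WhoisRecord("puppies-c.test", date(2021, 1, 9), "Privacy Service", "privacy@whoisguard.test"),
    WhoisRecord("puppies-c.test", date(2021, 6, 1), "J. Doe", "jdoe@example.test"),
]

if __name__ == "__main__":
    print(public_registrants(HISTORY, "puppies-a.test"))
    print(reverse_whois_current(HISTORY, "jdoe@example.test"))   # ['puppies-b.test', 'puppies-c.test']
    print(reverse_whois_historic(HISTORY, "jdoe@example.test"))  # all three domains
```

Note that puppies-a.test drops out of the current report because its latest snapshot is redacted, which is exactly why the historic report in section 1 returned more domains (172) than the current one (114).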
About WhoisXML API
WhoisXML API is a leader in WHOIS, domain, IP, and DNS intelligence. Our Domain Research Suite (DRS) boasts 9-in-1 tools that allow you to access 11.5+ billion WHOIS records and 1.4+ billion domains and subdomains under 2,864+ TLDs and ccTLDs.