A "DNS database" is a database that stores DNS records, notably A records, i.e. which IP a domain is hosted at.
For currently live domains, domain to IP can of course be easily determined on the fly by just resolving the domain like the browser does, e.g.
cirosantilli.com
What is hard however is:
- the other way around: given an IP, list all domains that it hosts. This is known as "reverse IP" searching.
- historic data, i.e. what was the IP for a given domain at a given date and vice versa
As of 2023, working with DNS data is just going through a mish-mash of closed datasets/expensive APIs.
We really need some open data in that area.
- opendata.stackexchange.com/questions/1951/dataset-of-domain-names
- opendata.stackexchange.com/questions/2110/domain-name-system-record-a-database
- webmasters.stackexchange.com/questions/33395/find-the-ip-address-of-expired-domains/142751#142751
- superuser.com/questions/686195/how-to-find-the-last-ip-used-for-an-expired-domain-name/1793224#1793224
Some links of interest:
- bushart.org/topic/ip
- archive.org/details/internet-mapping
- stackoverflow.com/questions/307553/possible-to-download-entire-whois-database-list-of-registered-domains (deleted question, see archives)
- www.reversedns.ch/en/ has some OK reverse IPs, but you have to do them one by one with CAPTCHA, and we were already past that point when that source was found, so nothing new was found on it yet
- iphistory.net/ announced at www.reddit.com/r/OSINT/comments/1bip8j7/iphistorynet_find_historic_ip_addresses_from/
Bibliography:
- www.reddit.com/r/OSINT/comments/1j8uasm/does_domaintools_offer_historical_reverse_ip_ie/ by Ciro Santilli
- www.reddit.com/r/OSINT/comments/ne27qi/really_historical_whois/
- www.reddit.com/r/dns/comments/1f4y0mg/any_onestopshop_type_sites_that_are_better_for/
- www.arin.net/reference/research/whowas/ you need to request access and they need to approve your usage. Bastards.
They do have historic reverse IP search at dns-history.whoisxmlapi.com/api but their data is not obviously more complete than viewdns.info, e.g. as of March 2025:
- 62.22.60.56
  - viewdns.info/reverseip/?t=1&host=62.22.60.56 has traveltimenews.com from 2011
  - dns-history.whoisxmlapi.com/api is empty
- 66.175.106.158
  - viewdns.info/reverseip/?host=66.175.106.158&t=1 has a hit from 2011
  - dns-history.whoisxmlapi.com/api is empty
Their whois data seems better quality however.
As of 2025, you can do historical whois for free on the API demo under whois-history.whoisxmlapi.com/ but it only shows the 3 newest records.
To unlock that, you have to create an account, which gives you 500 credits, and then:
- tools.whoisxmlapi.com/whois-history-search: each full historical whois report for a domain costs 50 points
- tools.whoisxmlapi.com/reverse-whois-search: each historical reverse whois search costs 1 point
They do normalize the Gmail dot trick, but not the googlemail trick.
TODO is their database amazing?
TODO do they offer historical reverse IP?
assets.applytosupply.digitalmarketplace.service.gov.uk/g-cloud-14/documents/708941/255941323840717-pricing-document-2024-04-17-1304.pdf is an epic document under the gov.uk domain and marked "HIGHLY CONFIDENTIAL - For use only by DomainTools employees and other audiences under NDA only", and it marks Iris Investigate as starting at $15k USD for 250 Queries / Month.
Acquired by DomainTools in 2021. ChatGPT says it was the most complete DB ever.
Some interesting analysis by Parth Shukla twitter.com/pparth | www.linkedin.com/in/parth-shukla-59583b20/:
Apparently most of the routers were Chinese. No surprise there.
This is the most accessible DNS database online, as it does not require login or payment.
They have reasonable data. It's not fully complete as Ciro Santilli saw on CIA 2010 covert communication websites, but it is very valuable.
Tested as of 2025, they seem to have removed the per-IP checks on the web interface, and instead just use Cloudflare to check that you are human from time to time, which allows for a lot of manual searching to be done! Awesome!
Previously, you could only get about 250 queries on the web interface, then 250 queries per free account via API. They check your IP when you sign up, and you can't sign in twice from the same IP. They also state that Tor addresses are blacklisted. They also normalize dots in gmail addresses, so you need more diverse email accounts. But they haven't covered the .gmail vs .googlemail trick.
Their data is also quite disjoint from the data of the 2013 DNS Census. There is some overlap, but clearly their methodology is very different. Sometimes they slot into one another almost perfectly.
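The signup deduplication mentioned above (Gmail dots normalized, googlemail.com not) as a service operator would implement it; this is an added example, not code from viewdns.info or whoisxmlapi.com. It also folds plus-suffixes, which the page does not mention, and the sample addresses are constructed.

```python
# googlemail.com and gmail.com deliver to the same Google mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample signups (hypothetical addresses, not real accounts).
SAMPLE_SIGNUPS = [
    "john.doe@gmail.com",
    "johndoe@googlemail.com",
    "J.o.h.n.Doe+dns@gmail.com",
    "jane@example.org",
]


def canonical_email(address):
    """Return a canonical form so aliases of one mailbox compare equal."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]  # plus-suffixes reach the same inbox
        local = local.replace(".", "")  # Gmail ignores dots in the local part
        domain = "gmail.com"            # fold the googlemail.com alias
    return f"{local}@{domain}"


def duplicate_signups(addresses):
    """Group signup addresses that resolve to the same mailbox."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_email(addr), []).append(addr)
    return {key: addrs for key, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    for mailbox, addrs in duplicate_signups(SAMPLE_SIGNUPS).items():
        print(mailbox, "<-", addrs)
```

A check that only strips dots would treat the first two sample addresses as different accounts, which is the gap the page describes.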
Very curiously, their reverse IP search appears to be somewhat broken, or not to be historic, e.g.
- viewdns.info/iphistory/?domain=vuvuzelanews.com hits 74.116.72.246 in 2011, later moved to others
- viewdns.info/reverseip/?host=74.116.72.246&t=1 however does not contain vuvuzelanews.com
We've contacted viewdns.info support and they replied: "The reverse IP tool will only show a domain if that is its current IP address."
This is likely not accurate, more precisely it likely only works if it was the last IP address, not necessarily a current one.
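Why a reverse IP index that keeps only each domain's last IP misses vuvuzelanews.com, next to the historic lookups in both directions that the page asks for. This is an added example, not viewdns.info's implementation: only vuvuzelanews.com, 74.116.72.246 and the year 2011 come from the page; the exact dates, the other domains and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
from datetime import date

# Constructed observations: (domain, ip, first_seen, last_seen).
OBSERVATIONS = [
    ("vuvuzelanews.com", "74.116.72.246", date(2011, 1, 1), date(2011, 12, 31)),
    ("vuvuzelanews.com", "192.0.2.10", date(2012, 1, 1), date(2013, 6, 30)),
    ("example.org", "74.116.72.246", date(2010, 5, 1), date(2014, 3, 1)),
    ("example.net", "198.51.100.7", date(2011, 2, 1), date(2011, 9, 1)),
]


def ip_at(domain, day):
    """Historic forward lookup: IPs the domain was observed on at `day`."""
    return sorted({ip for d, ip, first, last in OBSERVATIONS
                   if d == domain and first <= day <= last})


def reverse_historic(ip, day=None):
    """Historic reverse IP: domains ever observed on `ip`, or only on `day`."""
    return sorted({d for d, i, first, last in OBSERVATIONS
                   if i == ip and (day is None or first <= day <= last)})


def reverse_last_ip_only(ip):
    """Reverse IP over an index that keeps just each domain's most recent IP."""
    latest = {}  # domain -> (ip, last_seen)
    for d, i, _first, last in OBSERVATIONS:
        if d not in latest or last > latest[d][1]:
            latest[d] = (i, last)
    return sorted(d for d, (i, _last) in latest.items() if i == ip)


if __name__ == "__main__":
    print(ip_at("vuvuzelanews.com", date(2011, 6, 1)))
    print(reverse_historic("74.116.72.246"))
    print(reverse_last_ip_only("74.116.72.246"))
```

The last-IP index drops vuvuzelanews.com as soon as the domain moves, even though the IP history still records the 2011 hit.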
Data format overview: opendata.stackexchange.com/questions/1951/dataset-of-domain-names/21077#21077
TODO was this data also obtained illegally like the Carna botnet?