Whois History and IP address lookups are indispensable tools for investigators. With them, you can look back in time, pierce through privacy protection and assess who’s in control via name servers and other domains hosted on the same address.
Whois History is normally a premium service and it’s sometimes available with other lookup tools like Reverse Whois, Hosting history, Nameserver history and Reverse IP. In this post, we’ll compare several Whois and IP address tools and the features that apply to Internet investigations. These features include:
KEY FEATURES OF LOOKUP SERVICES
Reverse Whois (registrant contact info)
IP address Whois
Shared servers (DNS, Mail, IP)
Hosting on nearby IP addresses
These tools are usually developed for industries with different interests. Whois History tools are often built for domain name speculators. IP address tools, on the other hand, are built for troubleshooting networks. Because of this, investigators often need more than one tool to do the job, i.e. to identify the website operator and determine how the website works.
So, which tool is right for you? I recommend testing any service that you’re considering with domain names and IP addresses that you’re familiar with. It’s the best way to understand how each tool is different and where to use them. For this post, I included one of my own domains in the test for real-time and historical lookups. I conducted the real-time lookup by switching the IP address back and forth with a CloudFlare CDN.* Here are the services for review:
Comparison: Whois Lookup / Whois History Services
The biggest distinction between the Whois services is the depth and frequency of the data collection.
Domaintools.com is the oldest of these services and its data extends at least 10 to 15 years deeper than that of the top competitors.
Older Whois data makes a difference, especially when the focus of the investigation is broad such as a continually changing landscape or a criminal network using disposable domains. In these investigations, the further back in time you can go, the greater the chance of encountering registrations, name servers or other clues pointing to a suspect. Privacy protection is also much more prevalent now than it was 10 years ago. That’s why Whois History is not my first stop when a domain is just a few years old. Some of Domaintools’ top competitors have emerged within this short time frame and that is a consideration for subscriptions.
In my tests, I found Whois history dating back to 2000 on Domaintools. On similar services, the same histories reached back to 2009 (Domainiq.com), 2012 (Whoisology.com) and 2014 (Domainbigdata.com).
In Domaintools’ new Personal plan ($99/month), subscribers can conduct up to 25 Whois History queries per month. A Domaintools representative told me that 95% of the user base currently searches within this range. If that’s accurate, then the math suggests a full quota of 25 Whois History and 25 Hosting History queries would run about $2.00 per search.
If you run out of budget or search credits, you can try one of these alternative services. These tools maintain some historical data but appear to collect it on a more intermittent basis: Easycounter.com, Domainhistory.net, Whoisrequest.com, and Whoxy.com.
Reverse Whois is the ability to connect domains by a common registrant contact such as a name, email address or phone number. It’s a powerful tool and each subscription service packages it differently. In Domaintools’ Personal plan, subscribers connect domains via email addresses with a limit of 3 searches per month. Domainbigdata and Domainiq can search a registrant name in addition to email addresses, with Domainbigdata presently offering this for free.
With Whoisology, every field of the registration is searchable, including phone numbers, addresses, and even the technical contact name. But, Whoisology limits these “advanced” searches to 2 per month under the Beginner Plan ($30/month). The Whois History is also limited to the most recent (or last) 8 “archived” dates. This is different from Domaintools, which provides access to every record in the database.
Hosting History connects domains through a past, common IP address. Operators can rotate domains or even DNS servers through the same servers for years. This data is available for the same date range as Whois History on the tested services with the exception of Whoisology and Whoismind, which do not track this info. DNS History and Mail Server History provide similar options to expand your investigation.
Domainiq.com provides a couple of bonus tools that you won’t find on the other services. Users can connect websites sharing Adsense publisher codes and Google Analytics account numbers. The reverse map search locates domain registrations with contact information located within the radius that you designate.
Comparison: IP Address Lookup / Domain Whois Services
Domaintools is the only Whois History service that also appears in my IP address tool list. But, IP addresses are not its greatest strength. As presented in a previous post, IP addresses and the tools that look them up aren’t always as standard as you may think.
Domaintools’ strength is that it is a database. It doesn’t conduct a fresh search to update the hosting and registration details in this database each time you search. I’ve seen Domaintools take several days to update a registration or hosting record and this is especially important with suspect websites because they can be responding to takedown notices and invalid Whois complaints at any time. Most IP address tools operate like this, as well.
For Real-time IP Address Lookups, two tools are consistently reliable: Centralops.net and HE.net. The first was developed by a software firm in the mid-1990s and the second operates the largest IPv6 backbone in the world. The credentials and the purposes behind the tools make a difference. Domaintools’ foundation is in domain speculation, not network troubleshooting. I like the interface on Domaintools, but I always verify the IP address data, including the country flag it represents.
ccTLD Lookups for country-level domains are another area where Domaintools falls behind, though they’re not alone. For extensions like .eu or .ru, the best practice and the best data is derived from that country’s or registry’s Whois search engine. Free tools like LE-Tool’s XL-Whois and Marcaria.com are smart enough to route these queries. Geo-location is just as tricky and I would recommend comparing results through services like Geobytes.com, IP2location.com, Maxmind.com, Neustar.biz, and DB-IP.com, which will read the “geoloc” field if provided in the record. Smart ccTLD and geo-location queries should be regular features of any subscription plan.
IPv6 Lookups also define the service. Many IP address lookup services can’t resolve an IPv6 number today, and that should be surprising given the rapid rise of dual IPv4/IPv6 connections. Even Domaintools is unable to resolve an IPv6 number. From our list below, only Centralops.net, HE.net, Robtex.com and TCPIPUtils.com can process IPv6 numbers. These four free tools can also resolve the IP address for a subdomain.
Reverse Lookups for IP address, DNS servers and Mail servers are great features for expanding your view of a website and its connections to the rest of the web. TCPIPUtils.com and Robtex.com make it easy to expand and explore these connections through hyperlinks. ViewDNS.info takes a different approach by focusing on its assortment of tools. TCPIPUtils charges a premium monthly fee ($25) to access this data. Both ViewDNS and Robtex were developed by engineers and their unique perspectives translate through the tools.
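The pivots discussed above (Reverse Whois on a registrant contact, Hosting History on a shared past IP address, and reverse lookups on shared DNS or mail servers) all reduce to the same join across archived snapshots. The Python below is an added example, not code from any of the reviewed services; it runs that join over constructed sample records and canonicalizes IPv4/IPv6 values with the standard library so that two spellings of the same IPv6 address still match, while privacy-protected placeholders are excluded as pivots.

```python
# Added example (not from any reviewed service): pivot across archived
# Whois/hosting snapshots on registrant email, name server and IP address.
import ipaddress
from collections import defaultdict

# Constructed sample snapshots; domains, emails and IPs are placeholders.
RECORDS = [
    {"domain": "shop-alpha.example", "date": "2012-03-01",
     "email": "ops@registrant.example", "ns": ["ns1.host.example"],
     "ip": "203.0.113.10"},
    {"domain": "shop-alpha.example", "date": "2015-06-01",
     "email": "REDACTED FOR PRIVACY", "ns": ["ns1.cdn.example"],
     "ip": "2001:db8::1"},
    {"domain": "shop-beta.example", "date": "2014-09-01",
     "email": "ops@registrant.example", "ns": ["ns2.host.example"],
     "ip": "203.0.113.20"},
    {"domain": "shop-gamma.example", "date": "2016-01-01",
     "email": "REDACTED FOR PRIVACY", "ns": ["ns1.cdn.example"],
     "ip": "2001:0db8:0000:0000:0000:0000:0000:0001"},
]

# Privacy-protected placeholders carry no signal and must never be a pivot.
NOISE = {"", "REDACTED FOR PRIVACY"}


def normalize_ip(text):
    """Canonical form of an IPv4/IPv6 address, so '2001:0db8::0001'
    and '2001:db8::1' (two spellings of one host) compare equal."""
    return str(ipaddress.ip_address(text.strip()))


def build_index(records):
    """Map each (field, value) pivot to the set of domains that carried it."""
    index = defaultdict(set)
    for rec in records:
        if rec["email"] not in NOISE:
            index[("email", rec["email"].lower())].add(rec["domain"])
        for ns in rec["ns"]:
            index[("ns", ns.lower())].add(rec["domain"])
        index[("ip", normalize_ip(rec["ip"]))].add(rec["domain"])
    return index


def related_domains(records, domain):
    """Other domains linked to `domain`, keyed by the shared pivot."""
    links = {}
    for key, domains in build_index(records).items():
        if domain in domains and len(domains) > 1:
            links[key] = sorted(domains - {domain})
    return links
```

Because older snapshots are kept alongside current ones, a link found this way may be historical rather than active, which is the same caveat noted for combined historical results above.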
Cybertoolbelt.com is the only tool on the list developed specifically for investigators. It combines some Whois History and IP address lookup features with results that are drawn from its own database. This tool is still relatively new and the database is still developing, which is one of the reasons I did not add it to the Whois Lookup list. I wasn’t able to conduct a live lookup with this tool and I received some dated information in my test queries. Some queries like the reverse DNS search also delivered combined historical data as opposed to what is currently active. Still, there are interesting features in development, which you can get more details about from the previous review. Cybertoolbelt offers a free trial and monthly subscriptions beginning at $12 per month.
In Summary: Whois and IP address lookup services vary in features and operation. The best way to learn about these services and their data is to test them with the same queries.
For Whois History and Hosting History, Domaintools.com is the clear front runner with over 15 years of data that appears to have been crawled at regular intervals. Whoisology.com offers more reverse lookup options than Domaintools, but subscribers only get full access to the History database at the $90/mo. plan. With the recent bump to $99/mo., Domaintools is the go-to service but for many that might not mean a recurring subscription.
For IP lookups, the tools still depend on the circumstance. For reverse lookups, Robtex.com and TCPIPUtils.com still have a lot to offer the online investigator.