Investigator Use
DomainTools is one of the most comprehensive domain intelligence platforms available, providing WHOIS data with extensive history, reverse WHOIS searches, infrastructure correlation, and domain monitoring capabilities. Used by fraud investigators, threat analysts, law enforcement, and corporate security teams, DomainTools connects domain ownership data across time to reveal the full context behind any domain registration.
What investigators use DomainTools for: tracing historical WHOIS ownership to identify who registered a domain before privacy protection was applied, performing reverse WHOIS searches to find all domains registered by the same entity, analyzing domain risk scores, discovering domain infrastructure connections, and monitoring domains for changes in registration or configuration.
What DomainTools exposes: current and historical WHOIS records with registrant, technical, and administrative contact data, reverse WHOIS results linking domains by shared registrant email, phone, or name, hosting history showing IP addresses a domain has resolved to over time, registrar transfer history, domain risk scores based on registration patterns and infrastructure, and the Iris Investigate platform for visual link analysis across domain portfolios.
Reverse WHOIS is DomainTools' most powerful OSINT capability. Investigators search by registrant email, phone number, or name to find all domains ever registered with that identifier. This technique reveals the full scope of an actor's domain portfolio — including domains used in previous campaigns, domains that have since expired, and active infrastructure not yet associated with the actor.
For threat actor attribution: when a registrant uses a distinctive email address or phone number across multiple domain registrations, DomainTools links those registrations into a coherent actor profile. Even when registrants use privacy services, historical WHOIS records from before privacy protection was enabled often contain real contact information.
Access model: DomainTools requires a paid subscription for most features. The free WHOIS lookup at whois.domaintools.com provides basic current registration data, while the Iris Investigate platform and reverse WHOIS capabilities require enterprise access.
In a workflow: after identifying a suspicious domain from threat intelligence or phishing analysis, use DomainTools to check its registration history from before privacy protection was applied. Run a reverse WHOIS search on any discovered email or phone number to map related domains. Feed the resulting domain portfolio into DNS History and Shodan to enumerate the full infrastructure.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6.
Cert Graph Crawler
Domain OSINT
An open source intelligence tool to crawl the graph of certificate Alternate Names.
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
DNS Twister
Domain OSINT
DNS Twister generates and monitors domain permutations for typosquatting detection, brand protection, and phishing infrastructure discovery.
DomainIQ
Domain OSINT
DomainIQ provides WHOIS research, domain name investigation, brand protection tools, and cybercrime attribution resources.