Investigator Use
SecurityTrails is a domain and DNS intelligence platform providing historical DNS records, subdomain discovery, current and historical WHOIS data, and associated IP infrastructure for any domain. It is one of the most comprehensive sources for passive DNS data available to investigators, maintaining years of historical records across hundreds of millions of domains.
What investigators use SecurityTrails for: discovering all subdomains associated with a target domain, viewing historical DNS A, MX, NS, and TXT records to understand infrastructure changes over time, finding other domains that previously pointed to the same IP address, and identifying the true IP of hosts currently behind Cloudflare or other proxies.
What data SecurityTrails exposes: current and historical DNS records for any domain, subdomain lists generated from passive DNS and certificate transparency, associated IP addresses and their hosting history, WHOIS registration history with registrar changes, mail server configurations, and linked domains that share infrastructure characteristics.
Historical DNS data is one of SecurityTrails' most valuable features for OSINT. When a domain operator moves their servers behind Cloudflare, the real IP is hidden — but SecurityTrails often shows the A record that existed before the CDN was put in place. This technique, called origin IP discovery, is critical in domain attribution investigations.
Subdomain enumeration: SecurityTrails' subdomain endpoint returns hundreds or thousands of subdomains for large organizations, many of which will not appear in certificate transparency logs or standard enumeration tools. These subdomains often expose staging environments, internal tools, and forgotten test servers.
API access: SecurityTrails offers a free tier with limited daily queries, a personal plan for researchers, and enterprise plans with bulk API access. The free tier provides enough for basic investigations, but large-scale subdomain enumeration requires a paid plan.
In a workflow: use SecurityTrails immediately after identifying a target domain. Run subdomain discovery, then check historical A records for each subdomain to identify real IP addresses. Feed discovered IPs into Shodan and Censys to enumerate exposed services. Cross-reference WHOIS history to identify registrant changes that might indicate domain transfer or seizure.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, and ping, plus Central Ops' own Domain Dossier and Email Dossier. Works with IPv6.
Cert Graph Crawler
Domain OSINT
An open source intelligence tool to crawl the graph of certificate Alternate Names.
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
DNS Twister
Domain OSINT
DNS Twister generates and monitors domain permutations for typosquatting detection, brand protection, and phishing infrastructure discovery.
DomainTools
Domain OSINT
DomainTools provides WHOIS lookup, IP history, domain ownership records, and reverse WHOIS for domain and infrastructure investigation.