Reverse WHOIS refers to retrieving all the available information about a particular domain name. For example, you can take any detail typically seen on a WHOIS record (a domain owner’s name, company name, or email address, among others) and search for all domain names whose WHOIS records contain that same data point.
Think of it this way: say you witnessed a hit-and-run incident and wish to report the perpetrator to the police, so you noted down the car’s plate number. To find out who the driver is, investigators can run the plate number against the vehicle registration database to determine the car’s owner. If the owner was driving, he/she can be charged; if not, he/she can point the police officers in the right direction. In this scenario, searching the vehicle registration database for the car owner’s name using the plate number as input is the reverse WHOIS process.
Reverse WHOIS lookups rely on the information indicated in domain names’ WHOIS records. But before going deep into the process, let’s talk about WHOIS first.
What Is WHOIS?
While WHOIS may look like an acronym, it isn’t. Pronounced as “who is,” it is a query and response protocol widely used to query databases that store information on the registered users of Internet resources, such as domain names or IP addresses. Any reverse WHOIS tool user can access and read the database’s content.
What Information Can Reverse WHOIS Provide?
A reverse WHOIS search provides the following information:
- Domain name
- Domain’s age, including the domain’s creation, last update, and expiration dates
- Domain’s registrar
- Domain’s WHOIS server(s)
- Domain’s nameserver(s)
- Domain’s status
- Domain’s registrant, administrative, and billing details, including:
  - Contact’s name
  - Contact’s organization name
  - Contact’s complete street address (including city, state/province, postal code, and country), phone number, and email address
What Search Terms Can You Use to Perform a Reverse WHOIS Search?
You can use any information seen on a WHOIS record as a reverse WHOIS search term. Here’s an example using the name of infamous cybersquatter John Zuccarini as a registrant name search term.
The reverse WHOIS search tool we used showed 48 domains that contained the exact match of his name in the Registrant Contact: Name field.
You can also use any of the following as reverse WHOIS search terms; each returns the results listed beside it.

| Search term | Results |
| --- | --- |
| Domain name (e.g., threat[.]media) | All domain names containing the same string |
| Nameserver (e.g., carl[.]ns[.]cloudflare[.]com) | All domain names that share the same nameserver |
| WHOIS server (e.g., whois[.]godaddy[.]com/) | All domain names that share the same WHOIS server |
| Status (e.g., clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited) | All domain names with the same status |
| Registrar name (e.g., GoDaddy.com, LLC) | All domain names managed by the same registrar |
| Email address (only appears if the domain’s WHOIS record isn’t privacy-protected) | All domain names registered using the same email address |
| Registrant/administrator/billing contact’s name, organization, email address, city, country, postal code, state, street address, phone number, or fax number (only appear if the domain’s WHOIS record isn’t privacy-protected) | All domain names with the same registrant/administrator/billing contact details |
What Are the Benefits of Reverse WHOIS?
Reverse WHOIS searches are helpful for cybercrime investigations, threat intelligence gathering, and brand protection.
- Using publicized indicators of compromise (IoCs) as reverse WHOIS search terms can lead to discovering other domains that could be related to a specific threat. An investigation into web defacers, for instance, uncovered 20,000+ domains that shared registrant email addresses with domains identified as threat IoCs.
- You can create attack profiles with a cyber attacker’s name, alias, or email address. Reverse WHOIS searches allow you to retrieve domains that could be part of a threat infrastructure.
- Collate a list of all the domain names that have ties to a malicious campaign, threat actor, or criminal enterprise via reverse WHOIS searches.
- Catch potential trademark infringers using your brand name or trademark as a search term. Compile the information you obtained to serve as evidence when you file for a Uniform Domain-Name Dispute-Resolution Policy (UDRP) complaint.
What Are the Uses of Reverse WHOIS?
You can use reverse WHOIS tools to:
- Enrich cybercrime investigations: Given a cybercriminal’s email address, for example, you can compile a list of associated domains that could be part of the attacker’s infrastructure. If you’re a member of an organization’s IT security team, you can then block access to the web properties you identified to strengthen network protection. All the information can also be made part of the attacker’s profile.
- Enhance brand protection efforts: If you’re a brand protection agent, you can uncover potential trademark infringers by using a brand or trademark as a search term. The reverse WHOIS lookup results can help you gather more conclusive evidence for litigation.
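The search-terms table above and the IoC-pivoting use just described both come down to the same operation: indexing WHOIS records by field and asking which domains share a value. The following Python is an added example written for this page; it is not the article’s code and not any vendor’s reverse WHOIS API. The records, domain names, contact values and field names are all constructed assumptions. It also handles the caveat the table hints at with “only appears if the domain’s WHOIS record isn’t privacy-protected”: a privacy placeholder such as “REDACTED FOR PRIVACY” is itself a value, and pivoting on it would link every privacy-protected domain to your seed, so the pivot skips such values.

```python
"""Toy reverse WHOIS lookup over a small set of constructed WHOIS records.

Added example for illustration only; the records, domains, names and
addresses below are placeholders and describe no real registrant.
"""
from collections import defaultdict

# Constructed, parsed WHOIS records. Field names are assumptions modelled on
# the fields a WHOIS record commonly carries (registrar, status, contacts...).
RECORDS = [
    {"domain": "example-shop.test", "registrar": "Registrar A",
     "whois_server": "whois.registrar-a.test",
     "nameservers": ["ns1.host-x.test", "ns2.host-x.test"],
     "status": ["clientTransferProhibited"],
     "registrant_name": "J. Doe", "registrant_email": "jdoe@mail.test"},
    {"domain": "example-shop-login.test", "registrar": "Registrar A",
     "whois_server": "whois.registrar-a.test",
     "nameservers": ["ns1.host-x.test"],
     "status": ["clientTransferProhibited", "clientDeleteProhibited"],
     "registrant_name": "J. Doe", "registrant_email": "jdoe@mail.test"},
    {"domain": "unrelated.test", "registrar": "Registrar B",
     "whois_server": "whois.registrar-b.test",
     "nameservers": ["ns1.host-y.test"], "status": ["ok"],
     "registrant_name": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY"},
    {"domain": "another-private.test", "registrar": "Registrar B",
     "whois_server": "whois.registrar-b.test",
     "nameservers": ["ns1.host-y.test"], "status": ["ok"],
     "registrant_name": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY"},
    {"domain": "brand-support.test", "registrar": "Registrar C",
     "whois_server": "whois.registrar-c.test",
     "nameservers": ["ns1.host-x.test"],
     "status": ["clientTransferProhibited"],
     "registrant_name": "Brand Inc.", "registrant_email": "abuse@brand.test"},
]

# Common privacy-protection placeholders (assumed list). They carry no
# identifying information, so a pivot on them would link unrelated domains.
REDACTED_MARKERS = {"REDACTED FOR PRIVACY", "DATA REDACTED", "NOT DISCLOSED"}


def is_redacted(value):
    """True for empty values or known privacy-protection placeholders."""
    return not value or value.strip().upper() in REDACTED_MARKERS


def build_index(records):
    """Inverted index: (field, normalized value) -> set of domain names.
    Multi-valued fields (nameservers, status) index each value separately."""
    index = defaultdict(set)
    for rec in records:
        for field, value in rec.items():
            values = value if isinstance(value, list) else [value]
            for v in values:
                index[(field, v.strip().lower())].add(rec["domain"])
    return index


INDEX = build_index(RECORDS)


def reverse_whois(field, term, index=INDEX):
    """Return the sorted domains whose `field` matches `term`.
    The 'domain' field uses substring matching, mirroring 'all domain names
    containing the same string'; every other field is an exact match."""
    term = term.strip().lower()
    if field == "domain":
        return sorted(d for (f, v), ds in index.items()
                      if f == "domain" and term in v for d in ds)
    return sorted(index.get((field, term), set()))


def pivot_from_ioc(seed_domain, records=RECORDS, index=INDEX,
                   fields=("registrant_email", "registrant_name")):
    """Given a known-bad seed domain, find other domains that share its
    contact details. Returns {domain: [matching fields]}. Redacted values
    are skipped so a privacy placeholder never becomes a pivot."""
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None:
        return {}
    related = {}
    for field in fields:
        value = seed.get(field)
        if is_redacted(value):
            continue
        for d in reverse_whois(field, value, index):
            if d != seed_domain:
                related.setdefault(d, []).append(field)
    return related


if __name__ == "__main__":
    print(reverse_whois("nameservers", "ns1.host-x.test"))
    print(pivot_from_ioc("example-shop.test"))
    print(pivot_from_ioc("unrelated.test"))  # {} : redacted contact skipped
```

Running `reverse_whois("registrant_email", "REDACTED FOR PRIVACY")` directly still returns both privacy-protected domains, which is exactly why `pivot_from_ioc` refuses to use such a value as a seed: the match is real, but the relationship it implies is not.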
What Forms Do Reverse WHOIS Tools Come In?
There are at least three common forms of reverse WHOIS tools—an application programming interface (API), a web lookup tool (like this one, for instance), and a database.
Organizations that want to integrate reverse WHOIS capabilities into their existing software can use the API. Meanwhile, those who don’t need to but still need the information reverse WHOIS searches provide can use a readily accessible web tool. Finally, users who can analyze massive databases can opt for a reverse WHOIS database. This format can also be integrated into existing systems.
You now know what reverse WHOIS is. With its help, you can implement better cybersecurity for your business, enhance your investigations if you’re in law enforcement, or protect your brand and, ultimately, business reputation.