Domain History
The Domain History panel shows how a domain has evolved over time, tracking changes to WHOIS data, DNS records, web content, screenshots, and SSL certificates. It replaces the legacy Hosting History service with broader coverage across all domains tracked by DomainTools.
What's tracked
Domain History monitors changes to these data elements:
| Data Element | Description |
|---|---|
| Status | When DomainTools sees a domain as newly active, or when we've successfully resolved the domain to an A, MX, or NS record in DNS within the last 10 days |
| WHOIS data | Create/expiration dates, registrar and registrant names, contact emails, and more |
| DNS data | Results of daily active DNS resolutions for A, NS, MX, and SOA records |
| Web content | Website title, response code, server type, trackers, and more |
| Screenshots | The date/time when a new screenshot is captured |
| SSL Certificate updates | The SHA-1 hash, validity dates, Issuer Common Name, and up to the first 5 Subject Alt Names |
How it works
The system tracks each data element for differential changes and generates records when a value in a tracked field changes.
Visual indicators
- Green shading: Newly added elements
- Short vertical bar: Marks new elements
- No special formatting: Unchanged elements
This makes it easy to scan the timeline and identify when changes occurred.
Filter by category
Filter the Domain History display by primary and secondary categories:
1. Select the gear icon on the left of the Domain History panel title bar.
2. Open Domain History: Fields Settings.
3. Choose which categories to display.
4. Select Save.
Toggle visibility of filtered categories using the Field button in the panel's column rows.
Coverage
Domain History is available for:
- Over 98% of active domains
- All domains created since 2021
For additional historical information:
- Legacy Hosting History Data Panel (via the Investigate UX)
- 20+ years of records in the WHOIS History Data Panel
Use Domain History
Track infrastructure changes
Monitor how a domain's infrastructure evolves:
- IP address changes: Identify hosting migrations
- Name server changes: Track DNS provider changes
- MX record changes: Monitor email infrastructure
- SSL certificate updates: Track certificate renewals or changes
Identify suspicious patterns
Look for patterns that may indicate malicious activity:
- Rapid changes: Frequent infrastructure changes may indicate evasion
- Hosting hops: Moving between hosting providers
- Certificate changes: Unusual SSL certificate patterns
- Content changes: Website title or server type modifications
Investigate campaigns
Track the lifecycle of threat campaigns:
- Initial setup: When infrastructure was established
- Active period: Duration of activity
- Takedown or abandonment: When infrastructure changed or went offline
Compare with other panels
Domain History complements other panels:
- vs. WHOIS History: Domain History shows differential changes across all tracked fields; WHOIS History provides complete historical WHOIS records.
- vs. pDNS: Domain History shows when DNS records changed; pDNS provides detailed resolution history with timestamps.
- vs. Screenshot History: Domain History indicates when screenshots were captured; Screenshot History displays the actual screenshots.
Best practices
Efficient analysis
- Scan for green highlights: Focus on changed elements.
- Look for patterns: Identify clusters of changes.
- Cross-reference dates: Compare with other intelligence sources.
- Filter strategically: Show only relevant categories.
Investigation workflow
1. Review Domain Profile: Get current state.
2. Open Domain History: Identify changes over time.
3. Investigate changes: Use other panels for details.
4. Document timeline: Note significant changes in search notes.
What to look for
Legitimate patterns:
- Gradual, planned infrastructure changes
- Consistent hosting and DNS providers
- Regular SSL certificate renewals
- Stable web content
Suspicious patterns:
- Rapid, frequent changes
- Hosting provider hopping
- Unusual SSL certificate patterns
- Inconsistent web content
- Changes correlating with threat intelligence
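The "rapid, frequent changes" pattern above can be checked mechanically once a change timeline has been transcribed. The following is an added example, not DomainTools code or its data format: the snapshots, the field names, the 7-day window and the threshold of 3 changes are all constructed assumptions. It derives differential change records from per-day observations, then flags bursts of changes to a single field.

```python
from datetime import date, timedelta

# Constructed observations for a hypothetical domain (not DomainTools output).
# Each snapshot maps a tracked field to the set of values seen on that day.
SNAPSHOTS = [
    (date(2024, 3, 1), {"A": {"192.0.2.10"}, "NS": {"ns1.example.net"}, "cert_sha1": {"aa11"}}),
    (date(2024, 3, 2), {"A": {"192.0.2.10"}, "NS": {"ns1.example.net"}, "cert_sha1": {"aa11"}}),
    (date(2024, 3, 3), {"A": {"198.51.100.7"}, "NS": {"ns1.example.net"}, "cert_sha1": {"aa11"}}),
    (date(2024, 3, 4), {"A": {"203.0.113.5"}, "NS": {"ns1.example.org"}, "cert_sha1": {"bb22"}}),
    (date(2024, 3, 6), {"A": {"192.0.2.99"}, "NS": {"ns1.example.org"}, "cert_sha1": {"bb22"}}),
    (date(2024, 4, 20), {"A": {"192.0.2.99"}, "NS": {"ns1.example.org"}, "cert_sha1": {"cc33"}}),
]

def diff_records(snapshots):
    """Emit one record per field whose value set changed since the previous snapshot."""
    records = []
    for (_, prev), (day, cur) in zip(snapshots, snapshots[1:]):
        for field in sorted(set(prev) | set(cur)):
            old, new = prev.get(field, set()), cur.get(field, set())
            if old != new:
                records.append({"date": day, "field": field,
                                "added": sorted(new - old), "removed": sorted(old - new)})
    return records

def rapid_change_windows(records, field, window_days=7, threshold=3):
    """Return (first_day, last_day, count) for each burst of at least `threshold`
    changes to `field` that fits inside `window_days`. Bursts do not overlap."""
    days = sorted(r["date"] for r in records if r["field"] == field)
    bursts, i = [], 0
    while i < len(days):
        j = i
        # Extend the window while the next change is still within window_days of the first.
        while j + 1 < len(days) and days[j + 1] - days[i] < timedelta(days=window_days):
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((days[i], days[j], count))
            i = j + 1
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    recs = diff_records(SNAPSHOTS)
    for r in recs:
        print(r["date"], r["field"], "+", r["added"], "-", r["removed"])
    print("A-record bursts:", rapid_change_windows(recs, "A"))
```

A change that happens and reverts between two snapshots produces no record, so a quiet timeline here does not prove the infrastructure was stable.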
Limitations
- Historical data availability depends on DomainTools' data collection history
- Very old domains may have incomplete historical records
- Some changes may not be captured if they occur between collection intervals
See also
- Domain Profile: Current domain snapshot
- WHOIS History: Complete historical WHOIS records
- pDNS Panel: Detailed DNS resolution history
- Screenshot History: Visual website history