ZeroTrace OSINT
DNS History
Historical IP-to-host mappings — find old infrastructure, abandoned subdomains, pre-migration footprints.
DNS history answers two questions: "what did this domain resolve to in the past?" and "what other hosts has this IP served over time?". A live DNS lookup cannot answer either one.
The tool combines public passive-DNS sources to reconstruct the historical view.
Two views
The tool offers two perspectives:
| View | Input | Output |
|---|---|---|
| By host | Domain name | Every IP that has historically served the domain, with first / last seen dates where the source provides them |
| By IP | IP address | Every domain that has historically resolved to the IP, useful for finding co-hosted infrastructure across time |
Why history matters
A few investigative scenarios where history beats live DNS:
- Migration tracking. A company moved from on-prem to cloud: when, and from where to where? The IP timeline tells you.
- Abandoned subdomains. A subdomain that resolved a year ago and no longer does may still be live in archive caches, may still hold credentials in old links, may even still be claimable (subdomain takeover risk).
- Shared-hosting reconnaissance. An IP that once hosted ten domains may still be hosting eight. Historical co-tenancy reveals the network of operators behind related domains.
- Domain repurposing. The same domain name resolving to wildly different IPs over time often signals ownership changes, takeovers, or domain marketplaces.
What the result shows
For host queries:
| Column | What it tells you |
|---|---|
| IP | The historical IP |
| First seen | When the source first observed this IP for this host |
| Last seen | When the source last observed this IP for this host |
| Source | Which passive-DNS feed contributed the record |
For IP queries: the same columns, with the host and IP swapped.
Pivots from a history result
| Click on... | Pivot to |
|---|---|
| Historical IP | IP geolocation, ASN lookup, reverse DNS, IP reputation |
| Historical host | Live DNS lookup, WHOIS, certificate transparency |
The cross-pivots are particularly valuable. Pivoting from a historical co-tenant to WHOIS sometimes reveals a registrant pattern that ties an entire infrastructure cluster together.
DNS history is the tool that turns a single-domain investigation into an infrastructure-graph investigation. Run it against any IP that hosts your target — the other tenants will surprise you more often than you expect.
Coverage caveats
Passive-DNS feeds are best-effort. They depend on what their vantage points happened to observe. Coverage skews toward:
- Domains popular enough to have appeared in queries the feed could see.
- IPs with web services exposed and crawled.
- Records that lived long enough to be captured.
A blank history result does not mean a domain has no history — it means the feeds we query did not see one. Cross-check with WHOIS created/updated dates if a domain looks suspiciously new.
Sources
- HackerTarget passive DNS.
- AlienVault OTX passive DNS.
Both sources are queried in parallel; the tool merges and dedupes the results, surfacing the source per row.
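The merge-and-dedupe step and the two views described above can be sketched as follows. This is an added example, not the tool's own code: the row shape, the function names, the sample rows, and the merge policy (earliest first seen, latest last seen, union of sources) are all assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample rows in an assumed normalized shape:
# (host, ip, first_seen, last_seen, source); dates are None when a feed omits them.
FEED_A = [
    ("www.example.com", "192.0.2.10", date(2021, 3, 1), date(2022, 6, 30), "hackertarget"),
    ("old.example.com", "192.0.2.10", None, None, "hackertarget"),
    ("WWW.Example.com.", "198.51.100.7", date(2022, 7, 1), date(2024, 1, 15), "hackertarget"),
]
FEED_B = [
    ("www.example.com", "192.0.2.10", date(2020, 11, 12), date(2022, 5, 2), "otx"),
    ("www.example.com", "198.51.100.7", date(2022, 8, 9), None, "otx"),
]

def normalize(host, ip):
    """Canonical key: lowercase host without trailing dot, canonical IP text."""
    return host.strip().rstrip(".").lower(), str(ipaddress.ip_address(ip))

def merge_history(*feeds):
    """Dedupe on (host, ip); widen the seen window and keep every contributing source."""
    merged = {}
    for feed in feeds:
        for host, ip, first, last, source in feed:
            row = merged.setdefault(normalize(host, ip),
                                    {"first_seen": None, "last_seen": None, "sources": set()})
            if first and (row["first_seen"] is None or first < row["first_seen"]):
                row["first_seen"] = first
            if last and (row["last_seen"] is None or last > row["last_seen"]):
                row["last_seen"] = last
            row["sources"].add(source)
    return merged

def by_host(merged, host):
    """IP timeline for one host, oldest first; undated rows sort last."""
    host = host.strip().rstrip(".").lower()
    rows = [(ip, r["first_seen"], r["last_seen"], sorted(r["sources"]))
            for (h, ip), r in merged.items() if h == host]
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or date.min))

def by_ip(merged, ip):
    """Every host that has been observed on one IP."""
    ip = str(ipaddress.ip_address(ip))
    return sorted(h for (h, i) in merged if i == ip)

if __name__ == "__main__":
    merged = merge_history(FEED_A, FEED_B)
    for row in by_host(merged, "www.example.com"):
        print(row)
    print(by_ip(merged, "192.0.2.10"))
```

Normalizing the key before deduping matters: without it, `WWW.Example.com.` and `www.example.com` would appear as separate rows and split the timeline.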