
DNS, WHOIS and crt.sh


DNS Lookup

Queries all types of DNS records for a domain.

from src.tools.dns_tool import dns_lookup
result = await dns_lookup("acme-corp.com")

Records it queries

| Record | What it contains |
|--------|------------------|
| A      | IPv4 address of the domain |
| AAAA   | IPv6 address of the domain |
| MX     | Mail servers |
| NS     | Name servers |
| TXT    | Free text: SPF, DKIM, ownership verifications |
| CNAME  | Alias to another domain |
| SOA    | Start of Authority: primary nameserver and zone administrator contact |

What to look for

  • MX records: unusual email providers may indicate use of anonymous services
  • SPF/TXT: absence of SPF facilitates domain spoofing
  • NS: cheap or “bulletproof” registrar nameservers are red flags
  • Low TTL: may indicate a domain prepared for rapid infrastructure changes (fast-flux or DGA-style operations)

Example output

[DNS] evil-phishing.com
├─ A: 185.220.101.34
├─ MX: mail.evil-phishing.com (priority 10)
├─ NS: ns1.bulletproof-hosting.ru, ns2.bulletproof-hosting.ru
└─ TXT: "v=spf1 include:mailchimp.com ~all"
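The "what to look for" checks above can be applied mechanically once the answers are in hand. The following is an added example, not the project's own code: it assumes the DNS answers have been collected into the plain dict shape shown (an assumption; the real return value of `dns_lookup` may be structured differently), uses a constructed record set mirroring the evil-phishing.com output above, and reports the SPF, MX and TTL red flags. The 300-second "low TTL" threshold is likewise an assumption.

```python
# Added example, not the project's code. Assumes DNS answers already sit in a
# dict of record type -> list of {"value", "ttl", ...} (an assumed shape).

LOW_TTL_SECONDS = 300  # assumption: TTLs at or below this count as "low"

# Constructed sample, mirroring the evil-phishing.com output shown on this page.
SAMPLE_RECORDS = {
    "A":   [{"value": "185.220.101.34", "ttl": 60}],
    "MX":  [{"value": "mail.evil-phishing.com", "priority": 10, "ttl": 60}],
    "NS":  [{"value": "ns1.bulletproof-hosting.ru", "ttl": 3600},
            {"value": "ns2.bulletproof-hosting.ru", "ttl": 3600}],
    "TXT": [{"value": '"v=spf1 include:mailchimp.com ~all"', "ttl": 60}],
}


def parse_spf(txt_records):
    """Return the mechanisms of the first v=spf1 TXT record, or None if absent."""
    for rec in txt_records:
        value = rec["value"].strip().strip('"')
        if value.lower().startswith("v=spf1"):
            return value.split()[1:]
    return None


def min_ttl(records):
    """Lowest TTL across every record set, or None when there are no records."""
    ttls = [r["ttl"] for recs in records.values() for r in recs if "ttl" in r]
    return min(ttls) if ttls else None


def dns_findings(records, low_ttl=LOW_TTL_SECONDS):
    """Turn a record dict into a list of human-readable red flags."""
    findings = []

    spf = parse_spf(records.get("TXT", []))
    if spf is None:
        findings.append("no SPF record: mail spoofing the domain is not restricted")
    else:
        # The trailing "all" qualifier decides what happens to unlisted senders.
        if spf and spf[-1] in ("+all", "all"):
            findings.append("SPF ends with +all: any host may send as this domain")
        elif spf and spf[-1] == "~all":
            findings.append("SPF softfail (~all): spoofed mail is flagged, not rejected")
        for mech in spf:
            if mech.startswith("include:"):
                findings.append(f"SPF authorises third-party sender {mech[len('include:'):]}")

    if not records.get("MX"):
        findings.append("no MX record: domain does not receive mail")

    ttl = min_ttl(records)
    if ttl is not None and ttl <= low_ttl:
        findings.append(f"low TTL ({ttl}s): infrastructure prepared for rapid change")

    return findings


if __name__ == "__main__":
    for line in dns_findings(SAMPLE_RECORDS):
        print("-", line)
```

Feed it the records of a domain you administer and an empty list is the goal; each finding maps directly onto one bullet in the list above, so the output doubles as a remediation checklist (publish SPF, tighten `~all` to `-all`, review every `include:`).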

WHOIS Lookup

Queries domain registration information.

from src.tools.whois_tool import whois_lookup
result = await whois_lookup("acme-corp.com")

Information it returns

| Field | Description |
|-------|-------------|
| registrar | Company through which the domain was registered |
| creation_date | Original registration date |
| expiration_date | Expiration date |
| updated_date | Last update |
| name_servers | Current nameservers |
| status | Status (active, redemptionPeriod, etc.) |
| registrant | Registrant (if not hidden by privacy protection) |
| emails | Contact emails |

Red flags in WHOIS

  • Very recent registration (< 30 days): phishing domains are usually new
  • Expiration soon: likely a temporary, throwaway domain
  • Privacy protection: hides registrant data (common but relevant)
  • “Bulletproof” registrar: some registrars are known to ignore abuse
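The age, expiry and privacy red flags above reduce to date arithmetic and string matching on the fields listed in the table. The following is an added example, not the project's own code: it assumes `whois_lookup` returns a dict with the field names documented above (an assumption about the exact shape), takes the reference date as a parameter so results are reproducible, and uses constructed WHOIS records. The privacy-marker and lapsing-status word lists are assumptions and not exhaustive.

```python
# Added example, not the project's code. Assumes a WHOIS result dict using the
# field names from the table above (an assumed shape).
from datetime import datetime, timedelta

# Strings that commonly appear in redacted WHOIS fields (assumption, not exhaustive).
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "data protected")
# EPP statuses meaning the registration is lapsing (assumption; lower-case fragments).
LAPSING_STATUSES = ("redemptionperiod", "pendingdelete")

SAMPLE_TODAY = datetime(2024, 6, 5)  # fixed reference date for reproducible output

# Constructed sample: a recently registered, privacy-protected domain.
SAMPLE_WHOIS = {
    "registrar": "Example Registrar, Inc.",
    "creation_date": datetime(2024, 5, 20),
    "expiration_date": datetime(2025, 5, 20),
    "updated_date": datetime(2024, 5, 20),
    "name_servers": ["ns1.bulletproof-hosting.ru", "ns2.bulletproof-hosting.ru"],
    "status": ["clientTransferProhibited"],
    "registrant": "REDACTED FOR PRIVACY",
    "emails": ["abuse@registrar.example"],
}

# Constructed sample: an old domain about to lapse.
SAMPLE_WHOIS_LAPSING = dict(
    SAMPLE_WHOIS,
    creation_date=[datetime(2019, 1, 1), datetime(2019, 1, 1)],  # some parsers return lists
    expiration_date=SAMPLE_TODAY + timedelta(days=10),
    status=["redemptionPeriod https://icann.org/epp#redemptionPeriod"],
    registrant="Jane Doe",
)


def _earliest(value):
    """WHOIS parsers sometimes return a list of dates when a record repeats a field."""
    if isinstance(value, list):
        return min(value) if value else None
    return value


def whois_findings(record, today, new_days=30, expiry_days=90):
    """Return the WHOIS red flags for one record, evaluated as of `today`."""
    findings = []

    created = _earliest(record.get("creation_date"))
    if created is not None:
        age = (today - created).days
        if age < new_days:
            findings.append(f"registered {age} days ago (< {new_days}): typical of phishing domains")

    expires = _earliest(record.get("expiration_date"))
    if expires is not None:
        left = (expires - today).days
        if left < expiry_days:
            findings.append(f"expires in {left} days: likely a temporary domain")

    for status in record.get("status", []):
        if any(m in status.lower() for m in LAPSING_STATUSES):
            findings.append(f"status {status.split()[0]}: registration is lapsing")

    registrant = record.get("registrant") or ""
    if any(m in registrant.lower() for m in PRIVACY_MARKERS):
        findings.append("registrant hidden behind a privacy service")

    return findings


if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_WHOIS), ("lapsing", SAMPLE_WHOIS_LAPSING)):
        print(name, whois_findings(rec, SAMPLE_TODAY))
```

Passing `today` explicitly rather than calling `datetime.now()` inside the function keeps the check deterministic, which matters when findings are stored alongside the evidence they were derived from.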

Limitations

With GDPR, most WHOIS anonymizes registrant data. For more complete info use RDAP or premium services like DomainTools.


crt.sh — Certificate Transparency

Certificate Transparency is a public, append-only log of the TLS certificates issued by publicly trusted CAs. crt.sh indexes those logs and allows searching them for subdomains.

from src.tools.crtsh import crtsh_lookup
result = await crtsh_lookup("acme-corp.com")

What it returns

List of subdomains found in certificates issued for that domain:

[crt.sh] acme-corp.com
├─ mail.acme-corp.com
├─ vpn.acme-corp.com
├─ staging.acme-corp.com
├─ admin.acme-corp.com
├─ api-internal.acme-corp.com
└─ dev.acme-corp.com ← Interesting!

Why it’s useful

Publicly trusted TLS certificates are logged by design, including those issued for internal subdomains that never appear in public DNS. crt.sh therefore reveals infrastructure that the target has not intentionally made visible.

Additional techniques

  • Wildcard search: search %.acme-corp.com to find any subdomain
  • Search for the domain in the CN (Common Name) and SANs (Subject Alternative Names)
  • Correlate with DNS results to identify active vs inactive subdomains
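Turning crt.sh results into a usable subdomain list takes a little normalisation: the JSON output packs several names per certificate into `name_value` separated by newlines, wildcard certificates appear as `*.example`, case varies, and similar-name certificates must be filtered out. The following is an added example, not the project's own code, covering both the wildcard/CN/SAN extraction and the DNS correlation bullets above. It assumes the `id`, `common_name` and `name_value` fields of crt.sh's `output=json` response, uses a constructed response and a constructed set of DNS resolutions (the `203.0.113.0/24` documentation range), and does not touch the network.

```python
# Added example, not the project's code. Assumes crt.sh's JSON output carries
# "id", "common_name" and "name_value" (newline-separated SANs) per certificate.
import json

TARGET = "acme-corp.com"

# Constructed sample of a crt.sh response for the wildcard query %.acme-corp.com.
# Real responses carry more fields; only the ones used here are included.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "acme-corp.com",
     "name_value": "acme-corp.com\nwww.acme-corp.com"},
    {"id": 2, "common_name": "*.acme-corp.com",
     "name_value": "*.acme-corp.com\nacme-corp.com"},          # wildcard cert
    {"id": 3, "common_name": "vpn.acme-corp.com",
     "name_value": "vpn.acme-corp.com\nmail.acme-corp.com"},   # SAN cert
    {"id": 4, "common_name": "DEV.acme-corp.com",
     "name_value": "DEV.acme-corp.com"},                       # mixed case
    {"id": 5, "common_name": "acme-corporation.com",
     "name_value": "acme-corporation.com\nlogin.acme-corporation.com"},  # similar-name false positive
    {"id": 6, "common_name": "api-internal.acme-corp.com",
     "name_value": "api-internal.acme-corp.com"},
])

# Constructed DNS resolutions (e.g. the A records from the DNS tool); an empty
# list stands for NXDOMAIN, a missing key for "not looked up".
SAMPLE_RESOLVED = {
    "acme-corp.com": ["203.0.113.10"],
    "www.acme-corp.com": ["203.0.113.10"],
    "mail.acme-corp.com": ["203.0.113.25"],
    "vpn.acme-corp.com": ["203.0.113.30"],
    "dev.acme-corp.com": [],   # certificate was issued, host no longer resolves
}


def subdomains_from_crtsh(raw_json, domain):
    """Extract the unique, lower-cased names under `domain` from CN and SANs."""
    names = set()
    suffix = "." + domain.lower()
    for entry in json.loads(raw_json):
        candidates = set(entry["name_value"].split("\n"))
        candidates.add(entry["common_name"])
        for name in candidates:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]            # wildcard cert: keep the zone it covers
            # Exact-suffix match drops look-alikes such as acme-corporation.com.
            if name == domain.lower() or name.endswith(suffix):
                names.add(name)
    return sorted(names)


def correlate_with_dns(names, resolved):
    """Mark each name active (resolves to at least one address) or inactive."""
    return {n: ("active" if resolved.get(n) else "inactive") for n in names}


if __name__ == "__main__":
    found = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, TARGET)
    for name, state in correlate_with_dns(found, SAMPLE_RESOLVED).items():
        print(f"{name:32} {state}")
```

Names that appear in certificates but no longer resolve are worth a second look from the owner's side as well: they are hosts that were once provisioned and may have been decommissioned without their DNS, certificates or documentation being cleaned up.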

Limitations

  • Only shows subdomains that have had a publicly trusted TLS certificate; hosts served over plain HTTP only, or with self-signed or internal-CA certificates, do not appear
  • There may be false positives from certificates of companies with similar names