Obtain WHOIS history for a domain

Silent Push enables security teams to track WHOIS record changes for a domain, visualizing its movement across IP space and potential ties to malicious infrastructure.

Obtain a WHOIS history

  1. Navigate to DNS Data > WHOIS History.

  2. Specify a domain.

  3. Use the Collected Before and Collected After fields to set a timeline.

  4. Click Search.

Work with WHOIS results

Results display on the Explore screen with:

  1. WHOIS Record First Created: Initial registration date.

  2. Latest SOA Record: Current zone authority details.

  3. Nameserver Reputation Scores: Risk assessment for each nameserver.

A graphical timeline shows WHOIS changes within the specified dates. Hover over changes to view details (e.g., old vs. new values).

A tabulated view lists changes by date, with expandable rows highlighting modifications in red (old value) and green (new value).

Security use cases

  • Track domain ownership changes to detect potential hijacking.

  • Identify associations with malicious infrastructure via nameserver or IP shifts.

  • Monitor registrar changes for signs of unauthorized transfers.
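
The three checks above can also be run over WHOIS snapshots outside the UI. The following is an added example, not Silent Push code: the snapshot field names, the sample records and the exclusive date bounds are assumptions made for illustration.

```python
from datetime import date

# Constructed WHOIS snapshots for a placeholder domain; the field names are
# assumptions for this example, not Silent Push's export schema.
SNAPSHOTS = [
    {"collected": date(2024, 1, 5), "registrar": "Registrar A",
     "registrant_org": "Example Corp", "nameservers": ["ns1.example.net", "ns2.example.net"]},
    {"collected": date(2024, 2, 9), "registrar": "Registrar A",
     "registrant_org": "Example Corp", "nameservers": ["NS2.example.net.", "ns1.example.net"]},
    {"collected": date(2024, 3, 14), "registrar": "Registrar B",
     "registrant_org": "REDACTED FOR PRIVACY", "nameservers": ["ns1.parking.test", "ns2.parking.test"]},
]

# Each watched field maps to one of the use cases listed above.
WATCHED = {
    "registrant_org": "ownership change (possible hijacking)",
    "nameservers": "nameserver shift (possible infrastructure move)",
    "registrar": "registrar change (possible unauthorized transfer)",
}

def normalize(value):
    """Compare case-insensitively; treat nameserver lists as unordered sets."""
    if isinstance(value, list):
        return frozenset(v.lower().rstrip(".") for v in value)
    return value.strip().lower()

def whois_changes(snapshots, collected_after=None, collected_before=None):
    """Return (date, field, old, new, reason) for each change inside the window."""
    ordered = sorted(snapshots, key=lambda s: s["collected"])
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        # Assumption: both bounds are exclusive.
        if collected_after and cur["collected"] <= collected_after:
            continue
        if collected_before and cur["collected"] >= collected_before:
            continue
        for field, reason in WATCHED.items():
            if normalize(prev[field]) != normalize(cur[field]):
                changes.append((cur["collected"], field, prev[field], cur[field], reason))
    return changes

if __name__ == "__main__":
    for when, field, old, new, reason in whois_changes(SNAPSHOTS):
        print(f"{when} {field}: {old!r} -> {new!r}  [{reason}]")
```

Normalizing before comparing keeps reordered or re-cased nameserver lists from registering as changes, so only the third snapshot is reported.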

Monitor WHOIS changes

  1. On the Explore screen, click the Monitor button (top right).

  2. Specify a Monitor Name and Description.

  3. Click Save.

  4. View monitored queries in Monitors > Monitored Queries.

Monitors run every 24 hours, sending email alerts for new results. Refer to the Silent Push documentation for sharing monitors.