Advanced Domain Intelligence for Security: Passive DNS, WHOIS & Threat Hunting

In the modern threat landscape, the domain name is the silent anchor of digital infrastructure. While many security teams focus on endpoint detection or network perimeter defense, domain intelligence offers a critical proactive advantage: visibility into adversarial infrastructure before it's weaponized.


Why Domain Intelligence Matters in Cybersecurity

Attackers maintain persistent infrastructure to support campaigns. A ransomware gang might operate from dozens of domains but rotate the IP addresses daily. A phishing operation might use similar patterns across multiple registrants. A nation-state infrastructure might share hosting providers with other operations. By mastering domain intelligence, analysts can:

Passive DNS: The Historical Infrastructure Record

Passive DNS (pDNS) is a repository of historical DNS resolution data collected from multiple vantage points across the internet. Unlike active DNS queries, which perform real-time lookups and leave logs on the target's infrastructure, passive DNS is captured from traffic that is already flowing and provides a historical record of resolutions, as complete as the collecting sensors' coverage allows.

How Passive DNS Works

Internet Service Providers, DNS resolvers, and security vendors collect DNS query/response pairs as they traverse the network. These records are then aggregated into a database indexed by domain, IP address, and time period. When you query passive DNS, you receive a timeline showing every IP address a domain has resolved to, from when the record was first observed until the last observation. This historical view reveals infrastructure changes, rotation patterns, and timing relationships.
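The timeline view described above, worked as an added Python example (not code from the article or from Espectro): it orders a constructed pDNS result set for one domain by first observation, computes how long each IP served the domain, flags where rotation became rapid (the timing change Phase 2 of the workflow below looks for), and reports the gap or overlap between consecutive IPs. The records, IP addresses and the stable/rapid thresholds are all constructed assumptions.

```python
from datetime import date

# Constructed pDNS records for one domain: (ip, first_seen, last_seen), deliberately unordered.
# The story: one stable IP for months, then weekly rotation, then daily rotation.
PDNS_TIMELINE = [
    ("198.51.100.8", date(2024, 4, 15), date(2024, 4, 16)),
    ("203.0.113.10", date(2024, 1, 2), date(2024, 3, 30)),
    ("203.0.113.11", date(2024, 3, 31), date(2024, 4, 6)),
    ("198.51.100.9", date(2024, 4, 16), date(2024, 4, 17)),
    ("203.0.113.12", date(2024, 4, 7), date(2024, 4, 13)),
    ("198.51.100.7", date(2024, 4, 14), date(2024, 4, 15)),
]

def tenure_label(days, stable_days=30, rapid_days=3):
    """Classify how long an IP served the domain; the thresholds are assumptions to tune per case."""
    if days >= stable_days:
        return "stable"
    if days <= rapid_days:
        return "rapid"
    return "rotating"

def resolution_timeline(records):
    """Order records by first_seen and attach the inclusive tenure in days plus its label."""
    ordered = sorted(records, key=lambda r: r[1])
    return [(ip, first, last, (last - first).days + 1, tenure_label((last - first).days + 1))
            for ip, first, last in ordered]

def rapid_rotation_start(records):
    """Date on which the first 'rapid' tenure begins, or None if rotation never became rapid."""
    return next((first for _, first, _, _, label in resolution_timeline(records)
                 if label == "rapid"), None)

def transitions(records):
    """Days from one IP's last observation to the next IP's first observation:
    0 or less means both IPs were observed on the same day (concurrent resolution),
    more than 1 means a stretch with no observed resolution at all."""
    timeline = resolution_timeline(records)
    return [(prev[0], nxt[0], (nxt[1] - prev[2]).days)
            for prev, nxt in zip(timeline, timeline[1:])]

if __name__ == "__main__":
    for ip, first, last, days, label in resolution_timeline(PDNS_TIMELINE):
        print(f"{ip:15} {first} -> {last}  {days:3d} days  {label}")
    print("rapid rotation began:", rapid_rotation_start(PDNS_TIMELINE))
    print("transitions (from, to, days):", transitions(PDNS_TIMELINE))
```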

Threat Hunting with Passive DNS

Passive DNS reveals attacker infrastructure patterns:

WHOIS Analysis and Registrant Correlation

WHOIS is the public record database maintained by domain registrars. Every registered domain includes registrant contact information (name, email, phone, address), registrar details, nameservers, and registration/expiration dates. This information is invaluable for attribution.

WHOIS-Based Attribution Techniques

Threat actors often make mistakes when registering malicious domains:

Case Study: Registrant Correlation

A financial fraud ring operated 47 malicious domains. Initial WHOIS lookups showed different registrant names. However, detailed analysis revealed that 44 of the 47 domains used the same phone number (+44-20-xxxx-xxxx format) with only the last digit varying in a sequential pattern. This registrant correlation proved that a single operator controlled nearly the entire infrastructure, dramatically simplifying law enforcement attribution and takedown operations.
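The phone-number correlation from this case study, as an added Python example (not code from the article or from Espectro): WHOIS phone numbers written in different formats are normalized to digits and grouped by everything except the last digit, so the sequential pattern surfaces even though the registrant names differ. The records, domains and numbers are constructed, and the number of varying trailing digits is a parameter to tune per case.

```python
import re
from collections import defaultdict

# Constructed WHOIS records (not real data): registrant names differ, and the phone numbers
# are written in several formats but differ only in the last digit.
WHOIS_RECORDS = [
    {"domain": "secure-bank-login.example", "name": "J. Smith", "phone": "+44 20 7946 0001"},
    {"domain": "bank-verify.example",       "name": "A. Jones", "phone": "+44-20-7946-0002"},
    {"domain": "account-update.example",    "name": "M. Brown", "phone": "0044 (0)20 7946 0003"},
    {"domain": "legit-shop.example",        "name": "L. White", "phone": "+1 212 555 0199"},
    {"domain": "card-refund.example",       "name": "P. Green", "phone": "+442079460004"},
]

def normalize_phone(raw: str) -> str:
    """Reduce a phone number to country code plus digits so that spaces, hyphens,
    '0044' versus '+44' and a UK trunk '(0)' do not hide a match."""
    digits = re.sub(r"\(0\)", "", raw)      # drop the trunk prefix written as (0)
    digits = re.sub(r"\D", "", digits)      # keep digits only
    if digits.startswith("00"):             # international dialling prefix -> bare country code
        digits = digits[2:]
    return digits

def correlate_by_phone_stem(records, varying_digits: int = 1):
    """Group domains whose normalized numbers agree on everything but the trailing
    `varying_digits` digits (the sequential pattern from the case study)."""
    groups = defaultdict(list)
    for rec in records:
        number = normalize_phone(rec["phone"])
        stem = number[:-varying_digits] if varying_digits else number
        groups[stem].append(rec["domain"])
    # A stem shared by a single domain is no evidence of anything; keep only shared stems.
    return {stem: sorted(domains) for stem, domains in groups.items() if len(domains) > 1}

if __name__ == "__main__":
    for stem, domains in correlate_by_phone_stem(WHOIS_RECORDS).items():
        print(f"phone stem {stem}x -> {len(domains)} domains: {', '.join(domains)}")
```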

SSL/TLS Certificate Fingerprinting and Attribution

Every HTTPS website uses an SSL/TLS certificate—a digital document containing a public key and identifying information. Each certificate is cryptographically signed and has a unique fingerprint (a hash of its contents).

Why Certificate Fingerprinting Works for Attribution

When an attacker generates a self-signed certificate (common in malware C&C infrastructure), they typically:

By collecting SSL certificates from suspicious domains and comparing their fingerprints and metadata, you identify which domains are operated together. Certificate transparency logs (like crt.sh) make this practical—you can search for all certificates issued to a specific domain or organization name in seconds.

Case Study: Certificate-Based Clustering

A researcher investigating a phishing domain found its SSL certificate contained the issuer name "Phishing Infrastructure v2.1". Searching certificate transparency logs for that issuer name returned 340+ certificates issued to different phishing domains. All 340+ domains were confirmed to be part of the same attacker's phishing campaign. The attacker's oversight in reusing the same certificate issuer name across the entire operation provided complete visibility into their scale.

Infrastructure Mapping: Connecting the Dots

Infrastructure mapping takes individual intelligence signals (passive DNS records, WHOIS data, certificates) and combines them into a comprehensive graph of attacker assets.

Building Infrastructure Maps

Start with a known attacker domain or IP. Then expand through:

Signal Type         What to Find                                Next Step
Passive DNS         All historical IPs for a domain             Reverse-DNS those IPs to find other domains
Reverse IP Lookup   All domains hosted on an IP                 Query passive DNS for those domains
WHOIS Registrant    Contact email/phone/name                    Search WHOIS for other domains with that registrant
Nameservers         NS records used by a domain                 Find other domains using the same nameservers
SSL Certificates    Certificate fingerprint/issuer              Search cert transparency logs for matching certificates
ASN                 Autonomous System Number of hosting ISP     Find IP ranges in that ASN, then reverse-DNS those ranges

By iteratively applying these techniques, you expand from one domain into a complete operational infrastructure map. Well-mapped infrastructure reveals scale, redundancy strategies, third-party hosting relationships, and potential single points of failure for takedown operations.
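The iterative expansion above, worked as an added Python example (not code from the article or from Espectro): starting from a seed domain it pivots breadth-first through constructed pDNS, WHOIS and certificate lookups, records which signals link each pair of domains, and applies a corroboration threshold so that a domain sharing only one signal (for example an unrelated site on the same shared-hosting IP) can be kept out of the map. Domain names, IPs, emails, fingerprints and the hop limit are all constructed assumptions.

```python
from collections import deque

# Constructed lookup results standing in for pDNS, WHOIS and CT-log queries (not real data): signal -> domain -> values.
SIGNALS = {
    "ip": {                                   # passive DNS: historical IPs
        "seed-c2.example": ["203.0.113.10", "203.0.113.11"],
        "backup-c2.example": ["203.0.113.11"],
        "payload-host.example": ["198.51.100.7"],
        "shared-hosting-victim.example": ["203.0.113.10"],   # innocent neighbour on a shared IP
        "unrelated.example": ["192.0.2.50"],
    },
    "registrant": {                           # WHOIS: registrant email
        "seed-c2.example": ["ops@mail.example"], "backup-c2.example": ["ops@mail.example"],
        "payload-host.example": ["ops@mail.example"],
        "shared-hosting-victim.example": ["webmaster@victim.example"],
    },
    "cert": {                                 # CT logs: certificate fingerprint (constructed values)
        "seed-c2.example": ["sha256:aa11"], "backup-c2.example": ["sha256:aa11"],
        "payload-host.example": ["sha256:bb22"], "shared-hosting-victim.example": ["sha256:cc33"],
    },
}

def invert(mapping):
    """Reverse index value -> [domains]: the reverse-IP, reverse-WHOIS and CT-log search pivots."""
    rev = {}
    for domain, values in mapping.items():
        for v in values:
            rev.setdefault(v, []).append(domain)
    return rev
REVERSE = {name: invert(m) for name, m in SIGNALS.items()}

def expand(seed, max_hops=3, min_signals=1):
    """Breadth-first pivoting from the seed; a candidate joins the map only when it shares at least
    `min_signals` distinct signals with a mapped domain (higher = fewer weak pivots, less recall)."""
    mapped, edges, queue = {seed: 0}, [], deque([seed])
    while queue:
        current = queue.popleft()
        if mapped[current] >= max_hops:
            continue
        shared = {}                           # candidate -> set of signal names shared with current
        for name, forward in SIGNALS.items():
            for value in forward.get(current, []):
                for other in REVERSE[name].get(value, []):
                    if other != current:
                        shared.setdefault(other, set()).add(name)
        for other, signals in shared.items():
            if other not in mapped and len(signals) >= min_signals:
                mapped[other] = mapped[current] + 1
                edges.append((current, other, sorted(signals)))
                queue.append(other)
    return mapped, edges
```

`expand("seed-c2.example")` pulls in the shared-hosting neighbour on the strength of one IP, while `min_signals=2` keeps only the domain corroborated by IP, registrant and certificate together.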

Practical Threat Hunting Workflow

Here's a practical approach to domain-based threat hunting:

Phase 1: Seed Collection

Start with known indicators: a malicious domain from a breach notification, an IP from your network logs, or a phishing URL from user reports. Document what you know and why you suspect it's malicious.

Phase 2: Expansion Through Passive DNS

Query passive DNS for the seed domain. If the IP address has been stable, you've found infrastructure endpoints. If it's rotated weekly, examine the full rotation pattern. Look for timing changes (rapid rotation may indicate infrastructure compromise).

Phase 3: WHOIS Registrant Correlation

Collect WHOIS records for domains from Phase 2. Look for repeated registrant contact information. Search for all domains registered to those contacts. Document any variations or obfuscation attempts.

Phase 4: Infrastructure Clustering

Collect SSL certificates from identified domains. Search certificate transparency logs for related certificates. Map nameservers, hosting providers, and ASNs. Build a graph connecting all related assets.

Phase 5: Verification and Attribution

Cross-reference findings with known threat intelligence. Do identified infrastructure clusters match known threat actors? Are timing patterns consistent with known campaigns? Document confidence levels for each attribution.

Tools for Domain Intelligence

Professional domain investigation requires specialized tools:

Integrating Domain Intelligence Into Your Security Operations

Domain intelligence should be a routine part of your security operations:

Incident Response Integration

When responding to a breach or suspected compromise, early domain intelligence reveals how the attacker's infrastructure fits into the broader threat landscape. This guides investigation scope and helps identify secondary targets.

Threat Intelligence Programs

Maintain an internal database of attacker infrastructure indicators (domains, IPs, registrants, SSL patterns). As new incidents occur, add to the database. Queries against this database accelerate future incident response.

Proactive Threat Hunting

Regularly execute threat hunting workflows against known attacker infrastructure. Identify backup domains registered in advance, new infrastructure prepared for future campaigns, or indicators of infrastructure compromise or takeover.

Elevate Your Domain Intelligence Capabilities

Master advanced domain investigations with verified infrastructure data. Espectro Pro consolidates passive DNS, WHOIS analysis, certificate intelligence, and infrastructure mapping into a single platform—enabling faster threat hunting and attribution.

Frequently Asked Questions

What is passive DNS and why is it important for threat hunting?

Passive DNS (pDNS) is a repository of historical DNS resolution data collected from multiple vantage points without interfering with actual network traffic. Unlike active DNS queries that alert the target, passive DNS allows analysts to investigate infrastructure without detection. It's crucial for threat hunting because attackers often rotate IP addresses frequently but maintain stable domain names. By querying pDNS, you can map all historical IPs associated with a malicious domain, revealing hosted infrastructure, timing patterns, and connections to other attacker-controlled domains.

How can WHOIS analysis help identify threat actors?

WHOIS data—registration contact information, nameservers, and registrar choice—reveals patterns that link separate domains to a single operator. Threat actors often reuse the same contact email, phone number, or registrant name across multiple malicious domains. Analyzing WHOIS registrant information across domains reveals actor infrastructure clusters. Additionally, examining nameserver patterns (many attackers use specific bulletproof hosting providers), registration timing, and registrar choices reveals operational patterns. Correlating WHOIS registrant variations with other indicators of compromise builds actor attribution profiles.

What is SSL/TLS certificate fingerprinting and how does it support attribution?

SSL/TLS certificates are X.509 digital documents that contain a public key and identifying information about the certificate holder. Each certificate has a unique fingerprint—a hash of the certificate contents. Attackers often generate multiple certificates for different domains but may accidentally reuse the same private key or certificate generation tool, producing similar fingerprints. By collecting SSL certificates from suspicious domains and comparing their fingerprints, you can identify which domains are operated by the same threat actor. Certificate transparency logs (like crt.sh) make this analysis practical at scale.

What tools are best for domain intelligence analysis?

Professional-grade domain intelligence tools include: Shodan for IP-based infrastructure discovery, VirusTotal for aggregated security intelligence, Censys for certificate and host analysis, SecurityTrails for WHOIS and DNS historical data, and PassiveTotal for pDNS and threat correlation. For free options, DomainTools, SpyOnWeb, and MXToolbox provide basic WHOIS and DNS lookups. For at-scale OSINT investigations, integrated platforms like Espectro consolidate these data sources and add verification layers, reducing the time spent switching between tools.

How do I detect infrastructure sharing between seemingly unrelated domains?

Infrastructure sharing detection combines multiple signals: (1) Common nameservers—domains pointing to the same NS records are likely controlled by one operator. (2) Common IP addresses—passive DNS showing both domains resolved to the same IP at any point indicates relationship. (3) SSL certificate sharing—domains using the same certificate or certificate fingerprint. (4) WHOIS registrant correlation—matching registrant contact information, even if slightly obfuscated. (5) Common Autonomous System numbers (ASNs)—both domains hosted by the same ISP. Using all signals together is more reliable than any single indicator.

What is infrastructure mapping and why does it matter?

Infrastructure mapping is creating a visual or logical graph of how threat actor assets are connected. It involves identifying all known domains/IPs associated with an actor, then connecting them through shared infrastructure signals (nameservers, SSL certificates, registrants, IP space, hosting providers). Infrastructure maps reveal operational scale, supply chain relationships, decentralization strategies, and single points of failure. A complete infrastructure map allows you to identify backup domains (useful for understanding actor resilience), sharing arrangements with other actors, and ISP/hosting provider relationships that may support takedown operations.

How do I verify that domain intelligence findings are accurate?

Domain intelligence findings should be verified through multiple independent sources: (1) Cross-reference passive DNS records with multiple pDNS providers (data can vary based on collection points). (2) Verify WHOIS contact information against historical records (registrant info changes over time). (3) Validate certificates by consulting certificate transparency logs directly rather than secondary sources. (4) Use reverse IP lookups to confirm IP-to-domain relationships. (5) Check hosting provider records directly for current status. (6) Correlate findings with known threat intelligence from trusted sources. If findings depend heavily on a single data source, confidence is lower.

What legal and ethical considerations apply to domain investigation?

Domain intelligence is generally legal because it analyzes publicly available information. However, specific practices require care: (1) Active DNS queries against domains may generate logs that alert the target—use passive DNS instead if investigating covertly. (2) Port scanning or network probing of IPs is illegal in many jurisdictions without authorization. (3) If WHOIS data contains personal information, GDPR compliance applies in the EU. (4) Some hosting providers restrict scraping of their infrastructure data. Best practice: use aggregated intelligence platforms that handle compliance and provide verified data rather than performing active reconnaissance yourself.