Saturday, September 1, 2012

Research Tip: When WHOIS doesn't work

WHOIS is a great service when trying to find who owns a domain. Of course, if the domain isn't legitimate, then much of the WHOIS data is probably fake. That said, there's one thing that people can't typically fake: the email address. At least we have that to start with right?

So, there you are, trying to find out who owns this rather shady looking domain name. You hop over to your favorite domain lookup website, or your terminal and...

Whois listing for from

Oh no! It's private! But wait, there's more than one way to find the email linked to a domain. Time to ask DNS for the magical mail record!

Manual nslookup ANY query

Yes... it's that easy. We find that seems to own this domain, despite efforts to hide the fact. Of course this doesn't work all of the time, but it does work quite often, especially when either a) the domain previously was not "privately" registered or b) when the owner purchased/transferred the domain to a hosting provider that automagically sets up all the DNS servers, web servers, etc for the user.

Should that not work, we can try sending the same ANY record DNS request directly to the server hosting the website. (in nslookup: "server <IP of website>") Why would a webserver give us this juicy DNS record? When users setup a domain in Plesk or cPanel, they often fill out all of the questions/forms they can, including email info. Many of these installations have a DNS server running locally, perhaps not actually even used, but the settings, including the domain's responsible mail address, get pushed to the DNS server locally. When you query directly to the server, you'll often get exactly what the user entered during setup, regardless of what's listed in WHOIS.