
Find every domain someone owns automatically - tzury
https://securitytrails.com/blog/find-every-domain-someone-owns
======
tzs
The results page should always show what your search term was. Currently it
only shows this when the search finds something. If nothing is found, all it
does is tell you that nothing was found.

That leaves you with no way to check to make sure you entered the right term,
other than typing it again. If you are typing it right but auto-correct is
kicking in when you hit enter, even trying again might fail because your site
responds fast enough that you might not have time to notice the change before
the results page comes up.

Also, it might be helpful when someone searches for a domain at a TLD that you
do not support to say on the results page that the TLD is not supported.

~~~
scrollaway
+1 on search term! And if you enter a domain that doesn't exist, it throws you
back to the homepage with no way to fix it :(

Another feature request: When entering an IP, there's very little information
available on it (only the hosting provider). Would be nice to get latlong,
country etc (a la [https://www.iplocation.net/](https://www.iplocation.net/)).

Because seriously, that is an insanely cool database. I can even find all the
sites that share my domain's Cloudflare IPs.

~~~
mxpxrocks10
awesome. thanks for the feedback! great idea, we'll implement this week. Would
love to stay in touch.

------
greggman
I didn't look into what this is doing but it's not finding 1/2 of my domains
(they are not private). I'm guessing it's not "Find every domain someone owns"
it's "Find every domain that meets X criteria" which may or may not be every
domain someone owns.

~~~
scaryclam
Yeah, I was fairly unimpressed when it didn't even manage to look up the first
domain I entered (it's not new and it's not private). I guess it might be
useful for some domains, but there's no way I'd rely on it.

~~~
mxpxrocks10
Same about this one. Any further info so we can enhance the user experience
would be awesome. We have a tough time still with ccTLDs because registries
are locking down the zone files. Any more info or suggestions appreciated.

------
megous
Must say, I'm not a fan of yours or similar services, or whois databases for
that matter. Privacy should be easier on the internet for people owning domain
names.

~~~
andreasley
Why do you think privacy should be easier for domain owners? Shouldn't it
instead be easy for a visitor to find out who owns the domain and is
responsible (content, technical or legal) for a certain site?

~~~
chrisper
Not everyone needs to know my home address. Especially not for a domain I use
for emails.

Way too many weird people out there.

~~~
always_good
Also, any content that people could take issue with. Any hobbies I might have
that I wouldn't share on Facebook.

This is why I lie in my whois data, to the horror of the goody two-shoes on HN
I'm sure.

The whois data is a great place to start a social engineering hack. The
address or any past address is often used for identity.

------
toomuchtodo
How do you plan on handling the EU’s “right to be forgotten” (it’s pretty
straightforward to make the argument you’re a search engine) and other
components of the GDPR?

~~~
togus
"The right to erasure" is not an absolute right for anyone to get all their
data deleted. If the data owner (read: the registrars) still has a legal
right to collect the data and keep it public, and that right has not been
revoked, one could argue that they (Security Trails) don't have to remove the
data.

It's my understanding that the registrars are the ones with the burden here.
They need to inform everyone of the data erasure and/or data updates on
private information. Fun times when you have public information for anyone to
gather on the internet. It could be that there are exemptions for these kind
of services, I do not know, but would the exemption not also include the
services that aggregate/collect historic information as well?

Disclaimer: I am not a lawyer. I am not well versed in GDPR. Anyone finding
this interesting should go read up on GDPR.

~~~
heinrich5991
>one could argue that they (security trails) don't have to remove the data.

It doesn't work that way. The "right to be forgotten" can be used to remove
search results from Google, even if the original content stays up.

~~~
togus
Interesting! From a quick google the following Wikipedia citation seems to be
what you are referring to: Grounds for removal include cases where the search
result(s) "appear to be inadequate, irrelevant or no longer relevant or
excessive in the light of the time that had elapsed."[1]

Under GDPR, Security Trails (the company or person that operates it) could be
classified as a "data controller" [2] and would then of course be liable to
delete information gathered about a person upon request and when the data is
deemed to be "inadequate, irrelevant or no longer relevant or excessive". So
for example, John Doe wants to remove the historic information that he used to
own porn.com, which he doesn't anymore.

However, I do not think it's clear that you have to delete the data for the
current owner of porn.com due to his or her need for privacy, as long as they
have collected the information lawfully.

As actual advice to the people at Security Trails, I would recommend they
put up clear instructions on how to request a data erasure from their
database. Like "Email erasure@securitytrails.com to request removal of your
personal information" and what information they need to delete it.

[1]
[https://en.wikipedia.org/wiki/Google_Spain_v_AEPD_and_Mario_Costeja_Gonz%C3%A1lez](https://en.wikipedia.org/wiki/Google_Spain_v_AEPD_and_Mario_Costeja_Gonz%C3%A1lez)

[2]
[https://en.wikipedia.org/wiki/General_Data_Protection_Regulation](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)

Edit: formatting

~~~
ratherbefuddled
Actually the first thing Security Trails have to do is to figure out under
which legal basis they think they have the right to process personal data.
This is fundamental to figuring out their duties. I strongly suspect they
don't have a legal basis in GDPR terms and therefore would need to rely on
consent. The much publicised "right to be forgotten" is the very least of
their worries.

------
blixt
This can't be "The World's Largest Repository" when half my domains are "not a
valid domain" according to the tool.

------
wiradikusuma
It doesn't work for privacy-protected whois (obviously), but it also doesn't
work for .id domains (try [http://every.id](http://every.id),
[http://awesome.id](http://awesome.id) or
[http://player.id](http://player.id)).

~~~
mxpxrocks10
We'll add .id to the wish list. Tricky because they don't make the zone file
avail, but we'll figure something out. Thanks for the note.

------
noja
It's like Uber all over again. This is expressly forbidden with most
registries, especially European ones.

------
epalmer
It says I own 86 domains but is using my given names and not my email address.
My name is not unique. Hardly a valuable service. I own less than 10 for the
record.

~~~
mxpxrocks10
suggestions on how to make it more effective for your use case?

------
nerdponx
Is this just a reverse indexed WHOIS database? If so, it's no surprise that my
domains don't appear in the results: I signed up for Whois anonymization
through my DNS provider. I was recently considering unsubscribing, so thank
you to the creators of this for reminding me that my privacy is under attack
at all times and I should do whatever I can to protect it.

~~~
Jach
That's what I think too, and I definitely don't own millions of domains.

Be careful about trusting privacy protection plans. A spam email came to me
recently showing the unmasked info and I still have no idea how it acquired
its data...
[https://www.thejach.com/view/2017/10/google_whois_protection...](https://www.thejach.com/view/2017/10/google_whois_protection_doesnt_protect)

------
vxNsr
I'm finding that sometimes it'll turn up the data correctly and other times it
won't match what I can find by manually typing in addresses into
domains.google

As in this service will claim all data is private when google is able to
return the actual registrant email address and/or name. As well as valid phone
numbers which don't match what dnstrails is outputting.

~~~
mxpxrocks10
thanks for the note and testing. Would love to dig into any specific use cases
so we can see what's going on. chris at securitytrails.com

~~~
sebazzz
Try damsteen.nl for instance, my blog, it shows no whois at all.

~~~
mxpxrocks10
got it - thanks!

------
ohashi
I think [http://whoisology.com](http://whoisology.com) has been doing this for
ages.

~~~
hughesey
So has [http://viewdns.info](http://viewdns.info). Free too.

~~~
qubex
Great resource, thanks.

------
laurencei
Just tried it with some of my own details. Found a domain I forgot I owned on
an old reseller I haven't used in a while - lol.

On a more serious note - I'm very curious how you get such a long history of
domains. i.e. I can see every DNS change and ownership for any domain - I
didn't realise that was always available?

~~~
mxpxrocks10
Hi! We acquired 4 companies that have been doing lots of cool data work. We
also license and collect our own data to mix in. There's different granularity
depending on the data (WHOIS history, Name Server history, DNS record history,
technologies used) etc. We're constantly improving it.

The thesis we have is that if you get hacked, it often times is through an old
server or satellite domain. We're building tools to help you find the extended
surface area where you can be hacked or have downtime. The example of you
finding an old domain is a perfect use case.

~~~
jsjohnst
Just out of curiosity, was one of those companies originally named
DeletedDomains.com? They had the full root zone (of the ones now managed by
Verisign GRS anyway) since approximately 2001 (my involvement with them was
2003).

~~~
mxpxrocks10
hey - no. wwws.io, dnstrails.com were the main ones for this data

------
bartvk
I'm pretty sure this goes against European (or at least Dutch) privacy laws
because it's not just company domains being searched. There isn't any privacy-
overriding reason to keep a database with this kind of identifying
information. Since these laws are currently barely enforced, nothing will
happen of course.

More info in Dutch: [https://blog.iusmentis.com/2017/11/08/internationale-domeinbeheerder-staat-afschermen-domeininfo-toe/](https://blog.iusmentis.com/2017/11/08/internationale-domeinbeheerder-staat-afschermen-domeininfo-toe/)

------
mobilemidget
\o/ I own 5 million domains... wait a minute do I pay for all of those?!

~~~
mxpxrocks10
hey, can you give a little more info? Are you sure it's not picking up on some
other part of the registrant?

~~~
bpicolo
Whoisguard variants.

------
kuschku
So, for .de it just returns either NULL, undefined, or empty for everything,
for .eu it errors out entirely, and for the domains of me it does find, it has
wrong data.

kuschku.de has, for the past 2 years, always pointed at 51.15.1.223 or
163.172.217.134, never at 204.236.227.242. Funnily, for other domains pointed
at the same IPs, it has correct data – e.g. quasseldroid.info correctly shows
the IP history.

The datasets used here seem of questionable quality, souring the taste of this
awesome feature.

~~~
mxpxrocks10
hey, would love it if you can drop me an email (in profile) so we can
debug/improve.

.DE is particularly hard because they lock down the zone file. gTLDs like
.INFO are easier to get because the zone files are open. We have 9 years daily
granularity for the gTLDs.

Would love to clean up the UX so it's clear what we have data for and what we
don't, to be completely transparent.

Thanks for the note.

~~~
kuschku
Your profile doesn’t have any email address in it, but you can just check
[https://dnstrails.com/#/domain/domain/kuschku.de](https://dnstrails.com/#/domain/domain/kuschku.de)
vs.
[https://dnstrails.com/#/domain/domain/quasseldroid.info](https://dnstrails.com/#/domain/domain/quasseldroid.info)

For example, WHOIS info
[https://i.imgur.com/WNpyvcl.png](https://i.imgur.com/WNpyvcl.png) should
maybe show something like "none available", or "no WHOIS info is available for
.de", or "go to denic.de to see WHOIS info" (DENIC offers the WHOIS info, if
you enter the captcha). On the other hand,
[http://whois.domaintools.com/kuschku.de](http://whois.domaintools.com/kuschku.de)
(a competitor) correctly shows the WHOIS.

Second, with the domain – I have no idea how the wrong value ended up on
there.

~~~
computer22
Hi kuschku, thanks for providing us with the samples with the outdated/missing
data. We will definitely look into the case and continue to enhance the data
we collect.

The UI enhancements you mention are excellent - we will implement this shortly
(not only for .de but for any case where we cannot output any values).

Feel free to contact us at the e-mail address given at the bottom of every
dnstrails page!

------
wimagguc
What’s interesting is that it correctly finds Namecheap whois-guarded domains
too. If I search for the guarded domain directly it shows the correct record
as the owner’s address/etc being WhoisGuard, but then if I search for a non-
guarded domain and click through from the identified name, it does list the
guarded domains as well (!)

~~~
nerdponx
The OP said something about zone files earlier, so it's possible that they're
getting their data from more than just Whois lookups.

------
markdown
It said I owned 45 domains, and listed 10 that I actually own along with 35
I've never owned, heard of, or ever been associated with.

I have a _very_ common English name.

Annoyingly, some of the domains it inaccurately says I own are NSFW. They need
to put a big disclaimer on the results page pointing out that the results
aren't necessarily accurate.

------
brad1043
I know that GoDaddy blocks WHOIS requests like crazy. How are you able to
'bypass' that restriction at such scale?

~~~
mxpxrocks10
Hi. There's some good info online.

[https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en](https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en)

Check out section 3.3.6

------
shadowashe
BinaryEdge does something like this but also for IP addresses and then
security rates them [https://blog.binaryedge.io/2017/11/23/organization-mapping/](https://blog.binaryedge.io/2017/11/23/organization-mapping/)

------
bananamansion
searched google.com. turns out they own the url.. android.porn

~~~
IncRnd
They have that domain so that nobody else uses it.

~~~
Jaruzel
I have a few of those. :)

------
techbubble
Is it possible to include WHOIS data from way back when InterNIC was the only
registrar?

I own a domain I registered way back when you would send an email to InterNIC
and registration was free. The WHOIS data returned for the domain only starts
in 2008 and skips about 12-14 years.

------
graysonk
Hmm is there a technical write up of how you are pulling this data?

I tried one of our companies for fun and it’s only pulling 1.4million records
in one place and then 65,000 in another. Doesn’t seem to have all our
nameservers or relays either.

~~~
jsjohnst
Based on the supported TLDs, I’m guessing they are pulling down the root zone
tables from Verisign GRS. Verisign licenses the Whois data in bulk out to
companies like theirs.

------
CodeWriter23
Looks like I own around 289,000+ domains that I’m not aware of.

~~~
mxpxrocks10
awesome. hopefully your credit card isn't on file for the renewals :-) . we'd
love to hear about any bugs - chris at securitytrails.com

------
empressplay
GoDaddy is now masking _all_ DNS info whether you pay for their "privacy"
service or not, so that's making a substantial black hole in this data.

~~~
brad1043
What do you mean they mask all DNS info? You mean whois info? Can you provide
an example?

------
Hasz
Couldn’t get it to work with .rs domains.

That being said, cool tool!

~~~
mxpxrocks10
<sigh> these country code domains. LOL. We bought and built up
[http://www.domainlists.io](http://www.domainlists.io) so we can add some more
stuff like this in. I'll make sure we add .RS to the action items. Thanks for
the feedback and enjoy!

------
richardkeller
This is great. Is there a list of supported TLDs? For example, I'm not
having much luck with .co.za (South African) domains.

~~~
qubex
.IT (Italy) neither.

------
jgh
I guess this doesn't work for private registration. E.g. Domains by Proxy's
phone number has ~11 million domains.

~~~
mxpxrocks10
We have a really fun blog post coming out for this next week or so. One of our
team found a pretty big bug in certain private registrations. Stay tuned.

~~~
ploggingdev
Can you give a gist of your findings?

I'll take a guess: customers are given unique whois-protected email addresses,
allowing you to find all the domains owned by the person. E.g. if I own abc.com
and xyz.com, both have the same public email address. The problem with such
bugs is that there's no way to undo the damage since historical whois records
are archived.

~~~
mxpxrocks10
you nailed it. It goes a little further with what you can see and how easy it
is but right on point! If you notice anything else people would find
interesting, feel free to post it or email me (in profile).

------
qubex
This is brilliant.

But a question: why does one website I know of (and that resolves, and that
has valid DNS entries) come up blank?

~~~
mxpxrocks10
hey, thanks for checking. Shoot over what you're looking at to hello at
dnstrails.com and we'll investigate.

------
brad1043
Also, is your WHOIS data for each domain "live", meaning it's being queried in
real time?

~~~
mxpxrocks10
1. For the current record displayed on the domain results page, it's live but
then has a short cache after the first time it's pulled on the public site.

2. For the whois registrant search, it's around 90 days old right now, but
we're working on techniques to make it more current.

------
puppetmaster40
Very nice! Also... scary.

------
moonka
That is very handy.

~~~
stanislavb
Although it didn't work as I expected.

~~~
mxpxrocks10
Hey, we're still kind of new and kicking the tires. Any UX feedback or data
feedback is appreciated!

~~~
regecks
It's pretty much missing or empty data for the entire .au TLD (e.g. even
google.com.au is not present).

Living here, I know that their whois server rate limits heavily and the ccTLD
zonefile is not available, so I'm guessing those are probably contributing
reasons. Do you guys do any crawling at all?

I think this is a fantastic concept though. Knowing that whois database and
zonefile access is often protected for commercial motivations, it really irks
me. Open it all up.

~~~
mxpxrocks10
right now we're getting .au domains from Open Crawl. It's tricky because the
zone file is not available like you mentioned. If anyone has any ideas on how
to get more .au domains, we'll gladly implement.

~~~
jlgaddis
CT logs come to mind, if you aren't using them already.

DNS queries, if you have access to recursive resolvers.

~~~
mxpxrocks10
we're using CT logs for getting hostnames (you can see it at the top of the
page of any domain).

We have a great recursive resolver source but haven't been able to integrate
it into the data pipeline yet.

thanks for the note and ideas!

------
rootsudo
Scary, yet useful as fuck.

