About Domain Dossier
The Domain Dossier tool generates reports from public records about domain names and IP addresses to help solve problems, investigate cybercrime, or just better understand how things are set up. These reports may show you:
- Owner’s contact information
- Registrar and registry information
- The company that is hosting a Web site
- Where an IP address is geographically located
- What type of server is at the address
- The upstream networks of a site
- and much more
Domain Dossier normally gets records from their original sources at the time you request them, but it does keep copies in memory for up to 24 hours. Thus, if someone has already requested a particular Dossier, the records shown could be up to a day old.
- Entering an address
- Address lookup
- Domain Whois record
- Network Whois record
- DNS records
- Service scan
To get started, simply enter one of the following:
You can also enter other identifiers, and Domain Dossier will act on the domains or IP addresses they contain:
Below the text box on the input form you’ll see checkboxes that allow you to select what sections you want in the report. We’ll describe those sections next.
Every Dossier begins with a DNS lookup for what you entered:
- If you entered a domain name, it looks up IP addresses for the domain.
- If you entered an IP address, it does a “reverse” lookup to get associated domain names.
Upon success you’ll see three labeled results:
- canonical name: This is the domain name that actually has IP address records (A or AAAA, if any) in the DNS.
- aliases: This is a list of domain names that ultimately point to the canonical name. (A domain name can be an alias for another [the canonical name], having only a CNAME record that points to the canonical name.)
- addresses: This is a list of IP addresses associated with the canonical name and the aliases. It may contain both IPv4 and IPv6 addresses.
The dossier will include both the canonical domain name and the first IP address found.
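The lookup described above, as an added example that is not Domain Dossier's own code: it follows a CNAME chain to the canonical name and collects the three labelled results, using a constructed in-memory record set instead of live DNS so it runs offline, and it also handles the two failure modes a resolver must guard against (a CNAME loop and an over-long chain).

```python
# Added example (not Domain Dossier's code): walk CNAMEs to the canonical
# name and gather aliases and addresses, as the "Address lookup" section
# describes. RECORDS is a constructed sample, not real DNS data.
from typing import Dict, List, Tuple

# Constructed zone data: owner name -> list of (record type, value).
RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "www.example.com.": [("CNAME", "web.example.com.")],
    "web.example.com.": [("CNAME", "host1.example.net.")],
    "host1.example.net.": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "loop-a.example.com.": [("CNAME", "loop-b.example.com.")],
    "loop-b.example.com.": [("CNAME", "loop-a.example.com.")],
    "dangling.example.com.": [("CNAME", "gone.example.org.")],
}

MAX_CHAIN = 8  # resolvers cap CNAME chains; treat longer ones as broken


def lookup(name: str) -> Dict[str, object]:
    """Return the Dossier's three labelled results for `name`.

    canonical name: first name in the chain with no CNAME record
    aliases:        every name that pointed (directly or not) at it
    addresses:      A and AAAA records of the canonical name (may be empty)
    Raises ValueError on a CNAME loop or a chain longer than MAX_CHAIN.
    """
    name = name.lower().rstrip(".") + "."
    aliases: List[str] = []
    seen = set()
    while True:
        if name in seen or len(aliases) > MAX_CHAIN:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        cnames = [v for t, v in RECORDS.get(name, []) if t == "CNAME"]
        if not cnames:
            break  # no CNAME here: this is the canonical name
        aliases.append(name)
        name = cnames[0]
    addrs = [v for t, v in RECORDS.get(name, []) if t in ("A", "AAAA")]
    return {"canonical name": name, "aliases": aliases, "addresses": addrs}
```

A dangling CNAME (a target with no records at all) still yields a canonical name but an empty address list, which is why the Dossier can only report "the first IP address found" when one exists.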
The Whois records for a domain provide information about its registration such as:
- The name of the registrant
- Contact information
- The date of the registration
- The date that the registration expires
- Authoritative DNS servers for the domain
Domain Dossier displays Whois records for the longest registered domain that contains the domain you entered (or the domain associated with the IP address you entered). For example, if you enter www.example.com the Whois records will be for example.com, which is the domain that’s actually registered.
Domains often have two Whois records, one from the registry and a more detailed one from the registrar, and Domain Dossier will display both. It displays record text verbatim except that it removes bulky headers and footers when it can.
As of 25 May 2018, registrars may withhold registrant and contact information due to the GDPR.
The Whois records for an IP network provide information about its allocation or assignment such as:
- The range of IP addresses in the assignment
- The name of the organization to which the addresses were assigned
- Contact information, including abuse contacts
- The date of the assignment
Domain Dossier displays a Whois record for the IP network allocation or assignment that includes the IP address you entered (or the first IP address associated with the domain you entered). IP addresses can have multiple associated Whois records, but Domain Dossier only displays the most specific one. As with domain Whois records, it will remove bulky headers and footers when it can.
In this section, Domain Dossier retrieves and displays records from the DNS for several domains related to your input:
- The entered domain (or the domain associated with the IP address you entered)
- Registered domain of the entered domain
- Canonical domain
- Zone apex for the canonical domain
- IP address domain (under
- Zone apex for the IP address domain
Some of these domains may be the same. The “owner” domain for each record will appear in the first column.
Domain Dossier gets these records using multiple queries, usually to the authoritative nameserver. It does not use zone transfers.
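How the related domains in this list, and the "longest registered domain" rule used for Whois above, can be derived from an input name or IP address, as an added example that is not Domain Dossier's own code. The public-suffix set and the set of names holding SOA records are small constructed subsets; a real implementation would use the full Public Suffix List and live SOA queries.

```python
# Added example (not Domain Dossier's code): derive the registered domain,
# zone apex and reverse-lookup domain that the "DNS records" and "Domain
# Whois" sections describe. PUBLIC_SUFFIXES and SOA_NAMES are constructed.
import ipaddress
from typing import Iterable, Optional

# Constructed subset of the Public Suffix List (the real one is far larger).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}
# Constructed set of names that own an SOA record, i.e. zone apexes.
SOA_NAMES = {"example.com", "sub.example.com", "example.co.uk"}


def registered_domain(name: str, suffixes: Iterable[str] = PUBLIC_SUFFIXES) -> Optional[str]:
    """Longest registrable domain containing `name` (www.example.com -> example.com).

    Returns None when the name is itself a public suffix or its TLD is unknown.
    """
    labels = name.lower().rstrip(".").split(".")
    suffixes = set(suffixes)
    # Longest candidate suffix is tried first, so "co.uk" beats "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def zone_apex(name: str, soa_names: Iterable[str] = SOA_NAMES) -> Optional[str]:
    """Closest ancestor of `name` (or the name itself) that has an SOA record."""
    labels = name.lower().rstrip(".").split(".")
    soa_names = set(soa_names)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in soa_names:
            return candidate
    return None  # no zone found in the constructed SOA set


def ip_domain(ip: str) -> str:
    """Reverse-lookup owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer
```

Note that the registered domain and the zone apex are different things: sub.example.com above is its own zone (it has an SOA) but is not a separately registered domain.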
Traceroute shows the path that IP packets take from our server in Dallas, TX, USA to the IP address you entered (or the first IP address associated with the domain you entered). Each row in the table represents a hop—an IP router along the path—leading to the destination on the last row. The columns are as follows:
- The hop number, with hop 1 being the first router beyond our server—our default gateway, in other words.
- Round-Trip Time in milliseconds. This is the time it takes for a packet to reach the router and be echoed back to our server. Each hop gets three tries and thus will have three round-trip times. An asterisk (*) in a column means that the request packet didn’t get a reply within 1 second. Sometimes you may see other errors in the RTT columns.
- IP address: The IP address of the router or destination host that replied to the request packet. If none of the requests got a response, there will be no IP address to show for the hop.
- Fully qualified domain name: The domain name of the router or destination host that replied to the request packet. If one of the request packets gets a response, and thus an IP address for the hop, Traceroute will attempt a reverse DNS lookup on the IP address to get a domain name. If that succeeds, the domain name will appear in this column.
Traceroute is not a way to discover the name or IP address of a hacker or spammer—it just traces the network path from one known address (ours) to another (the one you entered). The first address in the path is always ours.
Traceroute works by sending ICMP echo requests and listening for TTL-expired-in-transit errors and echo replies.
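A deterministic model of that mechanism and of the table it produces, as an added example that is not Domain Dossier's own code: probes go out with TTL 1, 2, 3, ..., the router whose decrement reaches zero answers "TTL expired", the destination answers with an echo reply, and an unanswered try is shown as an asterisk. The path, latencies and reverse-DNS names are constructed.

```python
# Added example (not Domain Dossier's code): model how increasing-TTL echo
# requests build the Traceroute table. PATH, PTR and REPLIES are constructed.
from typing import Dict, List, Optional

# Constructed path from our default gateway (hop 1) to the destination.
PATH = ["192.0.2.1", "198.51.100.7", "203.0.113.42", "203.0.113.200"]
DESTINATION = "203.0.113.200"
# Constructed reverse-DNS data; hops missing here get an empty name column.
PTR = {"192.0.2.1": "gw.example.net", "203.0.113.200": "www.example.com"}
# Constructed reply behaviour per hop: latency in ms for each try, None = no reply.
REPLIES: Dict[str, List[Optional[float]]] = {
    "192.0.2.1": [0.41, 0.39, 0.40],
    "198.51.100.7": [None, None, None],  # silent router: drops ICMP
    "203.0.113.42": [8.1, None, 7.9],    # one probe lost in transit
    "203.0.113.200": [12.3, 12.1, 12.4],
}
TIMEOUT_MS = 1000.0  # the page's 1-second reply window


def probe(ttl: int) -> Optional[str]:
    """Node whose TTL decrement hits zero for this TTL (None beyond the path)."""
    return PATH[ttl - 1] if 0 < ttl <= len(PATH) else None


def traceroute(max_hops: int = 30, tries: int = 3) -> List[dict]:
    """Return one row per hop: hop number, three RTT cells, IP and FQDN."""
    rows = []
    for ttl in range(1, max_hops + 1):
        node = probe(ttl)
        rtts = []
        for i in range(tries):
            latency = REPLIES.get(node, [None] * tries)[i] if node else None
            timed_out = latency is None or latency >= TIMEOUT_MS
            rtts.append("*" if timed_out else f"{latency:.1f} ms")
        answered = any(cell != "*" for cell in rtts)
        rows.append({"hop": ttl, "rtt": rtts,
                     "ip": node if answered else "",
                     "fqdn": PTR.get(node, "") if answered else ""})
        if node == DESTINATION and answered:
            break  # echo reply rather than TTL-expired: path is complete
    return rows
```

A hop that never answers (hop 2 here) still occupies a row, because the probes with that TTL were sent; it just has nothing to show but asterisks, and its IP cannot be learned from the trace.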
If you entered an IP address or a domain that resolves to an IP address, Domain Dossier’s service scan will try contacting six common services that might be running at that address: FTP, SMTP, HTTP, POP3, IMAP, and HTTPS. For each service that responds, Domain Dossier will show you the headers or banner that it sends. The service scan helps you understand what kind of server is at the address and what software it’s running.