How to Check DNS History on Linux, Mac

Secably Research
Jul 12, 2026
8 min read
Network Security
Dns History How-To Lookup Tutorial
How to Check DNS History on Linux, Mac
How to Check DNS History on Linux, Mac
Understanding a domain's past DNS configurations is vital for security investigations. A dns history lookup reveals changes in IP addresses, nameservers, and mail servers over time. This information helps track infrastructure shifts, identify potential mergers, or detect malicious activity.

You will track the historical DNS records and registration details for a target domain. This process aids in understanding a domain's infrastructure evolution and ownership changes.

Prerequisites

  • A Linux or macOS environment with standard command-line tools.
  • Internet connectivity.
  • Basic familiarity with DNS concepts.

Step-by-Step Instructions

Step 1: Perform a Current DNS Lookup

Start by gathering the domain's current DNS records. This establishes a baseline for comparison. Use the dig command for comprehensive DNS queries. Replace example.com with your target domain.
dig A example.com +short
dig NS example.com +short
dig MX example.com +short
dig TXT example.com +short

Expected output will vary but will resemble current DNS records:

# dig A example.com +short
93.184.216.34

# dig NS example.com +short
ns01.example.com.
ns02.example.com.

# dig MX example.com +short
10 mail.example.com.

# dig TXT example.com +short
"v=spf1 include:_spf.example.com ~all"

These commands provide the current A (address), NS (nameserver), MX (mail exchanger), and TXT (text) records. For a quick online alternative, use Secably's DNS lookup tool to retrieve various record types instantly.

Step 2: Retrieve Domain Registration History with WHOIS

The WHOIS database stores registration information for domains. This includes creation dates, update dates, and registrar changes. Querying WHOIS provides a foundational layer for dns history lookup.
whois example.com

The output is extensive. Look for key fields like Creation Date, Updated Date, Registrar, and Name Server history. Note any changes in registrars or nameservers over time. These indicate significant shifts in domain management or hosting.

Domain Name: EXAMPLE.COM
Registry Domain ID: 2337777_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.com
Registrar URL: http://www.example-registrar.com
Updated Date: 2023-10-26T14:30:00Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2024-08-13T04:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS01.EXAMPLE.COM
Name Server: NS02.EXAMPLE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2023-11-01T10:00:00Z <<<

The Creation Date and Updated Date fields are critical for understanding the domain's age and last modification. Changes in Registrar or Name Server entries over time indicate administrative or hosting transitions. Some WHOIS responses, especially for older domains, might contain historical nameserver entries that are no longer active.

Step 3: Examine Certificate Transparency Logs

Certificate Transparency (CT) logs record every SSL/TLS certificate issued for a domain. These logs often reveal subdomains and IP addresses associated with a domain over time, even if they are no longer active. This provides an excellent source for historical subdomain and IP associations.

Use crt.sh to query CT logs. This command retrieves JSON formatted data for certificates issued to your target domain and its subdomains.

curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u

This command pipes the JSON output to jq, extracting all name_value fields (domain names from certificates), then sorts and displays unique entries. The output lists all subdomains for which certificates were issued, giving a historical view of the domain's attack surface. Many of these might no longer be active. Secably also offers a subdomain discovery tool, which can help enumerate current subdomains, complementing this historical view.

example.com
mail.example.com
www.example.com
blog.example.com
dev.example.com
old-service.example.com

Observe subdomains that might indicate past services or infrastructure. For instance, old-service.example.com suggests a decommissioned application. This helps identify forgotten assets or potential shadow IT, a key aspect of external asset discovery.

Step 4: Consult the Internet Archive (Wayback Machine)

The Wayback Machine archives snapshots of websites over time. While not a direct DNS record history, it shows what content was hosted at a domain's IP at different points. This indirectly confirms domain activity and content changes, which often correlate with DNS changes.

Retrieve a list of archived URLs for the domain using the Wayback Machine's CDX API:

curl -s "http://web.archive.org/cdx/search/cdx?url=example.com/*&output=json&fl=timestamp,original&limit=5" | jq .

This command fetches the five most recent timestamps and original URLs. Review the timestamps to see when the domain was active and what content was present. Browse specific archives to understand the site's historical appearance and functionality. This helps correlate DNS changes with actual website content changes.

[
  ["20230915100000", "http://example.com/"],
  ["20230801123000", "http://example.com/index.html"],
  ["20230720080000", "http://example.com/about.html"],
  ["20230605140000", "http://example.com/contact.html"],
  ["20230510090000", "http://example.com/privacy.html"]
]

Each entry shows an archived timestamp and the corresponding URL. You can then visit https://web.archive.org/web/<timestamp>/<original_url> to view the archived page. This provides context on what was hosted on the domain at different points, offering clues about underlying infrastructure changes.

Step 5: Utilize Specialized DNS History Services

Several online services specialize in collecting and providing historical DNS data. These services often maintain extensive databases of past DNS records, including A, MX, NS, and CNAME records. They aggregate data from various sources over many years.

While specific commands are not universal for all services, you typically use their web interfaces. Examples include SecurityTrails, ViewDNS.info, and DNSstuff. These platforms offer detailed timelines of DNS changes. Some offer free lookups for basic data, while others require subscriptions for full historical access.

For example, a search on ViewDNS.info for "example.com" would show a table of historical A records, nameservers, and mail servers, along with the dates they were observed. This is often the most direct method for a comprehensive dns history lookup over many years.

These services provide a consolidated view of changes to A, MX, NS, and TXT records. They often show the exact dates when specific records were observed. This granular data is invaluable for pinpointing when an IP address changed, or when new mail servers were configured, which might indicate a change in hosting provider or email service. For example, if a domain's A record suddenly points to an IP address belonging to a different cloud provider, it signals a infrastructure migration. Tools like Zondex can also provide insights into exposed services and historical configurations through broad internet scanning data.

Step 6: Investigate IP Address History (Reverse DNS and WHOIS)

If you identify historical IP addresses for a domain, investigate their own history. An IP's WHOIS record reveals its allocation, owner, and block history. Reverse DNS lookups (PTR records) can show what other domains were hosted on that IP at different times.

Perform a WHOIS lookup on a historical IP address:

whois 93.184.216.34

This output reveals the IP block owner (e.g., an ISP, cloud provider), allocation dates, and contact information. This helps attribute the historical hosting of the domain to a specific entity. Look for OrgName, NetRange, and Country fields.

NetRange:       93.184.216.0 - 93.184.216.255
CIDR:           93.184.216.0/24
OriginAS:       AS203226
Organization:   Example Hosting Provider
Registration Date: 2010-01-01
Last Updated:   2020-05-01
...

Then, perform a reverse DNS lookup for an IP address. While dig -x often shows current PTR records, some specialized tools or passive DNS services can reveal historical PTRs. For current PTRs:

dig -x 93.184.216.34 +short

This shows the current hostname associated with the IP. Historical reverse DNS is more challenging to obtain without specialized passive DNS databases. However, identifying the IP owner from WHOIS helps understand the hosting environment over time.

example-host.examplehosting.com.

This output indicates the hostname currently associated with the IP address. If this hostname is different from your target domain, it suggests the IP might be shared or was used for other purposes historically.

Verification Steps

Verify your dns history lookup by cross-referencing data from multiple sources. Compare the WHOIS creation date with the earliest certificate transparency log entries. Check if Wayback Machine archives align with periods when specific IP addresses were active according to historical DNS services.

  • Cross-reference Dates: Ensure that dates from WHOIS (creation, update) roughly align with the earliest observations in CT logs or specialized DNS history services. Significant discrepancies might indicate data anomalies.
  • IP Address Consistency: If historical DNS services show specific A records for a period, verify that the corresponding IP's WHOIS information aligns with the expected hosting provider for that time.
  • Subdomain Persistence: Confirm if subdomains discovered via CT logs have corresponding entries in the Wayback Machine or current DNS records. This helps differentiate between ephemeral and persistent infrastructure.
  • Name Server Changes: Compare historical nameserver entries from WHOIS with those found in DNS history services. Major changes often correlate with hosting provider migrations.

Troubleshooting Section

Issue 1: Incomplete or Missing Historical Data

Problem: You cannot find extensive historical DNS records for a domain, especially for older periods or specific record types.

Solution: Not all DNS changes are publicly archived or indexed by every service. Some specialized passive DNS databases (e.g., Farsight DNSDB, RiskIQ PassiveTotal) offer more comprehensive historical data but are often paid enterprise solutions. Increase your search scope by trying more specialized DNS history tools like SecurityTrails or ViewDNS.info. They often have better coverage than standard public records. Some domain registrars also offer historical data to the current domain owner.

Issue 2: Rate Limiting or Access Denied for WHOIS Queries

Problem: Repeated WHOIS queries from your IP address result in rate limiting or an "Access Denied" message.

Solution: Many WHOIS servers implement rate limiting to prevent abuse. Wait for a period (usually a few minutes to an hour) before trying again. Use different WHOIS servers for different TLDs (e.g., whois.nic.org for .org domains). Alternatively, use a proxy service like GProxy or a VPN like VPNWG to rotate your IP address for subsequent queries. Be mindful of ethical usage and terms of service for such tools.

Issue 3: JSON Parsing Errors with curl and jq

Problem: The jq command fails to parse the JSON output from crt.sh or other APIs, indicating malformed JSON.

Solution: First, examine the raw output from curl without piping to jq. This helps identify if the issue is with the source JSON or your jq query. The API might return an error message, an empty array, or non-JSON content under certain conditions (e.g., no data found, rate limit hit). Adjust your jq filter to match the actual JSON structure, or simplify it (e.g., jq '.') to inspect the full JSON. Ensure you have jq installed (sudo apt-get install jq on Debian/Ubuntu, brew install jq on macOS).

Check your site for vulnerabilities

Run a free security scan — no signup, results in seconds.

Related Posts

Stronger security starts with visibility.

Scan your website for vulnerabilities and get actionable insights.