How to Query Historical DNS Records (NS/MX) for Domain Hosting Investigation


2 views

When investigating a domain's hosting history, we're essentially looking at DNS record changes over time. This becomes crucial for scenarios like:

  • Recovering access to old email accounts (MX records)
  • Investigating domain migration patterns
  • Security incident investigations

There are several technical approaches to query historical DNS data:

1. DNS Archive Services

Services like SecurityTrails, DNSDB, and WhoisXMLAPI maintain historical DNS data:

// Example using SecurityTrails API (Node.js)
const axios = require('axios');

const getHistoricalDNS = async (domain) => {
  const response = await axios.get(
    https://api.securitytrails.com/v1/history/${domain}/dns/a,
    { headers: { 'APIKEY': 'your_api_key' } }
  );
  return response.data;
};

getHistoricalDNS('example.com')
  .then(data => console.log(data.records));

2. Passive DNS Replication

Tools like Censys or VirusTotal aggregate DNS data from various sources:

# Python example using VirusTotal API
import requests

url = "https://www.virustotal.com/api/v3/domains/example.com/historical_whois"
headers = {"x-apikey": "your_api_key"}

response = requests.get(url, headers=headers)
print(response.json())

Here's a complete script to check historical MX records using multiple sources:

#!/usr/bin/env python3
import requests
from datetime import datetime

class DNSHistoryChecker:
    def __init__(self, api_keys):
        self.apis = {
            'securitytrails': api_keys.get('securitytrails'),
            'virustotal': api_keys.get('virustotal')
        }
    
    def check_mx_history(self, domain):
        results = {}
        
        # SecurityTrails implementation
        if self.apis['securitytrails']:
            url = f"https://api.securitytrails.com/v1/history/{domain}/dns/mx"
            headers = {'APIKEY': self.apis['securitytrails']}
            try:
                response = requests.get(url, headers=headers)
                results['securitytrails'] = self._parse_securitytrails(response.json())
            except Exception as e:
                results['securitytrails_error'] = str(e)
        
        # Additional API implementations...
        
        return results
    
    def _parse_securitytrails(self, data):
        records = []
        for item in data.get('records', []):
            records.append({
                'first_seen': item.get('first_seen'),
                'last_seen': item.get('last_seen'),
                'values': [mx.get('host') for mx in item.get('values', [])]
            })
        return records

# Usage example
if __name__ == "__main__":
    checker = DNSHistoryChecker({
        'securitytrails': 'your_api_key_here'
    })
    print(checker.check_mx_history('example.com'))

When API solutions aren't available, consider:

  • Checking domain WHOIS history (services like whoisrequest.com)
  • Searching through Wayback Machine (archive.org) for old DNS configuration pages
  • Looking for DNS zone file leaks in public repositories

Remember that:

  1. Data completeness varies between providers
  2. Some services only retain data for 1-2 years
  3. Free tiers often have strict rate limits
  4. Accuracy depends on how frequently the service collects DNS data

For commercial needs, consider:

Service Data Retention API Rate Limit
SecurityTrails 10+ years 50/month (free)
DNSDB 7+ years Varies by plan
WhoisXMLAPI 5+ years 1000/month (starter)

When migrating hosting providers or recovering old email accounts, developers often need to reconstruct a domain's DNS history. Unlike WHOIS records which may show ownership changes, nameserver and MX record history isn't centrally archived - but there are technical approaches to uncover this data.

1. Using Passive DNS Databases

Services like SecurityTrails and DNSDB maintain historical DNS snapshots:


# Python example using SecurityTrails API
import requests

api_key = "YOUR_API_KEY"
domain = "example.com"

response = requests.get(
    f"https://api.securitytrails.com/v1/history/{domain}/dns/ns",
    headers={"APIKEY": api_key}
)

print(response.json())

2. Checking Zone Files via AXFR

If the previous nameserver allows zone transfers:


# Bash dig command for zone transfer test
dig @old.nameserver.com example.com AXFR

3. Web Archive Services

The Wayback Machine sometimes captures DNS configurations:


# Checking archived DNS records
curl "http://web.archive.org/web/timemap/json/http://example.com"

When trying to recover an old hosted email account:

  1. Query historical MX records using SecurityTrails API
  2. Identify the mail server IP ranges
  3. Cross-reference with hosting provider IP allocations
  4. Contact the identified provider with ownership proof
  • DNS TTL caching may show outdated records
  • Private nameservers often lack historical data
  • Some registrars overwrite historical WHOIS data

When technical methods fail:

  • Check domain registration emails for hosting receipts
  • Search old website backups for DNS configuration files
  • Review server migration documentation if available