The OSINT Newsletter - Issue #93
Domain OSINT: It’s Free Real Estate
👋 Welcome to the 93rd issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here’s an overview of what’s in this issue:
Introduction to Domain OSINT
Beginner tools for Domain OSINT
Case study in Domain OSINT
Let’s get started. ⬇️
Domains are the real estate of the internet. From the swishest company site, to the jankiest homepage, to the most self-indulgent blog, every website on the net is like a piece of land - and every piece of land has an owner. The “address” to this land is the domain name. So if you investigate that domain right, it could lead you straight to the landlord’s door.
In this issue, we’re exploring domain OSINT: one of the most useful (and most misunderstood) starting points for investigation. We’ll cover:
What domains can actually tell you
Beginner tools for domain OSINT
How to pivot from domains to other intel
A practical example of domain OSINT in action
By the end, you’ll know how to go from one innocent-looking URL to a whole new world of intelligence. It’s free real estate.
What is Domain OSINT?
Domain OSINT is pretty self-explanatory: it’s the act of investigating a domain name and the infrastructure around it. It’s easy to assume that it’s just about “who owns this website?” - of course, that’s super important information to learn (and has cracked some very high-profile cases). But the intelligence value of the average address is much more than a less OSINT-savvy realtor would tell you. A domain connects to:
Registrant information
Hosting providers and IP ranges
Subdomains and services
Email infrastructure
Historical versions of websites
Other domains owned by the same entity
What can I actually learn from a domain?
Pretty much anything. Each of the data points above also has a corresponding intelligence use. After all, in super pretentious terms, a domain is a behavioural artifact: someone registered it, configured it, hosted it, maintained it, and used it for a purpose. Every one of those decisions leaks information, like layers of old wallpaper that tell you your house’s walls used to be puke-green. You can uncover:
Ownership: When the owner of the site got the domain, they likely had to provide the hosting provider with some identifying data: an email address, a real name, or the name of an organisation they’re connected to. You can get this data.
Connected Sites: Any subsidiaries, backups, or even scammy clones of the target domain. They could also be hosting the page within another site, or own other sites under the same personal ID - which shows up a clear link to other activity.
Email Activity: Some domains allow email hosting. A hosted email address has obvious pivot potential; you can look at MX records, plus all the other stuff we covered in our previous email issue.
Hosting Behaviour: Are they using a cheap hosting provider? Or maybe it’s bulletproof hosting, or even sophisticated enterprise infrastructure? The type of hosting your target domain uses can indicate the purpose (and dodginess) of the site.
Also consider operational maturity: a fancy term for ‘how long it’s been there.’ A newly-created site might be used like a burner phone, whilst a long-established asset domain might suggest legitimacy.
Geographic Location: You can use the address to find out where the domain is hosted; just look at the country code at the end. Also, the language used will tell you who wrote it, and who the intended audience is.
Of course, it’ll still take some classic investigator’s instinct to turn this information into insights. But even the most elusive info - intent, for example - is discoverable once you’ve got this know-how. Say you find a domain built yesterday, hosted on a bargain VPS, with no history and several clones… It’s easy to see how that could become evidence.
Beginner Tools for Domain OSINT
Now we know what domain OSINT can do, we can get into the tooling. You don’t need anything elite or expensive; our basic toolkit is all free (or freemium), fast and extremely effective.
WHOIS lookup is synonymous with domain OSINT. WHOIS search is a handy protocol that lets you search databases for information about registered users of domain names and IP addresses. That includes their contact details, the date they got the address, and more. You can also look into historical WHOIS data; ownership changes over time are often more interesting than current data.
🧱 DNS Tools
Tools like DNS Dumpster and SecurityTrails go through DNS records and associated infrastructure. Give them a hostname, and they’ll reveal subdomains, DNS changes, name servers, and any other associated digital assets the domain owner forgot to take down. In addition, you can also get statistics, like how many other hostnames have the same IP.
Reverse IP search can show you what else is hosted on the same server as your target domain. Often, people will reuse cheap hosting servers; it’s common in networks of scammers, for example. Infrastructure reuse will betray any hidden relationships.
Want to know what a site used to look like? Check it out on the Wayback Machine. The Internet Archive stores captures of sites from the past, so you can see previous versions. You might find old branding, evidence of previous owners, or deleted content. Sudden pivots (e.g. from “crypto project” to “consultancy”) are classic red flags.
📧 Email Infrastructure Checks
MX records show how the site handles email. Usually, they’re used to check if an email address is fake without sending a humiliating (or dangerous) bounceback message. However, they can do even more for domain OSINT, too. Find out which email provider they use, and whether the email works at all. A “professional” company with no proper email setup is… suspicious.
Example: Domain OSINT in Action
Let’s test our skills on an example. Imagine you’ve found a site from a company offering “international geomarketing services”. Their website is slick - full of stock photos of serious people in suits staring at maps. The domain address: red-ball-market-global.com.
You’ve called their phone number, but you’re on hold. So while you’re waiting, you do a little domain OSINT.
Step One: WHOIS Check
You plug the address into a WHOIS search, hoping to find registration details. The domain itself was registered 11 days ago via a budget registrar, which does seem suspicious for a legitimate “global” firm. They’ve also enabled privacy protections, so no contact details.
Step Two: DNS and Subdomains
You run a DNS enumeration, and turn up some results for connected subdomains: mail.red-ball-market-global.com, and portal.red-ball-market-global.com. Mail does exist - and explains the email you received. Portal redirects you to a generic login page.
Step Three: Reverse IP Search
Reverse IP search shows four other domains on the same server as red-ball-market-global.com:
tecca-corp.com
tamblays-for-menswear.com
amazing-crypto-opportunity.net
calicocutpants.com
None of these are older than two months, and their relevance to “international geomarketing” is… weak. Clearly, the original red-ball site’s owner has a diverse business portfolio. Too diverse to trust.
Step Four: Wayback Machine
In the Internet Archive, you uncover a previous version of red-ball-market-global.com. A year ago, it was selling cheap office furniture under the ‘Red Ball’ name, with Trustpilot reviews in the dirt. This confirms that you’re looking at the operator’s latest scam, not a legitimate global agency.
So, red-ball-market-global.com is one big, red, spherical flag. But at least their hold music was catchy.
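The WHOIS and reverse IP checks from Steps One and Three, as an added example (not code from the newsletter): it parses a WHOIS reply and a set of reverse IP results, then reports the signals the walkthrough relies on. The sample WHOIS text, creation dates, registrar placeholder and the 30/60-day thresholds are constructed assumptions; real WHOIS date formats vary by registry.

```python
from datetime import datetime, timezone

# Constructed WHOIS reply for the case study's fictional domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: RED-BALL-MARKET-GLOBAL.COM
Registrar: Example Budget Registrar (placeholder)
Creation Date: 2025-03-04T09:12:44Z
Registrant Name: REDACTED FOR PRIVACY
"""
# Constructed reverse-IP results: co-hosted domain -> creation date.
SAMPLE_NEIGHBOURS = {
    "tecca-corp.com": "2025-01-20T00:00:00Z",
    "tamblays-for-menswear.com": "2025-02-02T00:00:00Z",
    "amazing-crypto-opportunity.net": "2025-02-18T00:00:00Z",
    "calicocutpants.com": "2025-03-01T00:00:00Z",
}
NOW = datetime(2025, 3, 15, 12, 0, tzinfo=timezone.utc)  # fixed "today" for the demo
PRIVACY_MARKERS = ("redacted", "privacy", "withheld")

def parse_whois(text):
    """Map 'Key: value' lines to a dict (lower-cased keys, first value wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def age_days(created, now):
    """Whole days between an ISO 8601 'Z' timestamp and now."""
    stamp = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
    return (now - stamp.replace(tzinfo=timezone.utc)).days

def triage(whois_text, neighbours, now, young=30, cluster=60):
    """Return the findings the case study looks for, in Step One/Three order."""
    fields, findings = parse_whois(whois_text), []
    created = fields.get("creation date")
    if created is None:
        findings.append("no creation date in WHOIS reply")
    elif age_days(created, now) < young:
        findings.append(f"registered {age_days(created, now)} days ago")
    if any(m in fields.get("registrant name", "").lower() for m in PRIVACY_MARKERS):
        findings.append("registrant hidden by privacy service")
    ages = [age_days(c, now) for c in neighbours.values()]
    if ages and max(ages) < cluster:
        findings.append(f"{len(ages)} co-hosted domains, all under {cluster} days old")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_WHOIS, SAMPLE_NEIGHBOURS, NOW):
        print("-", finding)
```

A privacy-protected registrant is common on legitimate domains too, so treat that finding as context for the other two, not as a verdict on its own.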
Key Takeaways
Hopefully, you’ve now got your first step on the OSINT property ladder. You should know:
Who owns the internet? Domain registrars, that’s who. Every site has an owner, and every owner has their details stored somewhere.
Landlords exist: Some people have multiple sites. Connecting them is key.
Patterns are pivots: Even if the contacts are privacy protected, you can still analyse the target’s behaviour around a domain.
It’s free real estate: Domain tools are free, and good enough to get results.
See you next issue, investigators!