DNS History Lookup: Track DNS Changes Over Time

Learn how to view historical DNS records, track changes over time, and use DNS history for security investigations, migrations, and troubleshooting.

DNS records change. Domains move between hosting providers, mail servers get upgraded, IP addresses rotate, and authentication records are added or modified. DNS history tools capture these changes over time, creating a timeline of a domain's infrastructure evolution. This data is valuable for security research, migration planning, troubleshooting, and competitive analysis.

What DNS History Shows

A DNS history lookup retrieves past DNS records for a domain, showing what values were configured at specific points in time. Depending on the tool and data source, you can typically see historical records for:

  • A and AAAA records -- The IP addresses the domain pointed to over time.
  • MX records -- Which mail servers handled incoming email.
  • NS records -- Which nameservers were authoritative for the domain.
  • TXT records -- SPF policies, DKIM keys, DMARC configurations, domain verification tokens.
  • CNAME records -- Aliases and where they pointed.
  • SOA records -- Zone metadata including serial numbers and refresh intervals.

Each historical entry typically includes the record value, the first-seen date, and the last-seen date. Some sources also include TTL values and the geographic location of the resolver that captured the data.

How DNS History Data Is Collected

There is no centralized archive of DNS records. DNS is a distributed, real-time protocol defined in RFC 1035. Once a record is changed, the old value is no longer served by authoritative nameservers. Historical data exists only because third parties actively collect it.

Passive DNS

Passive DNS systems capture DNS query/response pairs from cooperating resolvers and network sensors. When a resolver answers a query, the response is logged with a timestamp. Over time, this builds a historical record of what every domain resolved to. Major passive DNS databases include Farsight DNSDB, VirusTotal, and SecurityTrails.

Active Scanning

Some services actively query DNS records for large sets of domains on a regular schedule (daily, weekly, or monthly). They store each snapshot and make the history available through a web interface or API. This approach captures records that might not appear in passive DNS if they are rarely queried.

Zone File Access

Some TLD registries (notably .com, .net, and .org) provide zone file access to approved researchers and commercial entities through ICANN's Centralized Zone Data Service (CZDS). These zone files list all domains in the TLD along with their nameserver records, providing a complete snapshot at the time of download.

Use Cases for DNS History

Security Investigations

DNS history is a core tool in threat intelligence and incident response:

  • Mapping attacker infrastructure. When a phishing domain is identified, DNS history reveals what IP addresses it used, which can be cross-referenced with other malicious domains sharing the same IPs.
  • Identifying domain hijacking. A sudden change in nameservers or A records can indicate that a domain was compromised. Historical records establish a baseline for comparison.
  • Tracking fast-flux domains. Malware command-and-control domains frequently rotate IP addresses. DNS history captures this rotation pattern.
  • Investigating email spoofing. If your domain's DMARC reports show unauthorized senders, cross-referencing the sending IPs with DNS history can reveal which domains or services those IPs are associated with.

Migration Planning

When migrating to a new hosting provider, DNS host, or email platform, historical records serve as a reference:

  • Baseline documentation. Before making changes, capture a snapshot of all current DNS records. DNS history tools provide this if you did not document it yourself.
  • Rollback reference. If a migration goes wrong, DNS history shows exactly what records were in place before the change, making it straightforward to revert.
  • Identifying orphaned records. Old A records pointing to decommissioned servers, SPF includes for services no longer in use, and CNAME records for defunct subdomains are common. DNS history helps identify when records were last relevant.

Troubleshooting

When email delivery or website accessibility breaks and you are not sure what changed, DNS history fills the gap:

  • "It was working yesterday." Compare today's records with those from a week or month ago to identify what changed.
  • TTL-related propagation issues. If you changed a record but some users still see the old value, DNS history confirms what the old value was and when the change was first observed.
  • Third-party changes. If a service provider changed their IP addresses and your SPF or CNAME records are now stale, DNS history reveals when the mismatch began.

Verify your current records resolve correctly using the InboxTooling DNS lookup tool.

Competitive and Market Research

DNS history provides signals about a company's technology stack and infrastructure decisions:

  • Hosting provider changes. A record history shows when a domain moved between hosting providers.
  • Email platform changes. MX record history reveals when a domain switched from one email provider to another.
  • CDN adoption. CNAME changes to CDN endpoints indicate when a domain started using a content delivery network.
  • Growth indicators. Adding subdomains, new MX records, or additional SPF includes can signal business growth.

Free and Commercial DNS History Tools

Free Tools

SecurityTrails offers a free tier with limited historical DNS lookups. It provides A, AAAA, MX, NS, TXT, and SOA history for any domain.

VirusTotal includes passive DNS data in its domain reports. The free tier allows limited lookups, and historical data comes from multiple contributing resolvers.

ViewDNS.info provides a simple IP history tool that shows what IP addresses a domain has pointed to over time.

Whoisology tracks WHOIS and DNS changes with some free lookup capability.

Commercial Tools

Farsight DNSDB is the largest passive DNS database, with data going back over a decade. It is the gold standard for security research and is available through a commercial API.

DomainTools combines DNS history with WHOIS data and domain risk scoring. Used extensively by enterprise security teams.

Cisco Umbrella Investigate integrates passive DNS with threat intelligence for security operations.

Building Your Own DNS History

If you want to track DNS changes for your own domains or a set of domains you monitor, you can build a lightweight history system:

  1. Write a script that queries the DNS records you care about (A, MX, TXT, NS) on a regular schedule.
  2. Store the results with timestamps in a database or flat file.
  3. Compare each new result with the previous one and alert on changes.

A simple cron job running dig commands and storing results achieves this for a small number of domains. For larger-scale monitoring, tools like DNSControl or OctoDNS can track and version-control DNS configurations.
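
The three steps above as a small script, given here as an added example rather than code from the original article. It stores each value with first-seen and last-seen timestamps in SQLite and reports what was added or removed since the previous run. The database path, table layout, function names and the example.com placeholder are assumptions.

```python
# Added example: DNS change tracker (schema, names and example.com are assumptions).
import sqlite3
import subprocess
import time

def open_db(path="dns_history.db"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS history (name TEXT, rtype TEXT,"
               " value TEXT, first_seen INTEGER, last_seen INTEGER, active INTEGER)")
    return db

def dig(name, rtype):
    """Live lookup with `dig +short`; None when dig exits nonzero (e.g. no reply)."""
    p = subprocess.run(["dig", "+short", name, rtype], capture_output=True, text=True)
    if p.returncode != 0:
        return None
    # A set ignores answer ordering, so round-robin rotation is not a "change".
    return {l.strip() for l in p.stdout.splitlines()
            if l.strip() and not l.startswith(";")}

def observe(db, name, rtype, values, now=None):
    """Record one snapshot; return (added, removed) versus the previous one."""
    if values is None:  # failed lookup: never record it as "records removed"
        return set(), set()
    now = int(time.time()) if now is None else now
    key = (name, rtype)
    current = {r[0] for r in db.execute(
        "SELECT value FROM history WHERE name=? AND rtype=? AND active=1", key)}
    added, removed = values - current, current - values
    for v in removed:  # close the interval; last_seen keeps its earlier date
        db.execute("UPDATE history SET active=0 WHERE name=? AND rtype=?"
                   " AND value=? AND active=1", key + (v,))
    db.execute("UPDATE history SET last_seen=? WHERE name=? AND rtype=?"
               " AND active=1", (now,) + key)
    for v in added:
        db.execute("INSERT INTO history VALUES (?,?,?,?,?,1)", key + (v, now, now))
    db.commit()
    return added, removed

def timeline(db, name, rtype):
    return db.execute("SELECT value, first_seen, last_seen, active FROM history WHERE"
                      " name=? AND rtype=? ORDER BY first_seen, value", (name, rtype)).fetchall()

if __name__ == "__main__":  # cron entry point; the first run reports the baseline
    db = open_db()
    for rtype in ("A", "MX", "TXT", "NS"):
        added, removed = observe(db, "example.com", rtype, dig("example.com", rtype))
        if added or removed:
            print(f"example.com {rtype} +{sorted(added)} -{sorted(removed)}")
```

A SERVFAIL response still exits 0 with empty `+short` output, so confirm any reported removal against the full dig output before acting on it.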

For real-time verification of your current DNS state, the InboxTooling DNS lookup tool queries live records and presents them in a clear, structured format.

