Lesson 4 of 8

Domain and Infrastructure OSINT


WHOIS and Domain Records

Infrastructure OSINT almost always begins with the domain. A WHOIS query reveals registration information: the registrar, creation and expiration dates, name servers, and in some cases the registrant's contact details. Although many records are now protected by privacy services (WHOIS privacy), the residual information remains valuable: the registration date can establish when a piece of infrastructure was set up, and shared name servers can link several domains to the same owner.

A useful technique is historical WHOIS, offered by services like WhoisXML or SecurityTrails, which preserves old versions of the records. Often a domain that hides its contact details today had them exposed in the past, before enabling privacy protection. Comparing historical records lets you correlate seemingly independent domains that share the same email or the same original registrant.

All of this information is public by design of the domain name system. Querying it is perfectly legal and constitutes the basis of any infrastructure reconnaissance, whether in an authorized pentest or in an audit of one's own exposure.

DNS Enumeration

DNS holds a map of a domain's infrastructure that can be queried legally. A and AAAA records point to IP addresses; MX records reveal mail servers; TXT records often contain SPF, DKIM, and DMARC configurations, and sometimes third-party service verification tokens that betray which platforms the organization uses; NS records indicate the name servers.

Tools like dig, nslookup, dnsx, or dnsrecon let you query these records systematically. A classic check is attempting a zone transfer (AXFR): if a DNS server is misconfigured and allows it, it returns the complete list of the zone's records, exposing the entire internal structure. Finding this in an audit is an important result, because it represents an information leak that must be fixed.

TXT and MX records deserve special attention for their revealing value. An SPF record authorizing "include:_spf.google.com" indicates Google Workspace usage; one mentioning an email marketing provider reveals that business relationship. Each piece helps reconstruct the target's technology stack.

Subdomains and Certificates

Subdomain discovery is one of the most productive techniques in infrastructure OSINT, because it expands the known surface. There are two approaches. The passive one queries sources that have already collected subdomains (passive DNS databases and similar data sets, which tools like Amass or subfinder aggregate) without directly touching the target's infrastructure. The active one tests names via dictionary brute force, which generates traffic toward the target and should only be done with authorization.

Certificate Transparency logs are an excellent and entirely passive source. Every time a TLS certificate is issued, it is recorded in public logs. Querying crt.sh returns all certificates issued for a domain, which often reveals subdomains that appear nowhere else — development environments, internal panels, forgotten services. It is one of the first queries every investigator should run.
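As an added example (not part of the original lesson), the following Python turns crt.sh's JSON output into a clean, in-scope subdomain list. The input is a constructed sample in the shape of the crt.sh API response, where each entry's "name_value" field packs the certificate's SAN names separated by newlines; the function name `extract_subdomains` and the sample data are assumptions, not part of crt.sh.

```python
"""Extract in-scope subdomains from crt.sh JSON output (offline sample)."""
import json

# Constructed sample mimicking the crt.sh JSON API output for a query
# such as https://crt.sh/?q=%25.example.com&output=json: one object per
# certificate, "name_value" holding newline-separated SAN names.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\nDev.Example.com"},
    {"common_name": "admin.example.com",
     "name_value": "admin.example.com\nadmin.example.com."},
    {"common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
    {"common_name": "notexample.com",
     "name_value": "notexample.com\nmail.notexample.com"},
])


def in_scope(name: str, domain: str) -> bool:
    """True if name is the domain itself or a proper subdomain of it."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return a sorted, deduplicated list of hostnames under `domain`.

    Handles the quirks seen in real CT data: several SANs packed into one
    name_value, mixed case, trailing dots, wildcard entries (the "*."
    prefix is stripped so the parent label is still recorded), and
    look-alike names that merely contain the target domain as a prefix
    or suffix substring (example.com.evil.test, notexample.com).
    """
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The resulting list is the starting inventory for a defensive audit: every name in it should be matched against the asset register, and anything unexpected (here, dev and admin) is a candidate for the forgotten services the lesson describes.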

Each discovered subdomain expands the infrastructure map and may represent a point of exposure. In a defensive audit, this enumeration often reveals forgotten assets (shadow IT) that the organization itself did not know were exposed, which makes it an exercise of enormous preventive value.

Shodan is a search engine that indexes devices and services connected to the internet rather than web pages. It lets you query which ports and services an IP or range has exposed, what software and versions they run, and what banners they return. For infrastructure OSINT it is invaluable: from a domain you can find all associated IPs and, with Shodan, learn their service surface without sending a single packet directly to the target, since Shodan already performed that scan.

Censys and FOFA offer similar capabilities with different approaches. These engines allow searches by organization, certificate, technology, or country, and are especially useful for identifying all of an entity's assets scattered across different cloud providers. Filters like "org:", "ssl.cert.subject", or "http.title" allow very precise queries.

It is important to stress that these engines only show information that services expose publicly; querying them is legal. However, attempting to connect to, authenticate against, or exploit the services found is no longer OSINT, but an action that requires explicit authorization. The ethical investigator uses Shodan to map and understand exposure, not to access systems without permission.