ESC

Research a Domain You Don't Own

Whether you're doing competitive research, assessing a potential acquisition, or investigating a suspicious sender, the DNS Toolkit lets you build a detailed profile of any domain — ownership history, infrastructure, technology, and related assets.

For full parameter and response schema details, see the API reference →

What you can find out

A full domain research workflow covers:

  • Who owns it — WHOIS registrant, registrar, creation and expiry dates
  • How old it is — days since registration (useful for trust scoring)
  • What's running on it — tech stack, frameworks, CDN, analytics
  • What's connected to it — subdomains, associated domains on the same registrant or server
  • Who's behind it — company profile scraped from the homepage

Full research script

# pip install toolkitapi
from toolkitapi import DNS

domain = "example.com"

with DNS(api_key="YOUR_KEY") as dns:
    # 1. Ownership
    whois = dns.whois(domain)
    print(f"Registrar: {whois.registrar}")
    print(f"Created:   {whois.created_date}")
    print(f"Expires:   {whois.expiry_date}")
    print(f"Registrant: {whois.registrant_org or whois.registrant_name or 'redacted'}")

    # 2. Age
    age = dns.domain_age(domain)
    print(f"Domain age: {age.days} days ({age.years:.1f} years)")

    # 3. Tech stack
    tech = dns.tech_stack(domain)
    print("Technologies detected:")
    for item in tech.technologies:
        print(f"  - {item.name} ({item.category})")

    # 4. Company profile
    company = dns.company_profile(domain)
    if company.name:
        print(f"Company: {company.name}")
    if company.description:
        print(f"About: {company.description[:200]}")

    # 5. Associated domains
    associated = dns.associated(domain)
    print(f"Associated domains: {len(associated.domains)}")
    for d in associated.domains[:10]:
        print(f"  - {d}")

    # 6. Subdomains
    subs = dns.subdomains(domain)
    print(f"Discovered subdomains: {len(subs.subdomains)}")
    for sub in subs.subdomains[:10]:
        print(f"  - {sub}")

Step 1 — WHOIS and registration data

WHOIS returns the registrar, registrant (where not redacted), creation date, and expiry date. Useful for establishing who controls a domain and when it was first registered.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.whois("example.com")
    print(f"Registrar:  {result.registrar}")
    print(f"Created:    {result.created_date}")
    print(f"Expires:    {result.expiry_date}")
    print(f"Name servers: {result.name_servers}")
curl "https://dns.toolkitapi.io/v1/whois?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"
const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/whois?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(`Registrar: ${data.registrar}  Expires: ${data.expiry_date}`);

Note: Since GDPR, many registrars redact personal registrant data. Organisation names are more often visible than individual names. Use domain-age for age-based signals even when registrant info is redacted.

Step 2 — Domain age

Newly registered domains are a common signal in phishing, fraud, and spam analysis. A domain registered two weeks ago claiming to be an established business should raise flags.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.domain_age("example.com")
    print(f"Age: {result.days} days ({result.years:.1f} years)")
    print(f"Registered: {result.created_date}")
curl "https://dns.toolkitapi.io/v1/domain-age?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"
const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/domain-age?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(`Domain age: ${data.days} days`);

Step 3 — Technology stack

Returns detected frontend frameworks, CMS, CDN, analytics, payment processors, and more. Useful for competitive analysis or understanding what you're dealing with before an integration.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.tech_stack("example.com")
    for tech in result.technologies:
        print(f"{tech.category}: {tech.name}")
curl "https://dns.toolkitapi.io/v1/tech-stack?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"
const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/tech-stack?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
data.technologies.forEach(t => console.log(`${t.category}: ${t.name}`));

Step 4 — Company profile

Scrapes the homepage for structured company information: name, description, social links, and contact details. Most useful on .com domains for established businesses.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.company_profile("example.com")
    print(f"Name:        {result.name}")
    print(f"Description: {result.description}")
    print(f"LinkedIn:    {result.linkedin}")
    print(f"Twitter:     {result.twitter}")
curl "https://dns.toolkitapi.io/v1/company-profile?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"
const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/company-profile?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(data.name, data.description);

Step 5 — Associated domains

Finds other domains registered by the same entity — same registrant email, name server cluster, or IP block. Useful for mapping the full infrastructure behind a domain or identifying connected brands.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.associated("example.com")
    print(f"Found {len(result.domains)} associated domain(s)")
    for domain in result.domains[:20]:
        print(f"  - {domain}")
curl "https://dns.toolkitapi.io/v1/associated?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"
const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/associated?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
console.log(`${data.domains.length} associated domains`);

Step 6 — Subdomains

Returns discovered subdomains for the target domain. Useful for understanding the scope of an organisation's infrastructure.

from toolkitapi import DNS

with DNS(api_key="YOUR_KEY") as dns:
    result = dns.subdomains("example.com")
    print(f"Found {len(result.subdomains)} subdomain(s)")
    for sub in result.subdomains:
        print(f"  - {sub}")
curl "https://dns.toolkitapi.io/v1/subdomains?domain=example.com" \
  -H "X-API-Key: YOUR_KEY"
const params = new URLSearchParams({ domain: "example.com" });
const r = await fetch(`https://dns.toolkitapi.io/v1/subdomains?${params}`, {
  headers: { "X-API-Key": "YOUR_KEY" },
});
const data = await r.json();
data.subdomains.forEach(s => console.log(s));

See also

Previous
Fix Email Deliverability
Next
Find Domain Names