Skip to content

Ask WHOIS who owns a domain and, more often than not, you get “REDACTED FOR PRIVACY.” Ask the domain itself, and it won’t shut up.

A live domain is doing work every second: resolving DNS, presenting a certificate, routing mail, serving a page stitched together from third-party accounts. None of that is redacted, because none of it lives in the registration record. It lives in how the thing is run. That is the shift that matters after GDPR gutted public WHOIS: stop asking who registered a domain and start reading what it does. The doing is where intent leaks.

The signal categories below all outlive redaction. Each one is good for something different, and one of them, the strongest, will occasionally hand you the wrong name.

DNS: what the domain admits about itself

DNS is the domain declaring, in public, how it wants to operate. It is almost never redacted, and it answers your first question for free: is this a real property or a parked shell?

Take two domains at random. dig MX github.com returns github-com.mail.protection.outlook.com — Microsoft 365. dig MX stripe.com returns Google’s aspmx.l.google.com cluster. Nothing links those two companies, and I’m not suggesting anything does. The point is that one field, MX, already told you each one runs real corporate mail on a specific provider, and told you which. A domain with no MX at all tells you something else entirely.

TXT records are where DNS gets loud. Pull them for github.com and you get a wall of verification tokens: docusign=, atlassian-domain-verification=, apple-domain-verification=, facebook-domain-verification=, one for Anthropic, one for Calendly, one for Miro. Each token exists because someone proved to that platform they controlled the domain. Read as a set, they sketch the operator’s tooling: the vendors they pay, the stack they’ve bought into. That is a lot of texture for a record type most people never look at.

The rest of DNS fills in the picture. NS records show who runs the zone, which is how a custom nameserver can quietly tie a whole portfolio together. SPF and DKIM in TXT describe the mail security posture. A records point at hosting, though behind a CDN they show the edge, not the origin, which brings us to the trap everyone falls into.

Hosting and network: where it really lives, and the trap

Behind every domain is an actual machine on an actual network. Resolve github.com and you land on an address in 140.82.121.0/24; run whois on it and the OrgName comes back GitHub, Inc. A company large enough to sit on its own network, which is convenient but rare. Most domains you’ll investigate sit on somebody else’s.

That is exactly where attribution goes wrong. Shared hosting is not shared ownership. A million unrelated sites share the same popular cloud, the same CDN, neighboring IPs in the same block. If you treat “same network” as “same operator,” you’ll cluster half the internet into one imaginary syndicate. Network overlap is context. On its own it is close to worthless, and it’s worthless in a way that feels productive, which is the dangerous kind. It matters only when it corroborates something operator-specific. Which is the next category.

Content and embedded identifiers: the operator’s fingerprints

The page is where a domain stops being infrastructure and starts being a person’s choices.

  • Analytics IDs, tag-manager IDs, and ad-network publisher IDs are account-scoped tokens. They map to a billing account, a person paying an invoice, not a shared box. A match here is close to a fingerprint.
  • Reused templates, favicons, and boilerplate. Operators rebuild what already worked; the seams of that reuse are a tell.
  • HTTP headers and the technology stack describe how the site was built and by whom.

These are the signals that most directly answer “same operator?” and the ones redaction never touches, because they were never in the registry to begin with.

Certificates: identity you’re forced to publish

Every HTTPS domain presents a TLS certificate, and certificates are public by design. The moment a CA issues one, it lands in Certificate Transparency logs. That was built to catch misissuance, but it doubles as a free, append-only ledger of what an operator has stood up.

The subject and SAN list on a certificate name every hostname it covers, so one cert spanning several domains is a direct operational tie. Issuance timing lines up with launches and infrastructure changes. And because CT is retroactive and searchable, it will surface subdomains and staging hosts an operator never meant to advertise. Certificates are one of the highest-value post-WHOIS signals precisely because the transparency is not optional.

History: the fourth dimension

Everything above describes a domain right now. History adds time. Passive DNS shows how resolution moved: hosting migrations, infrastructure shifts, the exact week something changed. Older registration snapshots sometimes preserve a registrant who was public before privacy protection landed on top of them. Ownership timelines hint at when control changed hands. The redacted present is often legible if you look at its past.

No single signal is the answer

The thread through all of it: ownership and intent emerge from fusion, never from one field.

A brand-new registration, no MX, a certificate issued yesterday, on disposable hosting, wearing a template you’ve seen on ten other sites, tells a coherent story. No single one of those fields told it. Flip it: a shared analytics account, plus a custom nameserver both domains point at, plus a common origin network is a real operator link, where any one of those alone is a shrug.

Two habits keep you honest. Combine independent signals, and weight them by how specific they are. An account-scoped identifier someone deliberately configured counts for a lot. Popular infrastructure that half the web also uses counts for almost nothing. Get that weighting backwards and you either miss the real links or invent false ones, and the false ones are the expensive mistake.

Run it yourself

One domain in, the fused signals out. Submit it, poll the job, and read the evidence. Swap YOUR_KEY for a key from your dashboard.

# 1 — submit the domain
curl -X POST https://api.whoisgeni.us/analyze \
  -H "X-API-Key: YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "stripe.com"}'
# -> { "job_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "status": "queued" }

# 2 — poll the job until status is "completed"
curl https://api.whoisgeni.us/jobs/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "X-API-Key: YOUR_KEY"

The result names the operator and lists every signal behind it, tagged by where it came from: WHOIS, DNS, TLS, HTTP. Redaction on any one field is flagged, not fatal. (Example response, live values vary.)

{
  "status": "completed",
  "domain": "stripe.com",
  "scoring_result": {
    "entities": [
      { "name": "Stripe", "display_name": "Stripe, Inc.", "entity_type": "organization", "confidence": 0.95 }
    ],
    "signals": [
      { "signal_type": "whois", "field": "registrant_org", "raw_value": "Stripe, Inc.", "redacted": false },
      { "signal_type": "tls",   "field": "ssl_subject_org", "raw_value": "Stripe, Inc.", "redacted": false },
      { "signal_type": "dns",   "field": "mx_provider",     "raw_value": "google",       "redacted": false },
      { "signal_type": "http",  "field": "jsonld_org",      "raw_value": "Stripe",        "redacted": false }
    ]
  },
  "missing_signals": []
}

Where the strongest signal lies to you

Now the honest part, because the fingerprint model has a real failure case and it’s worth naming.

The most trusted signals, the account-scoped identifiers, can be copied. A phishing kit that clones a bank’s login page usually clones the whole page, analytics snippet and all. Scrapers lift templates wholesale. A verification token sitting in a public TXT record can be pasted into a lookalike domain by someone who never controlled the original. When that happens, the “fingerprint” you’d have staked a report on points straight at the victim, not the attacker. The clone is wearing the operator’s face.

So a strong identifier match is a strong lead, not a verdict. It has to survive a sanity check: does the rest of the picture agree, or is this the one signal that a copycat could have grabbed for free? Fusion isn’t just for building confidence. It’s how you catch the single signal that’s been forged, by asking whether anything independent backs it up. Usually the forgery is loud everywhere else and quiet exactly where forgery is hard.

From signals to answers

Gathering all of this by hand for one domain is a slow afternoon: resolve past the CDN, pull CT, parse DNS, extract the embedded IDs, walk the history. Doing it across a portfolio, consistently weighted, with an evidence trail you can defend later, isn’t an afternoon. It’s a pipeline.

That’s what WhoisGenius is. It fuses these categories into one confidence-scored result, weights the operator-specific signals above the coincidental ones, watches for the copied-fingerprint case, and hands back the per-signal evidence behind every answer, so you see not just who, but why, and how sure it’s willing to be.

Start free with 75 credits. No credit card.

See who runs a domain

WhoisGenius fuses WHOIS, DNS, certificates, hosting, and content signals into one scored answer — with the evidence behind it.

Start free with 75 credits