DomLink: Mapping Corporate Attack Surfaces Through Recursive WHOIS Pivoting
Hook
A single forgotten domain registered five years ago under a subsidiary's old email address could be your organization's weakest entry point. DomLink finds those domains automatically.
Context
Security reconnaissance traditionally involves painstaking manual research: querying WHOIS databases, copying registrant emails, searching for other domains with those emails, then repeating the process for each discovery. This becomes exponentially time-consuming when organizations operate through multiple subsidiaries, use various registration emails, or have undergone mergers and acquisitions.
DomLink emerged from the red team community to automate this tedious pivoting process. Created by Vincent Yiu (@vysecurity), it addresses a specific gap in the reconnaissance toolkit: while tools like Amass excel at subdomain enumeration and theHarvester scrapes surface-level data, DomLink focuses exclusively on organizational relationship mapping through WHOIS data. It answers the question "What else does this company own?" by treating WHOIS registrant information as the pivot point rather than the endpoint.
Technical Insight
DomLink implements a breadth-first search algorithm over the WHOIS information space, using registrant details as edges in an implicit graph. The architecture is deliberately minimal—a single Python script that orchestrates API calls to WHOXY without complex dependency chains or database requirements.
The core workflow begins with a seed domain. DomLink queries WHOXY's API for WHOIS data, extracting two critical identifiers: the registrant organization name and registrant email address. These become search pivots for reverse WHOIS lookups, which return all domains registered under those identifiers. Each newly discovered domain enters the queue for processing, and the cycle continues until the search space is exhausted or a limit is reached.
Here's the essential logic flow:
from collections import deque

def discover_domains(seed_domain, api_key):
    """Breadth-first pivot: domain -> registrant org/email -> more domains.
    whoxy_lookup, whoxy_reverse_search and is_generic_email are the script's
    WHOXY API wrappers and filter helper, defined elsewhere in the tool."""
    discovered = set()
    queue = deque([seed_domain])   # deque gives O(1) pops from the front
    processed = set()
    while queue:
        current_domain = queue.popleft()
        if current_domain in processed:
            continue
        # Forward lookup: domain -> org/email
        whois_data = whoxy_lookup(current_domain, api_key)
        org_name = whois_data.get('registrant_organization')
        email = whois_data.get('registrant_email')
        # Reverse lookup: org/email -> domains
        if org_name:
            org_domains = whoxy_reverse_search('company', org_name, api_key)
            for domain in org_domains:
                if domain not in discovered:
                    discovered.add(domain)
                    queue.append(domain)
        if email and not is_generic_email(email):
            email_domains = whoxy_reverse_search('email', email, api_key)
            for domain in email_domains:
                if domain not in discovered:
                    discovered.add(domain)
                    queue.append(domain)
        processed.add(current_domain)   # mark done so revisits are skipped
    return discovered
The power lies in this recursive pivoting. A seed domain example.com might be registered to tech@example.com. That email might also have registered example.io, example-dev.com, and examplecorp.net. Each of those domains could be registered under different organizational names or additional emails, creating a web of relationships that manual research would take hours to uncover.
DomLink's dependence on WHOXY is both a design strength and constraint. By outsourcing the heavy lifting of WHOIS data aggregation, maintenance, and parsing to a dedicated API provider, the tool remains lightweight and focused. WHOXY normalizes inconsistent WHOIS formats across different registrars and TLDs—a notoriously painful problem in WHOIS parsing. The trade-off is complete dependency on a third-party service with associated costs and rate limits.
The tool implements basic deduplication to prevent infinite loops (domains already processed are skipped) and provides CSV output for downstream analysis. There's no sophisticated natural language processing for entity resolution, meaning "Example Inc." and "Example Incorporated" would be treated as separate entities despite likely being the same organization. This simplicity keeps the codebase accessible but requires manual post-processing for complex scenarios.
One subtle architectural choice worth noting: DomLink doesn't implement backoff or retry logic for API failures. In production reconnaissance workflows, you'll want to wrap this in error handling and rate limiting logic, especially if you're processing large organizations where a single run might consume hundreds of API credits.
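One way to add the missing retry, rate-limiting and budget logic around the API calls, as an added example that is not DomLink's own code. `ThrottledClient` and `make_flaky_api` are hypothetical names; the stand-in API is constructed so the block runs offline, and it assumes only successful queries consume credits.

```python
import random
import time
class CreditBudgetExceeded(Exception):
    """Raised before a query that would exceed the configured credit budget."""

class ThrottledClient:
    """Wraps one API call with a credit budget, a minimum interval between
    calls and exponential backoff. `call` is any callable that performs a
    query and raises on transient errors; `sleep` is injectable for tests.
    Assumption: only successful queries consume credits."""

    def __init__(self, call, max_credits, min_interval=1.0,
                 max_retries=3, sleep=time.sleep):
        self.call = call
        self.credits_left = max_credits
        self.min_interval = min_interval
        self.max_retries = max_retries
        self.sleep = sleep
        self.calls_made = 0
        self._last_call = float("-inf")   # no wait before the first call

    def query(self, *args):
        if self.credits_left <= 0:
            raise CreditBudgetExceeded("API credit budget exhausted")
        for attempt in range(self.max_retries + 1):
            # Rate limit: never fire requests closer together than min_interval.
            wait = self.min_interval - (time.monotonic() - self._last_call)
            if wait > 0:
                self.sleep(wait)
            self._last_call = time.monotonic()
            try:
                result = self.call(*args)
            except Exception:          # transient API or network failure
                if attempt == self.max_retries:
                    raise              # give up after the last retry
                self.sleep(2 ** attempt + random.random())  # 1s, 2s, 4s + jitter
                continue
            self.credits_left -= 1
            self.calls_made += 1
            return result

def make_flaky_api(failures_before_success):
    """Constructed stand-in for the WHOXY API: fails N times, then answers."""
    state = {"failures": 0}
    def call(domain):
        if state["failures"] < failures_before_success:
            state["failures"] += 1
            raise ConnectionError("simulated transient error")
        return {"domain_name": domain, "registrant_email": "tech@example.com"}
    return call
```

Wrap the tool's forward and reverse lookups in one shared client so the credit budget covers the whole run rather than a single call type.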
Gotcha
The biggest limitation is WHOIS privacy protection, which has become ubiquitous since GDPR enforcement. Modern domain registrations increasingly mask registrant details behind privacy services like "WhoisGuard" or "Domains by Proxy." When DomLink encounters these, it hits a dead end—the extracted organization name is the privacy service itself, not the actual registrant, leading to thousands of unrelated domains in the results.
API costs add up quickly for comprehensive reconnaissance. WHOXY operates on a credit system where each query consumes credits, and a single DomLink run against a moderately sized organization can easily trigger 50-100 API calls as it recursively discovers domains. You'll need to budget accordingly, and the tool provides no cost estimation before execution.

Generic email providers present another challenge: if a domain is registered to admin@gmail.com, reverse searching that email could return thousands of unrelated domains. DomLink includes minimal filtering, so you'll spend time manually separating signal from noise in the results.

The tool also hasn't been updated since its initial release in 2017, meaning it doesn't leverage newer OSINT data sources or account for changes in the WHOIS ecosystem.
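The privacy-service, generic-email and "Example Inc." versus "Example Incorporated" problems described above can all be handled before a reverse search is spent. This added example is not part of DomLink; the marker lists and the WHOIS records are constructed, and `pivots_for` is a hypothetical pre-filter that decides which pivots are worth a credit and queries each normalized entity only once.

```python
import re

# Constructed marker lists for illustration; extend them from your own results.
PRIVACY_MARKERS = ("whoisguard", "domains by proxy", "proxy", "privacy",
                   "redacted", "withheld")
GENERIC_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com",
                         "outlook.com", "protonmail.com"}
ORG_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp",
                "corporation", "co", "company", "gmbh", "plc"}

def is_privacy_protected(value):
    """True if an org name or email looks like a WHOIS privacy service."""
    return any(marker in (value or "").lower() for marker in PRIVACY_MARKERS)

def is_generic_email(email):
    """True for webmail addresses whose reverse search would be pure noise."""
    if not email or "@" not in email:
        return True
    return email.lower().rsplit("@", 1)[1] in GENERIC_EMAIL_DOMAINS

def normalize_org(org_name):
    """Reduce 'Example Inc.' / 'EXAMPLE, Incorporated' / 'Example Co. Ltd' to 'example'."""
    tokens = re.findall(r"[a-z0-9]+", (org_name or "").lower())
    while tokens and tokens[-1] in ORG_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def pivots_for(record, seen_orgs, seen_emails):
    """Return the (kind, value) reverse-search pivots worth spending credits on
    for one WHOIS record, updating the seen sets so each entity is queried once."""
    pivots = []
    org = record.get("registrant_organization")
    email = record.get("registrant_email")
    if org and not is_privacy_protected(org):
        key = normalize_org(org)
        if key and key not in seen_orgs:
            seen_orgs.add(key)
            pivots.append(("company", org))
    if email and not is_generic_email(email) and not is_privacy_protected(email):
        email = email.lower()
        if email not in seen_emails:
            seen_emails.add(email)
            pivots.append(("email", email))
    return pivots
```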
Verdict
Use if: You're conducting authorized security assessments, penetration tests, or bug bounty reconnaissance where mapping an organization's complete domain portfolio is critical, you have budget for WHOXY API credits, and you're targeting organizations that historically registered domains without privacy protection (often older companies or government entities). DomLink excels at uncovering forgotten assets—that staging server from an acquisition three years ago or the regional subsidiary domain nobody remembered. It's also valuable when you need a lightweight, auditable tool that doesn't require complex infrastructure.

Skip if: You're working with privacy-aware organizations where most domains use WHOIS protection, you need a free solution (the WHOXY dependency makes this impossible), you require real-time results (the breadth-first approach can be slow), or you need sophisticated entity resolution for organizations with inconsistent naming patterns. In those cases, invest time in commercial threat intelligence platforms like RiskIQ or build custom pipelines using multiple free data sources with manual verification steps.