DomLink: Automating Domain Discovery Through WHOIS Pivoting

Hook

Most domain reconnaissance stops at finding subdomains. But what if your target operates twenty different root domains under slightly different company names? You’d never find them through DNS enumeration alone.

Context

Traditional domain reconnaissance focuses on vertical discovery—finding subdomains beneath a known root domain through DNS brute-forcing, certificate transparency logs, or search engine scraping. But organizations don’t organize their digital infrastructure that way. Acquisitions keep their original domains. Regional offices register local TLDs. Product lines spin up under different brands. These sibling domains share no DNS hierarchy, making them invisible to subdomain enumeration.

The common thread? Registration metadata. Before GDPR and privacy protection services became ubiquitous, WHOIS records revealed who registered a domain—organization names, email addresses, sometimes even physical addresses. Security researchers manually pivoted on this data: look up target.com, extract the registrant email admin@target.com, search WHOIS databases for other domains registered to that same email, repeat. DomLink, created by Vincent Yiu for red team engagements and bug bounty hunting, automates this tedious process into a single command that recursively maps organizational domain portfolios through WHOIS pivoting.

Technical Insight

Processing Loop

[Figure: system architecture (auto-generated). Processing loop: Seed Domain -> Domain Queue -> WHOIS Lookup (WHOXY API) -> Extract Registrant (Email & Org Name) -> Already Queried? (Yes: skip; No: Reverse Lookup via WHOXY API) -> Discovered Domains -> Deduplication -> Output File]

DomLink implements a breadth-first search algorithm over WHOIS data, using the WHOXY API as its data source. The architecture is deliberately minimal—a single Python script with one external dependency. You provide a seed domain, and DomLink queries WHOIS records to extract two pivot points: the registrant organization name and the registrant email address. It then queries WHOXY’s reverse lookup endpoints to find all other domains associated with those identifiers. Each discovered domain gets added to the processing queue, and the cycle continues until no new domains emerge.

Setup requires only a WHOXY API key placed in a configuration file. From there, a single command starts the crawl:

python domLink.py -D target.com -o target.out.txt

This command initiates the recursive discovery process, writing all discovered domains to the specified output file. The tool deduplicates results automatically, so even if multiple paths lead to the same domain (through both email and organization name matches), it appears only once in the output.

The core workflow follows this logic: Start with target.com → WHOIS lookup returns “Acme Corporation” and “admin@acme.com” → Reverse search finds acme-products.com, acme.co.uk, acme-holdings.net → Each of those domains gets WHOIS lookups → New registrant information like “Acme Holdings LLC” gets reverse searched → Process continues until the graph is exhausted.

What makes DomLink effective for its specific use case is what it doesn’t do. There’s no complex correlation engine, no machine learning to fuzzy-match organization names, no integration with a dozen different data sources. It’s a focused implementation of a single reconnaissance technique. This simplicity means the tool runs fast, produces predictable output, and fails in obvious ways when the WHOXY API is unavailable or returns empty results.

The tool maintains state to avoid redundant API calls—once it’s queried an organization name or email address, it won’t query the same identifier again even if encountered through a different path. This optimization matters because WHOXY charges per API call, and reverse WHOIS lookups can return hundreds of domains for common registrant emails (especially at smaller organizations where one IT admin registered everything).

One architectural decision worth noting: DomLink outputs only domain names, not the full relationship graph. You don’t get a map showing which domains share which registrant details. The output is a flat list of domains. For many reconnaissance workflows, this is exactly right—you want a target list to feed into subdomain enumeration or port scanning, not a visualization. But if you’re trying to understand organizational structure or identify acquisition relationships, you’ll need to parse the WHOIS data yourself or use a different tool.

Gotcha

DomLink’s fatal dependency is WHOIS data quality, which has deteriorated significantly since the tool’s creation. GDPR regulations and privacy protection services mean most modern domain registrations hide registrant information behind proxy services like “Domains By Proxy” or “WhoisGuard.” When DomLink encounters a privacy-protected domain, it extracts the proxy service’s information instead of the actual registrant, leading to massive false positive graphs where hundreds of unrelated domains appear connected because they all use the same privacy service.

The tool also inherits all limitations of the WHOXY API. You need paid credits, you’re subject to rate limits, and you’re trusting a third-party service’s data freshness and accuracy. WHOIS records update inconsistently—some registrars push changes immediately, others cache for days. There’s no built-in filtering for common noise like shared hosting providers, domain marketplaces, or registrar parking pages that might share organizational metadata despite having no real relationship to your target. A large corporation that uses the same registrar as thousands of other companies might show false associations if the registrar’s information bleeds into WHOIS records. You’ll need manual triage of results, especially for high-volume outputs.
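The breadth-first loop described under Technical Insight, together with the privacy-proxy problem described in this section, is easy to see in miniature. The following is an added example and not DomLink's own code: `WhoisSource` stands in for the WHOXY forward and reverse endpoints and is backed by a small constructed table of registrant records (every organization name, e-mail address and domain in it is invented), so the loop runs offline. The `pivot` function keeps the queried-identifier set that prevents repeat API calls, counts lookups the way a per-call billing model would, and, going one step past the tool, refuses to expand identifiers that belong to privacy services and records the (identifier, domain) edges so results can be triaged instead of output only as a flat list. The `PRIVACY_PROXIES` set and all function names are this example's own choices.

```python
"""Breadth-first WHOIS pivoting over a constructed in-memory dataset.

Added example, not DomLink's own code. The real tool calls the WHOXY API;
`WhoisSource` below is an offline stand-in fed with hand-written records.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed WHOIS records: domain -> (registrant organization, registrant e-mail).
# All values are invented for illustration.
CONSTRUCTED_WHOIS = {
    "acme.com": ("Acme Corporation", "admin@acme.com"),
    "acme-products.com": ("Acme Corporation", "admin@acme.com"),
    "acme.co.uk": ("Acme Corporation", "hostmaster@acme.co.uk"),
    "acme-holdings.net": ("Acme Holdings LLC", "admin@acme.com"),
    "acme-legacy.org": ("Acme Holdings LLC", "it@acmeholdings.example"),
    # Privacy-protected registration: the org name survived but the e-mail
    # is the proxy service's address.
    "acme-store.shop": ("Acme Corporation", "proxy@domainsbyproxy.example"),
    # Unrelated domains that happen to use the same privacy service.
    "unrelated-blog.example": ("Domains By Proxy, LLC", "proxy@domainsbyproxy.example"),
    "another-shop.example": ("Domains By Proxy, LLC", "proxy@domainsbyproxy.example"),
}

# Identifiers of privacy services (constructed, lower-cased). Pivoting on them
# links every customer of the service, so they are never expanded.
PRIVACY_PROXIES = {
    "domains by proxy, llc",
    "whoisguard, inc.",
    "proxy@domainsbyproxy.example",
}


class WhoisSource:
    """Stand-in for the forward and reverse WHOIS endpoints (constructed data)."""

    def __init__(self, records):
        self.records = records
        self.calls = 0  # every lookup is counted, mirroring per-call billing

    def lookup(self, domain):
        """Forward lookup: (org, email) for a domain, or None if unknown."""
        self.calls += 1
        return self.records.get(domain)

    def reverse(self, identifier):
        """Reverse lookup: all domains whose org or e-mail equals `identifier`."""
        self.calls += 1
        ident = identifier.lower()
        return sorted(d for d, (org, email) in self.records.items()
                      if org.lower() == ident or email.lower() == ident)


@dataclass
class PivotResult:
    domains: list                                   # deduplicated, sorted
    skipped_identifiers: set = field(default_factory=set)
    edges: list = field(default_factory=list)       # (identifier, domain) for triage
    api_calls: int = 0


def pivot(seed, source, skip_identifiers=PRIVACY_PROXIES):
    """Breadth-first crawl from `seed` over registrant org names and e-mails."""
    queue = deque([seed.lower()])
    seen_domains = {seed.lower()}
    queried_identifiers = set()  # org names / e-mails already reverse-searched
    result = PivotResult(domains=[])
    while queue:
        domain = queue.popleft()
        result.domains.append(domain)
        record = source.lookup(domain)
        if record is None:
            continue  # no WHOIS data: nothing to pivot on
        for identifier in record:
            key = identifier.lower()
            if key in queried_identifiers:
                continue  # reached via another path already; no second API call
            queried_identifiers.add(key)
            if key in skip_identifiers:
                result.skipped_identifiers.add(identifier)
                continue  # privacy service: expanding it would pull in strangers
            for found in source.reverse(identifier):
                result.edges.append((identifier, found))
                if found not in seen_domains:
                    seen_domains.add(found)
                    queue.append(found)
    result.api_calls = source.calls
    result.domains.sort()
    return result


if __name__ == "__main__":
    res = pivot("acme.com", WhoisSource(CONSTRUCTED_WHOIS))
    print(f"{len(res.domains)} domains found in {res.api_calls} API calls")
    for d in res.domains:
        print(d)
    if res.skipped_identifiers:
        print("privacy-service identifiers not expanded:", sorted(res.skipped_identifiers))
```

Running the crawl with the proxy filter in place yields the six Acme domains; running it with `skip_identifiers=set()` also pulls in the two unrelated domains through the shared proxy e-mail, which is the false-positive graph described above, and costs four extra lookups.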

Verdict

Use DomLink if you’re investigating established organizations that registered domains before privacy protection became standard practice (pre-2015 domains are goldmines), or if you’re targeting regions or industries with poor GDPR compliance where WHOIS data remains exposed. It excels at discovering forgotten acquisition domains and legacy properties that security teams lose track of. Skip it if your target is privacy-conscious with modern domain practices, if you can’t afford WHOXY API credits for potentially large result sets, or if you need real-time accuracy rather than reconnaissance breadth. For contemporary targets, invest time in certificate transparency log analysis and DNS enumeration instead—they’re not blocked by privacy services. DomLink works best as a complementary technique alongside other discovery methods, not as your primary reconnaissance strategy.
