Why this tool exists
Real DNS history — every A / AAAA / CNAME / MX / NS record a domain has ever had, with timestamps — lives behind commercial APIs (SecurityTrails, DNSDB, Farsight) that cost real money. Two free public datasets give a useful approximation:
- Certificate Transparency. Every TLS certificate issued by a public CA (essentially every cert your browser will trust) must be logged to at least two public append-only logs before browsers accept it. The logs are queryable — crt.sh aggregates them — so anyone can see every certificate ever issued for any domain. From that you learn: when the domain first got an HTTPS cert (a lower bound on when it became a real service); which CAs the operator has used; every subdomain that ever appeared in a SAN entry. The original motivation was detecting CA misissuance; the side-effect is the cheapest "historical footprint" tool there is.
- Wayback Machine. The Internet Archive's crawler has been capturing public web pages since 1996. The CDX API returns the first ever capture for a domain — a lower bound on when it was publicly live, regardless of when the registration says it was first registered.
What the timeline tells you
- "When did this become a real service?" The first CT entry plus the first Wayback snapshot bracket the answer. The earlier of the two is a lower bound on real activity.
- "What subdomains did they have?" Every cert lists its SAN names. Aggregating across all certs gives the union of subdomains ever publicly certified — frequently includes staging, internal-tools, mail-MX, and other names not currently in the live DNS.
- "Which CAs have they used?" The issuer field on each cert. A pattern of switching CAs frequently is normal for sites using auto-issuance (Let's Encrypt + a backup); a single long-running EV cert is normal for enterprises.
- "Is this a freshly-spun-up site?" If the first cert was issued this week and Wayback has no snapshots, the domain is very young — exactly the fraud-detection signal that pairs well with the domain age checker.
What this can't tell you
- IP-address history. CT records names, not addresses. The Wayback CDX records the URL that was captured, not the IP it resolved to at that moment. For real DNS history, you need SecurityTrails or similar.
- Activity that never used HTTPS. Pre-2014 sites that ran plain HTTP forever don't show up in CT at all. Wayback partially compensates.
- Private subdomains. A subdomain only used internally and never certified publicly is invisible to CT. Wildcard certs (*.example.com) cover entire trees without revealing the specific labels.
How to read the results
The result table shows every unique certificate ever observed, sorted oldest first. For each one: issuance date, expiry, issuing CA, and the full SAN name list. Below the table you'll see two aggregate views — the union of all subdomains ever observed, and the set of CAs the operator has used. Below those, the earliest Wayback snapshot if one exists, with a direct link into the archive.
Adjacent tools
- Domain age checker — RDAP registration date for the authoritative "when was the domain created."
- What's hosting this site? — current IPs, ASN, and cloud provider serving the domain right now.
- SSL / TLS checker — inspect the certificate currently in use.
- DNS lookup — query any record type live via DoH.