Home / Industry

Using WHOIS History and Other Intelligence Sources for Establishing Potential Attack Surfaces

Cyber attacks can come from practically any angle, and more often than not, it’s hard to see them coming without knowing all there is to know about a domain’s WHOIS history and connected domain entities. Several aspects come into play in this scenario, one of which is old and forgotten pages on a website.

While many website owners believe these are harmless, that may not be the case, and we’ll show why in this post with the help of WhoisXML API‘s WHOIS history and other tools.

Under cnn[.]com’s Hood

The older a website is, the more content cyber attackers can take advantage of. Why? Simply because over time, it’s only natural for site administrators to come and go and let’s face it, the more pages there are on a website, the more likely several of them don’t get adequately documented. Take a site like cnn[.]com, for instance. It has been online since 1993.

Given its nature, cnn[.]com gets updated multiple times a day or even an hour, especially when there are breaking news stories. With an operation that comprises two dozen branded networks and 1,000 affiliates worldwide, including digital channels, CNN naturally has a massive web infrastructure. Tracking all of its web properties is a huge responsibility, and some pages may fall into the cracks undetected.

We looked at just how big an infrastructure using WHOIS history and subdomains lookup tools and here’s what we found:

WHOIS History and Reverse WHOIS search for cnn[.]com

To date, cnn[.]com has 19 historical records, 4 domain registrants, and undergone 376 domain-related changes.

The domain uses these details in its latest WHOIS record dated 22 August 2020:

  • Registrant organization: Turner Broadcasting System, Inc.
  • Street address: One CNN Center
  • City: Atlanta
  • State: Georgia
  • Postal code: 30303
  • Country: U.S.
  • Email address: tmgroup@turner[.]com
  • Phone Number: 14048275000
  • Fax number: 14048271995

We used the registrant details obtained via Reverse WHOIS Search’s advanced tool to get a list of all domains that share them. That would give us an idea of how significant CNN’s web presence is. We limited our search terms to those that could be clearly identified as owned by the company (i.e., domain name, registrant organization, and email and street addresses) and chose to include all historical records.

We got a list of 777 domains containing all of the search terms we entered. It’s safe to say CNN owns all of these. Note that some of them have misspellings and used a different top-level domain (TLD) such as ccnnews[.]net, ccnn[.]net, and ccnnewsstand[.]com. CNN most likely registered these domains as part of its anti-typosquatting domain strategy.

Subdomains Lookup for cnn[.]com

Now that we have an extensive list of CNN’s existing domains, we can move on to determining how many subdomains or pages it maintains. We ran cnn[.]com, for example, on Subdomains Lookup and ended up with a list of 326 subdomains.

Taking a closer look, the subdomain salute[.]blogs[.]cnn[.]com was last updated on 21 October 2019. Visiting the subdomain would result in an “unknown domain error” by Fastly, a content delivery network that CNN may have used in the past.

Such occurrence can be problematic since according to DNS Lookup, salute[.]blogs[.]cnn[.]com points to hlntv[.]com, CNN’s cable news channel. The domain redirects to https[:]//edition[.]cnn[.]com/specials/videos/hln.

Since it appears that salute[.]blogs[.]cnn[.]com is no longer in use, CNN may be safer if the subdomain is removed, along with other subdomains that are no longer in service.

Global brands have a responsibility to their employees, consumers, and stakeholders. That extends to keeping the personally identifiable information (PII) of its employees and visitors, not to mention its reputation, safe from the repercussions of a cyber attack.

A thorough WHOIS history check combined with a subdomains lookup can help with that, as it gives organizations a starting point to establish its entire digital footprint. Any of its domains and subdomains, if left insufficiently protected, can serve as an entry point for an attacker.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Domain Names

Sponsored byVerisign