How can I find all of the domain names owned by a company? [closed]
What tools or techniques can I use to find all of the domain names owned by a company? A paper or guide would also be beneficial. I don't think there is one solution to this problem, so I'm curious as to your ideas on the topic.
These are more unsorted thoughts than an actual answer, but they may provide some information.
There is no official way for outsiders to find all the domains belonging to an owner, at least not for any of the big TLDs. But I think I saw a country TLD once (a very small country) that allowed searching for owner handles and domains that belonged to that person - this may be the case for a few TLDs. Most however do not allow reverse searching for owners.
There are third-party services that make a living from sifting through the web and building a backward searchable domain database. @plua links to one of them; here is a bunch of others. I know of no free service. I have seen companies that provide these services for the .com/.net/.org TLDs and for .de, not sure whether they exist for every TLD out there.
Many .com registrars offer protected registrations that are not traceable to their real owner at all. British .co.uk addresses can be completely anonymized to the public. Obviously, you will not be able to trace the real owner in these cases. Contrary to that, you have it fairly easy in Germany: The owner info is always publicly on record.
A very interesting method to find domains that belong together is reverse IP lookup, which concentrates on domains on a certain Server/IP rather than domains belonging to somebody. This can reveal the most interesting things like hitherto unrevealed connections between brands where the company was careless enough to host them on the same server or hosting package. This free service shows fairly decent results; I have little experience in the market but there are many paid services as well. The method they employ is the same as the "reverse owner lookup" services - they crawl and use search engine results to find domains that resolve to a certain IP. The quality of the data will vary and is probably higher with the paid services. Note that you can get a lot of false positives when the domain you query is running on a shared hosting package.
The greatest interface to mass query domains from a lot of TLDs is Speednames. The system is brilliant, and mysteriously, completely free.
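An added example, not part of the original answer, showing how the shared-hosting false positives mentioned above can be separated out when checking reverse IP results against a company's own domain inventory. The records, the known-domain list and the tenant-count threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of (domain, IP) pairs, as a reverse-IP export might list them.
# Names use reserved example/test domains; IPs use documentation ranges.
RECORDS = [
    ("example.com", "192.0.2.10"),
    ("example.net", "192.0.2.10"),
    ("brand-a.example", "192.0.2.10"),
    ("Brand-B.example.", "192.0.2.10"),
    ("example.org", "198.51.100.7"),
    ("shop1.test", "198.51.100.7"),
    ("shop2.test", "198.51.100.7"),
    ("shop3.test", "198.51.100.7"),
    ("shop4.test", "198.51.100.7"),
    ("brand-a.example", "198.51.100.7"),
    ("unrelated.test", "203.0.113.5"),
]
# Domains already in the company's own inventory (constructed).
KNOWN = {"example.com", "example.net", "example.org"}


def normalize(domain):
    """Lower-case and drop the trailing root dot so duplicates collapse."""
    return domain.strip().lower().rstrip(".")


def triage(records, known, shared_threshold=5):
    """Label unknown domains that share an IP with a known domain.

    shared_threshold is an assumed cut-off: an IP serving at least that
    many distinct domains is treated as a shared hosting package.
    """
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(normalize(domain))
    verdicts = {}
    for ip, domains in by_ip.items():
        if not domains & known:
            continue  # no known domain here, so this IP says nothing about ownership
        shared = len(domains) >= shared_threshold
        for d in domains - known:
            if shared:
                verdicts.setdefault(d, "shared-hosting")  # weak signal, never overrides
            else:
                verdicts[d] = "likely-related"  # small IP neighbourhood wins
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(triage(RECORDS, KNOWN).items()):
        print(f"{name:20} {verdict}")
```

A "likely-related" label is only a lead to confirm against registrar invoices or WHOIS records, not proof of ownership.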
Robtex is a useful tool when doing research about domain names. It queries publicly available information to get interesting results. For example, there are quite a few domains owned by Apple.
Most TLDs don't connect a specific legal entity with domain registrations, and that makes it impossible to find what you're looking for. However, the .ca TLD is an exception, and requires registrants to identify themselves as individuals, corporations, or other legal entities. But even then, I don't think this information is freely available.
While recently working with a client, I discovered that they owned twice as many domain names as they had on record. This only became apparent when they received invoices for those domains! If even the registrants don't know what their domains are, how do you expect to find out?
You can try Reverse Whois from Domain Tools. There are other companies that offer similar services. It is, as far as I know, always a paid service, at least to get a pretty complete picture. In the case of Domain Tools, you pay depending on the number of websites that are found. Up to 9 sites costs you $80; if there are 1000 sites it will cost you $1,000, so I hope you are not looking for all domains of a company that is too active on the internet...