Build a full domain history timeline from free public sources: every SSL certificate ever issued via Certificate Transparency logs, every historical subdomain discovered, first-known date the domain existed, Wayback Machine snapshot counts per year, and a year-by-year activity chart. A free alternative to SecurityTrails and DomainTools for basic passive-DNS research. Great for due diligence before buying a dropped domain.
Every time a website changes its nameserver, A record, or MX record, that change is recorded across the global DNS ecosystem and preserved by passive-DNS collectors, certificate logs, and historical DNS databases. The Sentinel DNS History Checker is a free, no-signup tool that surfaces that history for any domain on the public internet — giving you a dated, chronological timeline of every nameserver, A record, SOA record, and hosting provider the domain has ever used. You can use it to reveal the real hosting provider behind a Cloudflare-fronted site, investigate a suspicious or newly-acquired domain, build an evidence file for a UDRP/trademark dispute, perform bug-bounty reconnaissance, verify an aged-domain purchase, or simply understand how a website's infrastructure has changed over time. The tool pulls from multiple free public sources: whoisfreaks.com's public historical DNS database for dated NS / A / SOA records, crt.sh Certificate Transparency logs for every SSL certificate ever issued, the Internet Archive's Wayback Machine for archived HTTP response headers (which reveal the actual origin hosting stack), and live recursive DNS for the current authoritative state. No API keys, no rate limits, no account required — the entire report is free and public.
If the current live nameservers for this domain end in cloudflare.com or cloudflare.net and the historical record shows at least one non-Cloudflare nameserver in the past, we surface the most-recent non-Cloudflare provider at the top of the report as the probable origin host. We also include the exact NS hostnames, the date they were last observed, and a direct link to the evidence so you can verify the finding yourself.
A fresh lookup of the authoritative NS records right now, tagged with a CF badge on any hostname that ends in cloudflare.com or cloudflare.net. This is the baseline — whatever the rest of the report shows, these are the nameservers currently delegated to the domain at the root zone.
The heart of the report. A newest-to-oldest list of every distinct NS provider this domain has ever used, deduplicated by the registrable parent (so all four "colleen.ns.cloudflare.com / elliot.ns.cloudflare.com" variants collapse into one cloudflare.com row). Each entry shows the date the provider was first observed, the exact NS hostnames, and an evidence link. Read this like a hosting migration log: it tells you in what order the domain changed hosts and — crucially — which host came right before (or right after) Cloudflare.
The actual Server, X-Powered-By, Via, and CF-Ray HTTP response headers the Wayback Machine captured when it crawled the site each year. This is direct evidence of what hosting stack was answering requests at each archived point in time — LiteSpeed means a Namecheap/Hostinger-class shared host, Apache + cPanel fingerprints mean a traditional reseller, nginx + a specific version pattern identifies DigitalOcean droplets or custom VPSes, and a CF-Ray header is definitive proof the domain was behind Cloudflare on that date.
The raw list of every historical DNS record card we read to build the provider timeline. Each row links directly to the source so you can open the original dated record and cite the evidence in a report, a DMCA/UDRP filing, or a security investigation.
The earliest of (first SSL certificate in the CT logs) and (first Wayback Machine snapshot of the site itself). If this date is 2005, the domain has genuinely existed and been actively used since 2005. If it is 2024 on a domain the seller claims is "15 years old", the seller is lying — the domain may have been registered long ago but was almost certainly parked with no real site until recently.
Every SSL certificate ever issued for any subdomain of this domain is logged to public Certificate Transparency. Heavy cert counts mean the domain is actively maintained; one-off certs from years ago mean the site was built once and abandoned. Historical subdomains is the list of every hostname that ever appeared on one of those certificates — even if it no longer resolves — which is invaluable for bug-bounty reconnaissance and orphaned-infrastructure discovery.
The first and last archive.org snapshot dates tell you the lifespan of the active site; clicking the first-snapshot link shows you what the site literally looked like on day one. The year-by-year bar chart combines certs and snapshots so you can see at a glance whether the domain was dormant (no bars) or actively serving a real site (tall bars) in any given year.
Every website on the internet maps its domain name to an underlying server through a chain of DNS (Domain Name System) records. Those records change over time — when the owner switches hosting providers, turns on a CDN, moves to Cloudflare, restructures their mail setup, or simply renews infrastructure. Most DNS-lookup tools only show you the current state, but the history of those changes tells a much richer story. DNS history is how you prove when a domain moved to a new host, when a site was likely taken over by a new owner, when a competitor bought a legacy domain to absorb its backlinks, and — most importantly for reverse-proxy-fronted sites — what the real origin hosting provider is underneath a Cloudflare, Fastly, or Akamai frontend. The Sentinel DNS History Checker collects that timeline from free public sources and presents it in a single dated report.
Cloudflare is the world's most popular reverse proxy and CDN. When a domain switches to Cloudflare, its authoritative nameservers are replaced with something like miguel.ns.cloudflare.com and nia.ns.cloudflare.com, and its public A records resolve to Cloudflare edge IPs in the 104.16.0.0/12 or 172.64.0.0/13 range. The actual origin web server — whether that is Apache on a shared HostGator plan, nginx on a DigitalOcean droplet, LiteSpeed on Namecheap, or a Kubernetes ingress on AWS — is completely hidden from casual DNS lookups. Researchers, security teams, journalists, and competitive analysts have a legitimate need to identify that origin host: for bug-bounty scope validation, for trademark enforcement, for aged-domain evaluation, and for infrastructure research. The Sentinel DNS History Checker solves this by cross-referencing the dated historical NS and A records from public DNS history databases (whoisfreaks.com) against the archived HTTP response headers from the Wayback Machine. If the domain used ns1.wpdns.host on 2025-07-05 and miguel.ns.cloudflare.com on 2025-04-04, the timeline tells you exactly when the domain moved to and from Cloudflare — and the archived Server: LiteSpeed header from 2022 tells you what hosting stack was answering requests before the CDN was ever introduced.
A full DNS history report contains more than just NS records. Here is a reference table of the record types you will see in the timeline and what each one tells you about the domain's infrastructure.
| Record | Purpose | What it reveals in a DNS history |
|---|---|---|
| A | Maps a hostname to an IPv4 address | The actual IP the site was pointing at. A change from 207.246.71.210 (Vultr) to 104.21.32.1 (Cloudflare) is a classic "moved to CDN" signal. |
| AAAA | Maps a hostname to an IPv6 address | Same as A but for IPv6. Often reveals cloud providers (AWS, Google Cloud, Hetzner) that assign IPv6 by default. |
| NS | Authoritative nameservers for the domain | The single most important record for identifying the hosting provider. Nameserver hostnames are usually branded (ns1.hostgator.com, ns1.namecheaphosting.com, ns1.wpdns.host) so the registrable parent of the NS reveals the host. |
| SOA | Start Of Authority — primary nameserver + admin email | The Host field in SOA often matches the current primary NS. The Admin field reveals the hosting provider's contact domain (dnsadm.choopa.com = Vultr, dns.cloudflare.com = Cloudflare). |
| MX | Mail exchange servers | Tells you where the domain's email is routed. Google Workspace (aspmx.l.google.com), Microsoft 365 (-mail.protection.outlook.com), Zoho, ImprovMX, or self-hosted Postfix are all distinguishable from the MX history. |
| TXT | Arbitrary text records | Used for SPF, DKIM, DMARC, domain ownership verification, and site-verification strings. A google-site-verification=... record tells you the domain owner has a Google Search Console account; Facebook, Stripe, and Zoom verification strings work the same way. |
| SPF | Sender Policy Framework (email auth) | Shows which servers are authorized to send mail on behalf of the domain. include:_spf.google.com confirms Google Workspace; include:mailchannels.net confirms a LiteSpeed/cPanel-class shared host; include:amazonses.com confirms AWS SES. |
| CNAME | Canonical name alias | Points one hostname at another hostname. Common on subdomains pointing at SaaS products (shop.example.com → myshopify.com, help.example.com → zendesk.com). A CNAME history reveals which third-party services the domain has integrated over time. |
Modern bug-bounty programs scope their in-scope assets by domain, but most modern targets sit behind Cloudflare. Identifying the origin IP is the single biggest reconnaissance win: once you have a candidate origin, you can check whether the origin server is still reachable directly (bypassing Cloudflare's WAF), whether it exposes admin panels, and whether historical subdomains point at orphaned infrastructure. The Sentinel DNS History Checker gives you the pre-Cloudflare NS provider, the pre-Cloudflare A record IPs (when available), the full historical subdomain list from Certificate Transparency logs, and archived HTTP response headers — a complete free-tier passive reconnaissance workflow.
The used-domain market is flooded with domains that were registered in 1998 but parked for 20 years. A domain's registration date is meaningless on its own — what matters is whether it actually ran a real site, for how long, and what kind of site. Use the DNS history to confirm the seller's claims: a genuine aged domain should show 2–4 hosting-provider migrations over its lifetime, a steady year-by-year activity chart, and a meaningful certificate history. A zero-certificate domain with no NS changes and one parked-page snapshot per year is a dead domain, regardless of how old the registration date is.
When filing a UDRP complaint or a cease-and-desist letter, you need documentary evidence of when the infringing domain was registered, who was hosting it at each point in time, and whether the owner has flipped through multiple hosts to evade takedowns. The dated NS and A-record timeline is exactly the kind of evidence UDRP panellists and trademark lawyers use to establish bad-faith registration patterns. Every row in the Sentinel report links directly to the underlying source so the evidence is reproducible and citable.
Want to know which competitors are running on which infrastructure? Run their domains through the DNS history checker. You will learn whether they moved from shared hosting to a dedicated VPS (a growth signal), whether they switched from cPanel to Kubernetes (a re-platforming signal), whether their MX records moved from Google Workspace to Microsoft 365 (a merger or acquisition signal), and whether they added Cloudflare / Fastly / Akamai (an attack-mitigation or performance-scaling signal). DNS history is one of the cheapest sources of competitor intelligence available.
If you are investigating a phishing kit, a malware C2 domain, or a spam campaign, the DNS history tells you when the malicious infrastructure was stood up, which hosting provider looked the other way, and whether the attacker has reused previous infrastructure. Combined with CT-log subdomain enumeration, you can build a complete picture of the attacker's historical infrastructure without sending a single packet to their live servers.
Everything you see in this report is pulled from free, public, legal data sources. No API key is required. No paid passive-DNS feed. No SecurityTrails subscription. No DomainTools enterprise license. The tool is a front-end over several independently-verifiable public datasets.
Primary source for dated nameserver and A-record changes. Whoisfreaks operates a public historical DNS lookup at whoisfreaks.com/tools/dns/history/lookup/<domain> that serves dated record cards (NS, A, AAAA, SOA, MX, TXT, SPF) directly in the HTML response with no authentication. For any domain that has been indexed, you can see the exact date each record change was observed. This is the single most useful free source of dated DNS history on the public web.
Since 2018, every trusted certificate authority has been required to publish every certificate they issue to a public append-only log. crt.sh is the most popular frontend over those logs. We pull every certificate ever issued for any subdomain of the target, deduplicate by serial number, and produce a dated timeline of certificate activity plus a complete historical subdomain list (every hostname that ever appeared in a Subject Alternative Name). This alone is one of the most powerful OSINT data sources available — orders of magnitude more complete than passive DNS for subdomain enumeration.
We use the Wayback Machine's CDX API to get the total snapshot count, first/last capture dates, and year-by-year crawl activity for the target domain. We also fetch up to 10 archived raw HTTP responses via Wayback's id_ flavor URL, which returns the original response bytes (including the Server, X-Powered-By, Via, and CF-Ray headers) exactly as the origin server returned them. These archived headers are the most direct evidence possible of what hosting stack was answering requests at each point in time.
For the "Current live nameservers" and "Current A records" section, we perform a real-time recursive DNS lookup using Node's built-in DNS resolver. This is the ground truth for the domain's current state and is always fresh at the moment you press the button.
Honest limitations up front. The DNS history is only as deep as the public sources have indexed — domains that launched last week will have a thin history, domains hosted on private DNS (e.g. internal corporate networks) will have none, and domains whose public DNS has been rotated aggressively for obfuscation may have gaps. Passive DNS records come from public resolvers observing queries, so a domain that only ever received traffic from a handful of private resolvers may be under-represented. We cannot tell you the exact origin IP if the domain has been on Cloudflare continuously since its creation — in that case the origin has never been publicly exposed. We cannot identify infrastructure shared between multiple domains (e.g. which websites share a single VPS) from DNS alone; that requires reverse-IP lookups on the historical IPs we surface. Finally, the tool surfaces evidence, not conclusions — a nameserver matching ns1.hostgator.com is strong evidence the domain was on HostGator at that date, but the definitive confirmation would come from a whois on the historical IP range.
A DNS history checker is a tool that looks up the historical DNS records for a domain — NS (nameservers), A (IPv4 addresses), AAAA (IPv6), SOA (authoritative source), MX (mail), TXT, SPF, and CNAME — and presents them as a dated chronological timeline. Instead of just seeing the current state, you see every change: when the domain switched hosts, when it moved to Cloudflare, when its mail provider changed, when its SSL certificates were rotated. The Sentinel DNS History Checker is a free, no-signup version of this that also cross-references Certificate Transparency logs and archived HTTP response headers to give you the most complete free public history available for any domain.
Three ways, in order of reliability. (1) Dated historical NS records from whoisfreaks.com's public historical DNS database. If the domain used ns1.hostgator.com on 2023-04-12 and miguel.ns.cloudflare.com on 2024-11-03, the pre-Cloudflare nameserver is HostGator. (2) Historical A records, also dated. A change from a Vultr IP (207.246.x.x) to a Cloudflare edge IP (104.21.x.x) is a definitive "moved to Cloudflare" signal. (3) Archived HTTP response headers from the Wayback Machine. Before the domain moved to Cloudflare, the archived Server header might show LiteSpeed (shared hosting) or nginx with a specific pattern (DigitalOcean / Hetzner / custom VPS). All three are combined into the "Pre-Cloudflare Detected" banner at the top of the report.
Fully legal. The tool reads only publicly available data: (1) whoisfreaks.com's public historical DNS lookup page, which is openly accessible without authentication, (2) crt.sh Certificate Transparency logs, which every CA is required by industry policy to publish, (3) the Internet Archive's Wayback Machine, which exists specifically so anyone can look up archived public web pages, and (4) live recursive DNS, which is the same mechanism every web browser uses every time it loads a page. No authentication bypass, no vulnerability exploitation, no paid feed, no private data. Academic researchers, journalists, OSINT analysts, and security teams use these same sources every day.
If the domain launched directly on Cloudflare and never had a pre-Cloudflare host, you will see a "Cloudflare detected, no pre-Cloudflare evidence found" warning instead of the origin-reveal banner. We will not invent a fake origin. This is common for brand-new domains whose owner chose Cloudflare from day one, in which case the origin is whatever the Cloudflare customer is pointing their account at and no public DNS record would ever have captured it. In that situation, the most useful signals are the Certificate Transparency subdomains (which may include origin-specific hostnames like origin.example.com or direct.example.com that bypass the CDN) and the archived HTTP headers (which occasionally include Server strings from the origin if Wayback happened to capture a request that missed the Cloudflare cache).
Cloudflare is not a host in the traditional sense — it is a reverse proxy and CDN. The actual web server (Apache, Nginx, Node.js, Python/Django, whatever) runs on some other machine in some other data-center, owned by a real hosting provider (HostGator, SiteGround, DigitalOcean, Hetzner, Vultr, AWS, GCP, etc.) or on the domain owner's own infrastructure. That real host is what people mean by "the origin". The pre-Cloudflare NS record is the single best public hint at who that real host is, because before the domain moved to Cloudflare, the NS records pointed directly at the hosting provider's nameservers.
Yes. The historical A record timeline is part of the report. Each dated entry includes both the NS list and the A-record list from that date, so you can see exactly which IP the domain was pointing at when the nameservers changed. Combined with a reverse DNS lookup or a whois on the historical IP range, you can often confirm which hosting provider owned the server at each point in time.
The pre-Cloudflare NS and A records are exactly what bug-bounty hunters look for when a target is behind a CDN — they identify candidate origin IPs that might still be reachable directly, bypassing Cloudflare's WAF. Combine that with the historical subdomain list from Certificate Transparency (which often includes forgotten dev., staging., old., and origin. subdomains pointing at orphaned infrastructure) and you have a complete free-tier passive reconnaissance workflow. Use it within your authorized scope — we are not liable for misuse, but the tool itself is a standard OSINT resource.
Yes. The dated nameserver timeline with direct evidence links is admissible-quality research material for UDRP complaints, cease-and-desist drafting, trademark infringement reports, and brand-protection filings. You can document exactly when the infringing domain changed hosts, which is often key to showing bad-faith registration patterns or to identifying the responsible party. Every row in the report links to the underlying public source so the evidence is reproducible and citable.
Seven things. (1) The earliest-known date should match what the seller claims. (2) The NS timeline should show a plausible hosting-provider history — a legitimate aged domain usually has 2–4 host migrations, not zero. (3) Large gaps in the year-by-year activity chart mean the domain was parked for those years and has zero SEO value for them. (4) Historical subdomains containing "porn", "pharma", "casino", "replica", "warez", or "free-download" are red flags for a previous spam use that may have triggered a manual action in Google. (5) The first Wayback snapshot should show a legitimate site, not a parked page. (6) SSL certificate count should be proportional to the claimed age — a genuine 15-year-old domain should have dozens of certificates. (7) Run site:thedomain.com in Google — if an "aged" domain has zero indexed pages, it has been deindexed and is worthless for SEO regardless of the other signals.
It depends on which sources captured the domain. Whoisfreaks' historical database typically covers the last 2–5 years for actively-tracked domains, with variable depth depending on crawl frequency. Certificate Transparency logs go back to approximately 2013 for early-adopter CAs and are complete from 2018 onwards (mandatory publication). The Wayback Machine's snapshot history goes back to 1996 for popular sites and varies for long-tail domains. For a well-known domain you can expect meaningful history going back 10+ years. For obscure or newly-registered domains you may see only a handful of entries from the last year.
The historical timeline lists the most recent dated entry from the public DNS history database, which may be several weeks or months old depending on when the database was last updated. The "Current live nameservers" card runs a fresh DNS lookup at the moment you press the button. If they disagree, the live lookup is authoritative for what the domain uses right now, and the timeline shows what it used when the historical database was last updated. A disagreement often means the owner has just migrated — which is itself a useful signal.
Passive DNS is a specific data-collection methodology: DNS resolvers across the internet log the queries they answer, and the aggregated logs are published (either freely or commercially) as a searchable database. DNS history is the broader concept — any dated record of what the DNS looked like at a given time. Passive DNS is one input into a DNS history. Others include certificate logs, zone-file snapshots, historical whois records, and archived DNS-viewer pages. The Sentinel DNS History Checker uses all of these except commercial passive-DNS feeds, which require paid subscriptions to SecurityTrails, Farsight DNSDB, Spamhaus, or VirusTotal Enterprise.
No. Whois history shows who registered the domain — the registrant name, email, address, and registrar — and how those registration details have changed over time. DNS history shows which servers the domain was pointing at — nameservers, A records, mail servers, etc. The two are complementary: whois history tells you who controlled the domain, DNS history tells you where it was hosted. Many investigations need both, but this tool focuses specifically on the DNS side.
Partially. The historical NS and A records from whoisfreaks.com are keyed by registrable domain (example.com), not subdomain, because DNS delegation happens at the registered-domain level. However, the Certificate Transparency log section does surface every historical subdomain that ever had an SSL certificate issued — so while you cannot see when a specific subdomain's A record changed, you can confirm when it first appeared and when certificates were issued for it. For subdomain-level DNS history you would typically need a commercial passive-DNS feed.
Three possible reasons. (1) The domain is too new — if it was registered in the last few weeks, no historical database has indexed it yet. (2) The domain is private or internal — domains that never received public DNS queries will not appear in passive-DNS or certificate logs. (3) The public historical database does not cover that specific domain due to gaps in its crawl coverage. In all three cases, the Historical Hosting Fingerprint section (archived HTTP response headers from the Wayback Machine) is a reliable fallback that covers any domain the Internet Archive has ever crawled.
Yes. The historical DNS database, Certificate Transparency logs, and Wayback Machine are all TLD-agnostic. Coverage may be slightly thinner for obscure ccTLDs compared to .com / .net / .org, but the tool works for every public TLD. Nameserver deduplication correctly handles known multi-label ccTLDs (co.uk, com.au, co.in, co.jp, com.br, co.za, net.au, org.uk) so provider grouping is accurate for those TLDs.
Functionally similar, but those services charge $50–$500+ per month for commercial access to their historical DNS databases. The Sentinel DNS History Checker is completely free, requires no account, has no rate limit for normal interactive use, and combines multiple free public sources (whoisfreaks, crt.sh, Wayback Machine) to achieve roughly equivalent coverage for the most common investigation use cases. For enterprise-scale automated passive-DNS querying, the commercial services are still the right choice. For everyday research, reconnaissance, and investigation, this free tool answers the same questions.
Every lookup triggers a fresh fetch from whoisfreaks.com, crt.sh, the Wayback Machine CDX API, and a live recursive DNS query. We do not store or cache the results on our side — the whole report is generated on demand. This keeps the data current and avoids the staleness problems of tools that re-serve cached reports for days or weeks.
Not currently from within the UI. For now, use your browser's built-in "Save as PDF" or "Print" function on the results page, which will render the report as a standalone document with all the dated entries and evidence links preserved. A JSON / CSV export endpoint is on the roadmap for users who want to pipe the data into spreadsheets or automated workflows.
Hand-picked internal pages and external references from sources Google itself considers authoritative on this topic.