IP History

IP history refers to the record of past IP addresses that have been associated with a specific domain name or hostname over time. This historical data is often collected from DNS records, passive DNS databases, and other network intelligence sources.

---

Purpose & Uses

1. Infrastructure Tracking

   • Identify how a website or service’s hosting has changed over time.

   • Reveal migration between hosting providers or CDNs.

2. Cybersecurity & Threat Intelligence

   • Investigate past malicious activity tied to an IP previously used by a target domain.

   • Detect possible compromises or temporary hijacking.

3. Incident Response

   • Correlate a security event with the hosting history of a domain.

   • Find related domains that used the same historical IPs.

4. OSINT & Digital Forensics

   • Track infrastructure relationships between seemingly unrelated websites.

   • Map threat actor infrastructure over time.

---

How It Works

1. Passive DNS Data Collection

   • Security companies and researchers record DNS resolutions over time.

   • Example: example.com → 203.0.113.25 (Jan 2024), then → 198.51.100.42 (Mar 2024).

2. IP Address Timeline

   • Historical lookups provide a list of IP addresses with associated timeframes.

3. Cross-Referencing

   • Past IPs can be checked for reputation, abuse history, or ownership changes.

---

Cybersecurity Perspective

Why it matters in security:

• Malware hosting rotation: Malicious domains often change IPs frequently to evade detection.

• Shared infrastructure: Multiple phishing domains may share the same past IP.

• Attribution: Threat actors reusing old IP ranges can be linked to past campaigns.

Pentesting & Threat Hunting Tips:

• Use services like RiskIQ PassiveTotal, SecurityTrails, ViewDNS, or DNSDB.

• Compare IP history of multiple domains to find overlaps.

• Watch for sudden shifts to bulletproof hosting or suspicious ISPs.

---

Example