WHOIS discovery
The WHOIS discovery is a tool that helps you create DNS enumeration discoveries. It takes a domain name registered by an organization and queries the public WHOIS registry to obtain the name of the legal entity that registered it (the registrant), then searches for other domain names registered by the same organization.
To run a WHOIS discovery, go to Discoveries, then click Add. In the Domain names category, click WHOIS. You will then be prompted to enter one of your organization's domain names, such as “example.com”.
Once the search is performed, the discovery will list the domain names it found, and will let you select the ones you want to scan with a DNS enumeration discovery. The domain names that already have an associated DNS discovery will have their check box grayed out.
Limitations
The WHOIS discovery relies on administrative information rather than technical data, and is therefore not completely reliable. If your organization specified slightly different names when registering two of its domain names, the discovery may well fail to detect that both are owned by the same organization. Conversely, if two organizations with the same name each registered their own domain names, the WHOIS discovery could conclude that all of those domain names are owned by a single organization. Moreover, the reverse WHOIS lookup, that is, the search for domain names based on their registrant, is not a standard feature of the WHOIS protocol, and is not comprehensive.
Although this is rare for corporate domain names, domain names registered by individuals usually have their registration information anonymized. In that case, depending on the anonymization process, the discovery may return either no results or a list of domain names registered under the fictitious identity used for anonymization.
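The limitations above can be reproduced on a handful of records. The following is an added example, not the product's own matching logic: it groups constructed WHOIS excerpts by registrant organization, first by exact string and then by a normalized name. The field labels, legal-suffix list, privacy markers and the country-based homonym hint are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed WHOIS excerpts, not real registration data.
SAMPLE_WHOIS = {
    "example.com": "Registrant Organization: Example Corp.\nRegistrant Country: US\n",
    "example.net": "Registrant Organization: EXAMPLE CORPORATION\nRegistrant Country: US\n",
    "example.org": "Registrant Organization: Example Corp\nRegistrant Country: FR\n",
    "example.info": "Registrant Organization: REDACTED FOR PRIVACY\nRegistrant Country: US\n",
    "example.biz": "Registrant Name: Jane Doe\n",
}
LEGAL_SUFFIXES = {"corp", "corporation", "inc", "incorporated", "ltd", "limited", "llc"}
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "data protected")  # assumed list

def field(record, name):
    """Return the value of one 'Label: value' line, or '' if absent."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", record, re.M | re.I)
    return m.group(1).strip() if m else ""

def normalize(org):
    """Casefold, drop punctuation and trailing legal-form words."""
    words = re.sub(r"[^\w\s]", " ", org.casefold()).split()
    while words and words[-1] in LEGAL_SUFFIXES:
        words.pop()
    return " ".join(words)

def group_domains(records, normalized=True):
    """Group domains by registrant; set aside anonymized or empty ones."""
    groups, unusable = defaultdict(list), []
    for domain, record in sorted(records.items()):
        org = field(record, "Registrant Organization")
        if not org or any(m in org.casefold() for m in PRIVACY_MARKERS):
            unusable.append(domain)
            continue
        groups[normalize(org) if normalized else org].append(domain)
    return dict(groups), unusable

def possible_homonyms(records, groups):
    """Flag groups whose members disagree on country (a hint, not proof)."""
    out = {}
    for key, domains in groups.items():
        countries = {field(records[d], "Registrant Country") for d in domains}
        if len(countries) > 1:
            out[key] = sorted(countries)
    return out

if __name__ == "__main__":
    merged, skipped = group_domains(SAMPLE_WHOIS)
    print(merged, skipped, possible_homonyms(SAMPLE_WHOIS, merged))
```

Exact matching splits the three spellings into three owners, while normalization merges them but also pulls in a registrant from another country that may be a different organization with the same name. Review the proposed list before selecting domains for a DNS enumeration discovery.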