
Daily Threat Feeds user guide

Note

View the updated Threat Feeds documentation.

Introduction

You can access DomainTools daily threat feeds through the Download API. The table below describes each feed and provides a link to more information.

DomainTools offers the same feeds in real-time format. See the real-time threat feeds guide for more information.

As an alternative to the Download API, DomainTools can deliver feed data directly to your Amazon S3 bucket. For information about S3 delivery, see the S3 delivery section in the real-time threat feeds user guide.

The threat feeds often include risk scoring. See the domain risk score user guide for more information.

Feed endpoints

See the feed paths, response structures, and inclusion criteria below for additional details.

5-Min Domain WHOIS

GET Endpoint: 5_min_domain_whois, 5_min_domain_whois_parsed

The most recently registered or changed domains, processed on a 5-minute basis. Available as raw and parsed records.

5-Min IP WHOIS

GET Endpoint: 5_min_ip_whois, 5_min_ip_whois_parsed

The most recently updated IPv4 WHOIS records, processed on a 5-minute basis. Available as raw and parsed records.

Daily Domain Discovery

GET Endpoint: daily_domain_discovery

Daily feed of newly registered and newly observed domains.

Daily Domain Hotlist (AKA 'Threat Profile Proximity')

GET Endpoint: daily_domain_hotlist

Daily feed of high-risk domains that are observed to be active within a 24-hour time window. Requires: proximity score of 70+; Threat Profile score of 90+; pDNS activity within 24 hours.

Daily Domain Risk Feed

GET Endpoint: daily_domain_risk

Daily feed of high risk domains, regardless of observed traffic. Requires: Combined Risk score of 70+.

Daily IP Hotlist

GET Endpoint: daily_ip_hotlist

Daily feed of high-risk IP addresses hosting hostile domains that are observed to be active within a 24-hour time window, with risk scores and other enrichment data. Requires: more than 50% of domains on the IP have a proximity score of 70+ or a Threat Profile score of 90+; pDNS activity on malicious domains within 24 hours.

Daily Hosting IP Risk

GET Endpoint: daily_ip_risk

Daily feed of all IP addresses known to be hosting domains, with risk scores and other enrichment data. Requires: IP is actively hosting one or more domains (regardless of risk level).

Iris On-Prem

GET Endpoint: on_premise_v3

Iris Investigate On-Premise. Contact your DomainTools representative for more information.

Requirements

Accessing the threat feeds included in this document requires the following:

  • An Enterprise Account with DomainTools, which is accessible at https://account.domaintools.com/my-account/.
  • Authentication credentials for HMAC (preferred, more secure) or an API username and key. HMAC code examples are provided in the Appendix.
  • A way to interact with a REST API delivered through AWS CloudFront.

Please contact enterprisesupport@domaintools.com for assistance.

Authentication

Hash-based message authentication code (HMAC)

HMAC authentication is a secure alternative to API key-based methods. It requires signing each request with a SHA1 HMAC digest derived from your API secret, providing integrity and authenticity without exposing credentials directly in the request.

This method is recommended for systems where authentication credentials should not be stored in plain text or included directly in request URLs.

DomainTools supports MD5, SHA1, and SHA256 for the hashing algorithm.

Required HMAC parameters

api_username

Type: string (required)

YOUR_API_USERNAME

signature

Type: string (required)

HMAC-SHA1 signature of api_username, timestamp, and request path

timestamp

Type: string (required)

ISO 8601 formatted UTC time (e.g., 2025-06-01T15:30:00Z)

Constructing the HMAC signature

Compute the HMAC signature as follows:

signature = HMAC_SHA1(api_key, api_username + timestamp + uri_path)
  • api_key: Your secret API key.
  • api_username: Your DomainTools API username.
  • timestamp: UTC timestamp in ISO 8601 format.
  • uri_path: The request URI path, e.g., /v1/feed/nod/.
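An added worked example (not the Appendix code the guide refers to, and not DomainTools' own client) that computes the signature exactly as defined above and builds a signed request URL. The key, username and timestamp are constructed placeholders; the feed path follows the base URL documented later in this guide, and any extra query parameters (prefix, limit, page, app_name) are appended unsigned because the signed message covers only username, timestamp and URI path.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

# Hash functions the guide lists as supported for the HMAC signature.
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def iso8601_utc(now: Optional[datetime] = None) -> str:
    """UTC timestamp in the ISO 8601 form the guide shows (e.g. 2025-06-01T15:30:00Z)."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%SZ")


def hmac_signature(api_key: str, api_username: str, timestamp: str,
                   uri_path: str, algorithm: str = "sha1") -> str:
    """signature = HMAC(api_key, api_username + timestamp + uri_path), hex encoded.

    The secret key is used only as HMAC key material; only the digest is sent.
    """
    message = (api_username + timestamp + uri_path).encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), message, DIGESTS[algorithm]).hexdigest()


def signed_download_url(api_key: str, api_username: str, feed: str,
                        timestamp: Optional[str] = None, algorithm: str = "sha1",
                        **query) -> str:
    """Build https://api.domaintools.com/v1/download/{feed}/?... with the HMAC parameters.

    Keyword arguments such as prefix, limit, page or app_name are appended as
    ordinary query parameters; they are not covered by the signature.
    """
    uri_path = f"/v1/download/{feed}/"
    timestamp = timestamp or iso8601_utc()
    params = {
        "api_username": api_username,
        "timestamp": timestamp,
        "signature": hmac_signature(api_key, api_username, timestamp, uri_path, algorithm),
    }
    params.update(query)
    return "https://api.domaintools.com" + uri_path + "?" + urlencode(params)


def signature_is_valid(api_key: str, api_username: str, timestamp: str, uri_path: str,
                       presented: str, algorithm: str = "sha1") -> bool:
    """Recompute the signature and compare in constant time (useful for self-checks and proxies)."""
    expected = hmac_signature(api_key, api_username, timestamp, uri_path, algorithm)
    return hmac.compare_digest(expected, presented.lower())


if __name__ == "__main__":
    # CONSTRUCTED_KEY / example_user are placeholders, not real credentials.
    print(signed_download_url("CONSTRUCTED_KEY", "example_user", "daily_domain_hotlist",
                              prefix="20250624", limit=10, page=3))
```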

API key (header) authentication

Authenticate your requests by including the API key in the header of each HTTP request. The API key serves as a unique identifier and authenticates your requests.

Required API key authentication parameter

X-Api-Key

Type: string (required)

YOUR_API_KEY

Example request with API key authentication

curl -H 'X-Api-Key: YOUR_API_KEY' 'https://api.domaintools.com/v1/download/nod/'

Open key authentication

This is the easiest authentication scheme to implement, but also the least secure. Refer to the hash-based message authentication code (HMAC) section of this document to configure the more secure authentication method, or contact enterprisesupport@domaintools.com for help.

Open key parameters

api_username

Type: string (required)

Your API username

api_key

Type: string (required)

Your API key

Endpoints and parameters

Base URL

api.domaintools.com/v1/download/{feed}/

See the feed paths, response structures, and inclusion criteria below for additional details.

Feed path parameters

5_min_domain_whois, 5_min_domain_whois_parsed

5-Min Domain WHOIS

5_min_ip_whois, 5_min_ip_whois_parsed

5-Min IP WHOIS

daily_domain_discovery

Daily Domain Discovery

daily_domain_hotlist

Daily Domain Hotlist

daily_domain_risk

Daily Domain Risk Feed

daily_ip_hotlist

Daily IP Hotlist

daily_ip_risk

Daily Hosting IP Risk

on_premise_v3, on_premise_v3_full

Iris On-Prem

Common query parameters

api_key

Type: string (required for key auth)

API key provided by DomainTools, dashes included

api_username

Type: string (required)

API username provided by DomainTools

app_name

Type: string (optional)

Name of your appliance, playbook, module, etc., or in combination. Useful to help with debugging

app_partner

Type: string (optional)

Your product name. Useful to help debugging

app_version

Type: string (optional)

Your version number. Useful to help with debugging

limit

Type: integer (optional)

Limits the list of signed files. Files are always ordered descending, so the latest files come first. Large reports like 5_min_parsed_whois can have over 2k files (5-minute files for 7 days). With the limit parameter, clients can restrict the lookup to an arbitrary number (integer) of files. Use with prefix and page (see note below)

page

Type: integer (optional)

Select which page of results is returned. Pages begin at 0 with the latest results. Use with limit and prefix (see note below)

prefix

Type: string (optional)

Filter results by date using the file prefix. Use with page and limit to control results (see note below)

signature

Type: string (required for HMAC auth)

HMAC hash of your request, using the MD5, SHA1, or SHA256 hashing algorithm

timestamp

Type: string (required for HMAC auth)

Current timestamp for HMAC authentication, in ISO 8601 format. (e.g. 2025-01-10T15:44:39.118Z)

Using page, prefix, and limit to Control Results

Use prefix to filter returned files by their date, using the filename prefix. For higher volume feeds, this will permit calling results from 7 days in the past. Filename prefixes vary by feed. For example:

  • on_premise_v3 begins with DATA_YYYYMMDD and can be filtered by day with ?prefix=DATA_20250623
  • 5_min_domain_whois begins with YYYYMMDDHHMM and can be filtered by date and hour with ?prefix=2025062420

Use limit to set the number of files in each response; this also works after the prefix has limited the data return. Most recent results are returned first.

Use page to set which page of results is returned. Pages begin at 0, and the server returns an HTTP 404 (No data to download.) message when the requested page is greater than the last page of results.

Here is an API call (for use with header authentication) that uses all three parameters. It filters for results from 24 June 2025, sets the number of files per page to 10, and requests the fourth page of results (as results begin at page 0):

https://api.domaintools.com/v1/download/5_min_domain_whois/?prefix=20250624&limit=10&page=3

Information about the filename prefixes for each feed is specified with other feed information below.

Common response parameters

download_name

Type: string

The feed path of the download.

Example: 5_min_domain_whois, 5_min_domain_whois_parsed, 5_min_ip_whois, 5_min_ip_whois_parsed, daily_domain_discovery, daily_domain_hotlist, daily_domain_risk, daily_ip_hotlist, daily_ip_risk

etag

Type: string

Entity tag (a hash of the download file).

Example: "581f447bd45bee5ef695if63aa37f256" (the surrounding quotes are part of the value)

last_modified

Type: string

Last modified date of the file in ISO 8601 format.

Example: 2024-07-05T17:27:18+00:00

name

Type: string

The feed directory and file name of the feed file

Example: domain_discovery/NEW_DOMAINS_20240704.csv.gz

size

Type: string

Size in kilobytes (KB) of the download file. Note that the example responses and the Verify downloaded files section below treat this value as a byte count.

url

Type: string

Signed AWS CloudFront download URL

Query example

api.domaintools.com/v1/download/daily_ip_risk/?api_username=YOUR_API_USERNAME&api_key=YOUR_API_KEY

Response example

In response, api.domaintools.com returns a download payload with either a single signed CloudFront URL or an array of signed CloudFront URLs. URLs are valid for 12 hours and can be regenerated. For example:

{
    "response": {
        "download_name": "daily_ip_risk",
        "files": [
            {
                "name": "daily_ip_risk/ip_fulllist.gz",
                "last_modified": "2024-11-12T21:32:43+00:00",
                "etag": "\"ETAG\"",
                "size": "197407887",
                "url": "https://d2mzrdiuqyylox.cloudfront.net/daily_ip_risk/ip_fulllist.gz?Expires=1731562356&SIG&Key-Pair-Id=KEYPAIRID"
            }
        ]
    }
}
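An added example (not DomainTools code) that ties the prefix/limit/page parameters together with the download payload structure shown above: it builds the listing URL, walks pages from 0 until the API answers 404, and validates each files[] entry against the documented fields. Authentication is left to the caller (add the X-Api-Key header or the HMAC parameters), and the API is stood in for by a constructed fetcher that serves two one-file pages and then 404.

```python
import json
from typing import Callable, List, NamedTuple, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://api.domaintools.com/v1/download/"


class FeedFile(NamedTuple):
    name: str           # feed directory + file name, e.g. daily_ip_risk/ip_fulllist.gz
    last_modified: str  # ISO 8601
    etag: str           # entity tag with the surrounding quotes stripped
    size: int           # the API sends this as a string; converted here
    url: str            # signed CloudFront URL, valid for 12 hours


def listing_url(feed: str, prefix: Optional[str] = None,
                limit: Optional[int] = None, page: Optional[int] = None) -> str:
    """Build the listing URL; authentication is added by the caller."""
    params = {k: v for k, v in (("prefix", prefix), ("limit", limit), ("page", page))
              if v is not None}
    url = f"{BASE_URL}{feed}/"
    return f"{url}?{urlencode(params)}" if params else url


def parse_listing(body: str) -> List[FeedFile]:
    """Turn a download payload into FeedFile records; reject entries missing documented fields."""
    files = json.loads(body)["response"]["files"]
    out: List[FeedFile] = []
    for entry in files:
        missing = [k for k in ("name", "last_modified", "etag", "size", "url") if k not in entry]
        if missing:
            raise ValueError(f"file entry {entry.get('name')!r} lacks {missing}")
        out.append(FeedFile(entry["name"], entry["last_modified"], entry["etag"].strip('"'),
                            int(entry["size"]), entry["url"]))
    return out


# A fetcher takes a full URL and returns (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


def list_all_files(fetch: Fetcher, feed: str, prefix: Optional[str] = None,
                   limit: int = 10, max_pages: int = 10_000) -> List[FeedFile]:
    """Walk pages 0, 1, 2, ... until the API answers 404 ("No data to download.")."""
    collected: List[FeedFile] = []
    for page in range(max_pages):
        status, body = fetch(listing_url(feed, prefix, limit, page))
        if status == 404:          # past the last page: the normal end of iteration
            break
        if status != 200:
            raise RuntimeError(f"page {page}: unexpected HTTP {status}")
        collected.extend(parse_listing(body))
    return collected


# Constructed stand-in for the API: two pages of one file each, then 404.
CONSTRUCTED_PAGES = [
    [{"name": "5_min_domain_whois/202506242000.gz", "last_modified": "2025-06-24T20:05:11+00:00",
      "etag": "\"ETAG0\"", "size": "2048", "url": "https://example.invalid/signed/0"}],
    [{"name": "5_min_domain_whois/202506241955.gz", "last_modified": "2025-06-24T20:00:09+00:00",
      "etag": "\"ETAG1\"", "size": "1024", "url": "https://example.invalid/signed/1"}],
]


def constructed_fetch(url: str) -> Tuple[int, str]:
    page = int(parse_qs(urlparse(url).query).get("page", ["0"])[0])
    if page >= len(CONSTRUCTED_PAGES):
        return 404, "No data to download."
    payload = {"response": {"download_name": "5_min_domain_whois", "files": CONSTRUCTED_PAGES[page]}}
    return 200, json.dumps(payload)


if __name__ == "__main__":
    for f in list_all_files(constructed_fetch, "5_min_domain_whois", prefix="20250624", limit=1):
        print(f.name, f.size, f.last_modified)
```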

Feed paths, response structures, and inclusion criteria

Daily domain hotlist

The Daily Domain Hotlist is also available in RPZ format. See the RPZ documentation for more information.

Description

Daily feed of high-risk domains that are observed to be active within a 24-hour time window.

The Daily Domain Hotlist is available in multiple variants, each filtered by different Domain Risk Score thresholds. All variants require passive DNS activity within 24 hours.

Inclusion threshold

Varies by variant. See Daily domain hotlist files section below.

Format

Tab-separated text file (gzipped); one domain per line with component risk scores.

Example line:

example.com 75  85  88  99

Fields are: Domain Name, Phishing, Malware, Spam, Proximity (tab-separated).

Size

~900,000 domains, ~3.5MB compressed.

Daily domain hotlist endpoint

api.domaintools.com/v1/download/daily_domain_hotlist/

See common query parameters for more details about how to construct your request.

Daily domain hotlist file contents

Each line in the file contains the following tab-separated fields:

  • Domain Name: The apex-level domain
  • Phishing: Machine learning classifier prediction for phishing (0-100)
  • Malware: Machine learning classifier prediction for malware (0-100)
  • Spam: Machine learning classifier prediction for spam (0-100)
  • Proximity: Indicates shared registration or infrastructure with known-bad domains (0-100)

For detailed information about these risk scores, see the Domain Risk Score user guide.

Daily domain hotlist files

The Daily Domain Hotlist is available in five variants, filtered by Domain Risk Score thresholds:

  • 90s.domainhotlist.gz: Domains with Proximity ≥ 70 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
  • 95s.domainhotlist.gz: Domains with Proximity ≥ 85 OR (Malware Risk ≥ 95 AND Phishing Risk ≥ 95)
  • 99s.domainhotlist.gz: Domains with Proximity ≥ 85 OR (Malware Risk ≥ 99 AND Phishing Risk ≥ 99)
  • 1k.domainhotlist.gz: Top 1,000 highest-risk domains with Proximity ≥ 75 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
  • 100k.domainhotlist.gz: Top 100,000 highest-risk domains with Proximity ≥ 75 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
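An added example (not DomainTools code) that parses the tab-separated hotlist lines described above and applies the per-variant inclusion thresholds listed in this section, so a downloaded file can be re-filtered locally or a single record checked against each variant. The feed bytes are constructed inline; for 1k and 100k only the threshold half of the rule is modelled, since the Top-N ranking is applied by DomainTools.

```python
import gzip
import io
from typing import Iterator, List, NamedTuple


class HotlistRecord(NamedTuple):
    domain: str      # apex-level domain
    phishing: int    # 0-100
    malware: int     # 0-100
    spam: int        # 0-100
    proximity: int   # 0-100


# (Proximity threshold, Malware-and-Phishing threshold) per variant, taken from the
# "Daily domain hotlist files" list. 1k/100k additionally keep only the top N
# domains; that ranking step is DomainTools' and is not reproduced here.
VARIANT_THRESHOLDS = {
    "90s": (70, 90), "95s": (85, 95), "99s": (85, 99), "1k": (75, 90), "100k": (75, 90),
}


def parse_hotlist_line(line: str) -> HotlistRecord:
    """Parse 'Domain<TAB>Phishing<TAB>Malware<TAB>Spam<TAB>Proximity'; reject malformed lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 5:
        raise ValueError(f"expected 5 tab-separated fields, got {len(parts)}: {line!r}")
    domain, *raw_scores = parts
    scores = [int(s) for s in raw_scores]
    if any(not 0 <= s <= 100 for s in scores):
        raise ValueError(f"score outside 0-100 in {line!r}")
    return HotlistRecord(domain.strip(), *scores)


def iter_hotlist(gz_bytes: bytes) -> Iterator[HotlistRecord]:
    """Stream records out of a gzipped hotlist file held in memory."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                yield parse_hotlist_line(line)


def meets_variant(rec: HotlistRecord, variant: str) -> bool:
    """Proximity >= P OR (Malware >= M AND Phishing >= M), with (P, M) per variant."""
    prox_min, ml_min = VARIANT_THRESHOLDS[variant]
    return rec.proximity >= prox_min or (rec.malware >= ml_min and rec.phishing >= ml_min)


def filter_variant(gz_bytes: bytes, variant: str) -> List[str]:
    return [rec.domain for rec in iter_hotlist(gz_bytes) if meets_variant(rec, variant)]


# Constructed sample feed: the guide's example line plus three made-up records.
CONSTRUCTED_FEED = gzip.compress((
    "example.com\t75\t85\t88\t99\n"        # Proximity 99: every variant
    "ml-high.example\t96\t97\t3\t40\n"     # Malware 97 / Phishing 96: 90s and 95s, not 99s
    "one-sided.example\t10\t95\t5\t20\n"   # Malware high but Phishing low: no variant
    "benign.example\t2\t1\t0\t5\n"         # no variant
).encode("utf-8"))


if __name__ == "__main__":
    for variant in ("90s", "95s", "99s"):
        print(variant, filter_variant(CONSTRUCTED_FEED, variant))
```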

Daily domain risk feed

Description

Daily feed of high risk domains, regardless of observed traffic.

Inclusion threshold

Combined Risk score of 70+.

Format

Tab separated text files (gzipped); one domain per line with component risk scores.

Size

~30 million domains, ~400MB compressed.

Daily domain risk feed endpoint

api.domaintools.com/v1/download/daily_domain_risk/

See common query parameters for more details about how to construct your request.

Daily domain risk feed response fields

Domain Name

Pinpoint spoof or otherwise suspicious domain names

Phishing

Machine learning classifier prediction for phishing

Malware

Machine learning classifier prediction for malware

Spam

Machine learning classifier prediction for spam

Proximity

Indicates shared registration or infrastructure with known-bad domains

Overall

Equals highest of the component scores, the "combined" score

Daily domain risk feed files

domain_risk_feed/threat_profile_proximity.gz

Daily domain discovery

Description

Daily feed of newly registered and newly observed domains.

Inclusion threshold

Newly observed or registered.

Format

gzip-compressed csv file; one domain name per line.

Size

~375,000 domains, ~2.5MB compressed.

Daily domain discovery endpoint

api.domaintools.com/v1/download/daily_domain_discovery/

See common query parameters for more details about how to construct your request.

Daily domain discovery response fields

One domain name per line.

Daily domain discovery files

NEW_DOMAINS_YYYYMMDD

Daily IP hotlist

Description

Daily feed of high-risk IP addresses hosting hostile domains that are observed to be active within a 24-hour time window, with risk scores and other enrichment data.

Inclusion threshold

More than 50% of domains on the IP have proximity score of 70+ or Threat Profile score of 90+; pDNS activity on malicious domains within 24 hours.

Format

zip-compressed tab separated text file; one IPv4 per line with percentages of phishing, malware, and spam metrics for domains hosted in the IP.

Size

40-50,000 IP addresses, ~1MB compressed.

Daily IP hotlist endpoint

api.domaintools.com/v1/download/daily_ip_hotlist/

See common query parameters for more details about how to construct your request.

Daily IP hotlist response fields

Each line in the file contains the following fields:

  • ip: IP that has www/apex domains pointing to it
  • pdns_resolutions: how many domains were seen on the IP in the last 24 hours
  • bad_pdns_resolutions: how many confirmed bad domains were seen on the IP in the last 24 hours (used to create the hotlist with a filter)
  • total_domains: total number of domains seen on this IP in the last 7 days
  • third_party_threats: number of domains on the IP that are confirmed with any threat on a 3rd party intel feed
  • allthreats_combined_percent: percentage of domains that are confirmed or predicted malicious
  • combined_phishing_percent: percentage of domains confirmed or predicted as phishing
  • combined_malware_percent: percentage of domains confirmed or predicted as malware
  • combined_spam_percent: percentage of domains confirmed or predicted as spam
  • asn: the IP's ASN (i.e. routing provider)
  • organization: organization associated with the IP range, based on Geo Data Partner
  • city: city based on IP Geo Data Partner
  • region: region based on IP Geo Data Partner
  • country: country based on IP Geo Data Partner
  • latitude: coordinates
  • longitude: coordinates
  • allthreats_combined_count: number of confirmed or predicted domains on a 3rd party intel feed or Threat Profile
  • malicious_phishing: number of malicious phishing domains on 3rd party intel feeds
  • malicious_malware: number of malicious malware domains on 3rd party intel feeds
  • malicious_spam: number of malicious spam domains on 3rd party intel feeds
  • compromised_phishing: number of compromised phishing domains on 3rd party intel feeds
  • compromised_malware: number of compromised malware domains on 3rd party intel feeds
  • compromised_spam: number of compromised spam domains on 3rd party intel feeds
  • predicted_phishing: number of domains (with no confirmed threat) that we predict as phishing
  • predicted_malware: number of domains (with no confirmed threat) that we predict as malware
  • predicted_spam: number of domains (with no confirmed threat) that we predict as spam
  • allthreats_percent: percentage of domains including all threat types
  • percent_phishing: percentage of domains that are confirmed phishing
  • percent_malware: percentage of domains that are confirmed malware
  • percent_spam: percentage of domains that are confirmed spam
  • zerolist_domains: number of zero-listed domains seen on this IP
  • zerolist_ip: indicates whether this IP is zero-listed (e.g. a CDN)

Daily IP hotlist files

ip_hotlist.gz

Daily hosting IP risk feed

Description

Daily feed of all IP addresses known to be hosting domains, with risk scores and other enrichment data.

Inclusion threshold

IP is actively hosting one or more domains (regardless of risk level).

Format

gzip-compressed tab separated text file; one IPv4 per line with additional fields (consult the full entry).

Size

15-20 million IP addresses, ~200MB compressed.

Daily hosting IP risk feed endpoint

api.domaintools.com/v1/download/daily_ip_risk/

See common query parameters for more details about how to construct your request.

Daily hosting IP risk feed response fields

Each line in the file contains the following fields:

  • ip: IP that has www/apex domains pointing to it
  • pdns_resolutions: how many domains were seen on the IP in the last 24 hours
  • bad_pdns_resolutions: how many confirmed bad domains were seen on the IP in the last 24 hours (used to create the hotlist with a filter)
  • total_domains: total number of domains seen on this IP in the last 7 days
  • third_party_threats: number of domains on the IP that are confirmed with any threat on a 3rd party intel feed
  • allthreats_combined_percent: percentage of domains that are confirmed or predicted malicious
  • combined_phishing_percent: percentage of domains confirmed or predicted as phishing
  • combined_malware_percent: percentage of domains confirmed or predicted as malware
  • combined_spam_percent: percentage of domains confirmed or predicted as spam
  • asn: the IP's ASN (i.e. routing provider)
  • organization: organization associated with the IP range, based on Geo Data Partner
  • city: city based on IP Geo Data Partner
  • region: region based on IP Geo Data Partner
  • country: country based on IP Geo Data Partner
  • latitude: coordinates
  • longitude: coordinates
  • allthreats_combined_count: number of confirmed or predicted domains on a 3rd party intel feed or Threat Profile
  • malicious_phishing: number of malicious phishing domains on 3rd party intel feeds
  • malicious_malware: number of malicious malware domains on 3rd party intel feeds
  • malicious_spam: number of malicious spam domains on 3rd party intel feeds
  • compromised_phishing: number of compromised phishing domains on 3rd party intel feeds
  • compromised_malware: number of compromised malware domains on 3rd party intel feeds
  • compromised_spam: number of compromised spam domains on 3rd party intel feeds
  • predicted_phishing: number of domains (with no confirmed threat) that we predict as phishing
  • predicted_malware: number of domains (with no confirmed threat) that we predict as malware
  • predicted_spam: number of domains (with no confirmed threat) that we predict as spam
  • allthreats_percent: percentage of domains including all threat types
  • percent_phishing: percentage of domains that are confirmed phishing
  • percent_malware: percentage of domains that are confirmed malware
  • percent_spam: percentage of domains that are confirmed spam
  • zerolist_domains: number of zero-listed domains seen on this IP
  • zerolist_ip: indicates whether this IP is zero-listed (e.g. a CDN)

Daily hosting IP risk feed files

ip_fulllist.gz

Daily 5-minute domain WHOIS feed

Description

The most recently updated domain WHOIS records, processed on a 5-minute basis.

Inclusion threshold

All domain names processed since the previous update.

Format

gzip-compressed tab separated or JSON text file.

Size

Up to 10MB per day.

Daily 5-minute domain WHOIS feed endpoint

api.domaintools.com/v1/download/5_min_domain_whois/
api.domaintools.com/v1/download/5_min_domain_whois_parsed/

See common query parameters for more details about how to construct your request.

Daily 5-minute domain WHOIS feed response fields

Domain WHOIS Response Fields
Domain name
Parse success (y/n)
Server (WHOIS)
Lookup Date
Lookup Time
Create Date
Updated Date
Expires Date
Registrar Name
Registrar Abuse Contact: Phone
Registrar Abuse Contact: Email
Registrar IANA ID
Registrar URL
Registrar WHOIS Server
Admin Name
Admin Org
Admin Street
Admin City
Admin State/Province
Admin Postal Code
Admin Country
Admin Phone
Admin Fax
Admin Email
Billing Name
Billing Org
Billing Street
Billing City
Billing State/Province
Billing Postal Code
Billing Country
Billing Phone
Billing Fax
Billing Email
Registrant Name
Registrant Org
Registrant Street
Registrant City
Registrant State/Province
Registrant Postal Code
Registrant Country
Registrant Phone
Registrant Fax
Registrant Email
Technical Name
Technical Org
Technical Street
Technical City
Technical State/Province
Technical Postal Code
Technical Country
Technical Phone
Technical Fax
Technical Email
Name Server
Registrar Status
Raw WHOIS Data Blob

Daily 5-minute domain WHOIS feed files

  • YYYYMMDDTTTT.json.gz = the parsed feed file
  • YYYYMMDDTTTT.gz = the raw/unparsed feed file

Daily 5-minute IP WHOIS feed

Description

The most recently updated IP WHOIS records, processed on a 5-minute basis.

Inclusion threshold

All IP addresses processed since the previous update.

Format

gzip-compressed tab separated or JSON text file.

Size

Up to 10MB per day.

Daily 5-minute IP WHOIS feed endpoint

api.domaintools.com/v1/download/5_min_ip_whois/
api.domaintools.com/v1/download/5_min_ip_whois_parsed/

See common query parameters for more details about how to construct your request.

Daily 5-minute IP WHOIS feed response fields

IP WHOIS Response Fields
RIR queried
Net Range
CIDR
Net Name
Net Handle
Parent
Net Type
Origin AS
Organization
RegDate
Updated
Org Name
Org ID
City
State
Postal Code
Country
RegDate
Updated
Ref
Referral Server
OrgAbuseHandle
OrgAbuseName
OrgAbusePhone
OrgAbuseEmail
OrgAbuseRef
OrgTechHandle
OrgTechName
OrgTechPhone
OrgTechEmail
OrgTechRef
OrgNOCHandle
OrgNOCName
OrgNOCPhone
OrgNOCEmail
OrgNOCRef
Comments
Raw IP WHOIS data blob

Daily 5-minute IP WHOIS feed files

  • YYYYMMDDTTTT.json.gz = the parsed feed file
  • YYYYMMDDTTTT.gz = the raw/unparsed feed file

Troubleshooting

Verify downloaded files

When you download a file, verify that the download is complete and matches the expected file. The API response includes size and content_hash values that you can use for verification.

The size value represents the file size in bytes, and the content_hash value contains an MD5 hash of the file. Compare these values with your downloaded file to confirm the integrity of your download.

Verify file size and checksum

  1. Make an API request to get the file information:

    curl -H 'X-Api-Key: YOUR_API_KEY' \
      'https://api.domaintools.com/v1/download/daily_domain_hotlist/'
    
  2. Review the response to identify the size and content_hash values for the file you want to download:

    {
      "response": {
        "download_name": "daily_domain_hotlist",
        "files": [
          {
            "name": "daily_domain_hotlist/99s.domainhotlist.gz",
            "last_modified": "2025-10-28T20:03:01+00:00",
            "etag": "\"2146e25fdacda7c419993eae24744169\"",
            "size": "31709870",
            "url": "SIGNED_URL",
            "content_hash": "2146e25fdacda7c419993eae24744169"
          }
        ]
      }
    }
    
  3. Download the file using the signed URL:

    curl -o "20251028-domain_hotlist-99s.gz" "SIGNED_URL"
    
  4. Check the file size in bytes:

    ls -la 20251028-domain_hotlist-99s.gz
    

    The output shows the file size in bytes. For example:

    -rw-r--r--  1 username  usergroup  31709870 Oct 29 16:19 20251028-domain_hotlist-99s.gz
    

    Verify that this size matches the size value from the API response (31709870).

  5. Calculate the MD5 checksum of the downloaded file:

    md5sum 20251028-domain_hotlist-99s.gz
    

    Or on macOS:

    md5 20251028-domain_hotlist-99s.gz
    

    The output shows the MD5 hash. For example:

    2146e25fdacda7c419993eae24744169  20251028-domain_hotlist-99s.gz
    

    Verify that this hash matches the content_hash value from the API response (without the surrounding quotes).

  6. If both the file size and MD5 checksum match, your download is complete and correct.
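The six steps above, as an added example (not DomainTools code) that automates them: it streams the downloaded file through MD5 so multi-hundred-megabyte feeds are never held in memory, compares size and content_hash from the listing entry, and reports each mismatch separately so the details Enterprise Support asks for are already in hand. The sample file and its listing entry are constructed; the hash is the standard MD5 of the bytes "abc".

```python
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple, Tuple


class Verification(NamedTuple):
    ok: bool
    actual_size: int
    actual_md5: str
    problems: List[str]   # empty when the download is complete and correct


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 in 1 MiB chunks (feeds can be hundreds of MB)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, file_entry: Dict[str, str]) -> Verification:
    """Compare a downloaded file with the size and content_hash of its response.files entry.

    size arrives as a string of bytes; content_hash is an MD5 hex digest, which is
    compared without any surrounding quotes, as the troubleshooting steps describe.
    """
    problems: List[str] = []
    actual_size = os.path.getsize(path)
    actual_md5 = md5_of_file(path)

    expected_size = int(file_entry["size"])
    if actual_size != expected_size:
        problems.append(f"size mismatch: expected {expected_size} bytes, got {actual_size}")

    if "content_hash" in file_entry:
        expected_md5 = file_entry["content_hash"].strip('"').lower()
        if actual_md5 != expected_md5:
            problems.append(f"md5 mismatch: expected {expected_md5}, got {actual_md5}")
    else:
        problems.append("listing entry has no content_hash; only the size was checked")

    return Verification(not problems, actual_size, actual_md5, problems)


def constructed_sample() -> Tuple[str, Dict[str, str]]:
    """Write a constructed 3-byte file and return it with a matching listing entry."""
    fd, path = tempfile.mkstemp(suffix=".gz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"abc")
    entry = {"name": "daily_domain_hotlist/constructed.gz", "size": "3",
             "content_hash": "\"900150983cd24fb0d6963f7d28e17f72\""}
    return path, entry


if __name__ == "__main__":
    sample_path, sample_entry = constructed_sample()
    result = verify_download(sample_path, sample_entry)
    print("OK" if result.ok else "FAILED", result.problems)
    os.remove(sample_path)
```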

What to do if verification fails

If the file size or MD5 checksum don't match the expected values:

  1. Try downloading the file again. Temporary network issues might have interrupted the download.
  2. Verify that you're using the correct signed URL from the API response.
  3. If the issue persists, contact Enterprise Support and include the following information:
    • The feed name and file name
    • The signed URL used
    • The API response showing the expected size and content_hash values
    • The actual file size and MD5 checksum you calculated
    • The date and time of the download attempt
Last modified: Oct 21, 2025