
Threat Feeds

Proactive cybersecurity through curated lists of malicious and suspicious infrastructure indicators.

Threat Feeds deliver real-time intelligence directly to your security tools, enabling you to block threats before they cause harm. Instead of waiting to react to an attack, you can integrate this data into systems like firewalls, proxies, and SIEMs to automatically defend against threats that leverage new or high-risk domains.

Common capabilities

  • Real-time data delivery: Access the latest threat intelligence within minutes of observation, crucial for stopping attacks leveraging ephemeral (short-lived) domains.
  • Configurable polling frequency: Tailor data retrieval to your operational needs, with updates available as frequently as every 1 minute.
  • Comprehensive historical data: Retrieve up to 90 days of historical feed data via the Download API to ensure no data is missed.
  • Diverse threat intelligence feeds: Access a variety of specialized feeds, including those for newly observed domains, high-risk domains, and domain registration changes, to match specific threat intelligence needs.
  • Reliable data continuity: Ensure seamless data ingestion with mechanisms to prevent data loss or duplication, allowing for continuous and uninterrupted threat monitoring.
  • Granular filtering: Efficiently narrow down threat data using domain pattern filtering, reducing the need for extensive downstream processing.

Getting started

Quick start with Python

Our Python SDK provides native support for this API. Install or upgrade it with: pip install domaintools_api --upgrade

Quick Start: Your First Request

Get started with threat feeds in under 5 minutes by following these steps.

1. Get your API key

Your API key is available in your DomainTools account dashboard. For this tutorial, we'll use header authentication (recommended).

2. Choose a feed

Start with the Newly Observed Domains (NOD) feed - it's ideal for general threat detection and has moderate volume.

3. Make your first request

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/nod/?sessionID=myFirstSession'

This returns the last hour of newly observed domains.

4. Understand the response

You'll receive newline-delimited JSON (NDJSON), one JSON object per line, with entries like:

{"timestamp":"2025-01-06T15:30:42Z","domain":"example-new-domain.com"}
{"timestamp":"2025-01-06T15:30:45Z","domain":"another-domain.net"}

Each line contains:

  • timestamp: When the domain was first observed
  • domain: The apex-level domain name

5. Set up continuous polling

Call the same endpoint again with the same sessionID:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/nod/?sessionID=myFirstSession'

This returns only domains observed since your last request - no duplicates.

6. Handle the response in your application

Python example:

import requests
import json
import time

api_key = "YOUR_API_KEY"
url = "https://api.domaintools.com/v1/feed/nod/"
headers = {"X-Api-Key": api_key}
# Reusing the same sessionID makes each call return only the entries observed
# since the previous call, so the loop never reprocesses a domain.
params = {"sessionID": "myFirstSession"}

while True:
    try:
        response = requests.get(url, headers=headers, params=params, timeout=30)
        # Fail loudly on HTTP errors (e.g. a rejected API key) instead of
        # trying to parse an error body as NDJSON.
        response.raise_for_status()
    except requests.RequestException as exc:
        print(f"Feed request failed: {exc}")
        time.sleep(60)
        continue

    # The body is NDJSON: one JSON object per line.
    for line in response.text.strip().split('\n'):
        if line:
            domain_data = json.loads(line)
            print(f"New domain: {domain_data['domain']}")

    time.sleep(60)  # Poll every minute

Next steps

  • Filter domains: Add ?domain=*.io to monitor specific TLDs
  • Try other feeds: Explore NAD, NOH, Domain Hotlist, and Domain Risk
  • Download historical data: Use the Download API for backfill
  • Integrate with DNS firewalls: Configure RPZ for NOD and NAD

View detailed NOD documentation

Access methods

Each feed supports different access methods:

  • Real-time Feed API: Stream current data with configurable polling (as often as every 60 seconds)
  • Real-time Download: Historical archives organized by hour, available for 90 days
  • Daily Download: Daily batch files for archival and bulk processing
  • RPZ: Response Policy Zone format for direct DNS firewall integration (select feeds)

All feeds support flexible authentication methods and provide comprehensive filtering options to match your specific security requirements.

Feeds by category (each feed's documentation lists which of the access methods above it supports: Real-time Feed, Real-time Download, Daily Download, RPZ):

Predictive Risk Feeds
  • Domain Hotlist
  • Domain Risk
  • IP Hotlist (coming soon)
  • IP Risk (coming soon)

Discovery Feeds
  • Newly Active Domains (NAD)
  • Newly Observed Domains (NOD)
  • Newly Observed Hostnames (NOH)
  • Domain Discovery
  • Parsed Domain RDAP
  • 5-Minute Domain WHOIS
  • 5-Minute IP WHOIS

Predictive risk feeds

Identify new, potentially risky infrastructure before it's used in attacks.

Domain Hotlist

The Domain Hotlist identifies malicious and currently operational apex-level domains with high Domain Risk Scores that have shown activity within the last 24 hours. Each entry includes a 24-hour expiration time, making it a focused alternative to the broader Domain Risk feed.

Use this feed when you need to:

  • Build high-confidence block lists
  • Identify currently active and highly risky domains for immediate action
  • Enhance SOC and Threat Intel workflows with log and alert enrichment
  • Create custom network or endpoint block rules
  • Triage domain-based alerts
  • Integrate as a blocklist into DNS resolvers via RPZ

Inclusion criteria: Apex-level domains with high Domain Risk Scores (≥70 Proximity OR ≥90 Phish OR ≥90 Malware OR ≥90 Spam) that have shown activity within the last 24 hours. Each entry expires after 24 hours.

View Domain Hotlist documentation

Domain Risk

The Domain Risk feed provides a continuous data stream of all newly-scored, high-risk domains, regardless of their recent activity. This offers a more comprehensive view of potentially dangerous infrastructure that may not be currently active but still poses a risk.

Use this feed when you need to:

  • Gain comprehensive visibility into potentially dangerous infrastructure
  • Enable proactive threat intelligence for early detection
  • Set up automated detection rules in TIPs or SIEMs
  • Trigger alerts when network devices communicate with high-risk domains
  • Create automated playbooks for domain enrichment
  • Prioritize threats more quickly

Inclusion criteria: All apex-level domains with a combined Domain Risk Score of 70 or higher, regardless of observed activity.

View Domain Risk documentation

IP Hotlist

The IP Hotlist identifies high-risk IP addresses hosting hostile domains that are observed to be active within a 24-hour time window. Each entry includes comprehensive risk scores and enrichment data to help prioritize threats based on hosting infrastructure.

Use this feed when you need to:

  • Block high-risk hosting infrastructure
  • Monitor active threat actor IP addresses
  • Correlate domain threats with hosting patterns
  • Build IP-based threat intelligence
  • Detect malicious hosting providers
  • Enrich security alerts with IP context

Inclusion criteria: More than 50% of the domains hosted on the IP have a Proximity score of 70+ OR a Threat Profile score of 90+, and passive DNS shows activity on malicious domains within the last 24 hours.

View IP Hotlist documentation

IP Risk

The IP Risk feed provides comprehensive risk intelligence for all IP addresses known to be hosting domains. This feed includes extensive enrichment data such as threat scores, geographic information, ASN details, and domain hosting metrics.

Use this feed when you need to:

  • Monitor IP addresses hosting domains for threat intelligence
  • Analyze hosting infrastructure risk patterns
  • Correlate IP-based threats with domain activity
  • Build IP reputation databases
  • Detect suspicious hosting patterns
  • Enrich security alerts with IP risk context
  • Track threat actor infrastructure

Inclusion criteria: IP is actively hosting one or more domains (regardless of risk level).

View IP Risk documentation

Discovery feeds

Track new domains and hostnames as they appear.

Newly Active Domains (NAD)

The NAD feed lists domains that have become active in passive DNS, either for the first time or after a period of inactivity. This helps identify when a previously dormant domain is being repurposed, a common tactic for attackers.

Use this feed when you need to:

  • Detect the reactivation of previously dormant domains
  • Identify potentially suspicious infrastructure
  • Monitor domains that might be used for malicious activities
  • Integrate as a blocklist into DNS resolvers via RPZ

Inclusion criteria: Domains observed in passive DNS to be newly active in the latest lifecycle of the domain, either for the first time or after an inactive period of at least 10 days.

View Newly Active Domains documentation

Newly Observed Domains (NOD)

The NOD feed provides a real-time list of domains that have been observed for the first time in our global passive DNS sensor network. Use this feed for brand protection, corporate intelligence, and temporarily blocking outbound connections to brand-new domains until their reputation can be assessed.

Use this feed when you need to:

  • Identify newly registered domains for typosquatting (registering domains similar to popular brands) or brand abuse
  • Monitor the emergence of new domains relevant to your organization
  • Temporarily block access to newly observed domains to mitigate risks
  • Integrate as a blocklist into DNS resolvers via RPZ

Inclusion criteria: Domains observed in passive DNS for the first time.

View Newly Observed Domains documentation

Newly Observed Hostnames (NOH)

The NOH feed offers a more granular view by listing fully qualified domain names (FQDNs) the first time they are observed. This helps you detect threats like phishing and domain shadowing (creating malicious subdomains on compromised legitimate domains) that often use unique subdomains on legitimate-looking domains to evade detection.

Use this feed when you need to:

  • Detect phishing attempts using unique subdomains
  • Identify domain shadowing tactics
  • Enhance real-time threat detection with high-volume hostname data
  • Monitor subdomain creation on legitimate domains

Inclusion criteria: Fully qualified domain names (FQDNs) observed in passive DNS for the first time.

View Newly Observed Hostnames documentation

Domain Discovery

This feed contains the largest dataset of its kind, providing a daily list of all newly registered and newly observed domains from all TLDs, including those that don't publish zone files.

Use this feed when you need to:

  • Perform comprehensive domain monitoring for security and intelligence
  • Track the global landscape of new domain registrations
  • Identify emerging threats and trends related to new domain creation
  • Analyze patterns in domain registration activity

Inclusion criteria: All newly registered and newly observed domains from all TLDs, including TLDs that do not publish zone files.

View Domain Discovery documentation

Parsed Domain RDAP

This feed provides parsed and normalized domain information extracted from raw RDAP records, including contact information, registrar details, name servers, and important dates. Use this feed for efficient data searching, indexing, and automated processing in security workflows.

Use this feed when you need to:

  • Search for, index, or cross-reference data from RDAP records
  • Enable programmatic access to structured RDAP data
  • Analyze domain registration data to identify patterns
  • Track threat actors through registration information
  • Monitor changes in registration data for brand protection

Inclusion criteria: Changes to global domain registration information, populated by the Registration Data Access Protocol (RDAP).

View Parsed Domain RDAP documentation

5-Minute Domain WHOIS

The 5-Minute Domain WHOIS feed provides the most recently updated domain WHOIS records, processed on a 5-minute basis.

Use this feed when you need to:

  • Monitor domain registration changes in near real-time
  • Track WHOIS record updates for threat intelligence
  • Analyze domain ownership and contact information changes
  • Build domain registration databases
  • Detect suspicious registration patterns

Inclusion criteria: All domain names processed since the previous 5-minute update cycle.

View 5-Minute Domain WHOIS documentation

5-Minute IP WHOIS

The 5-Minute IP WHOIS feed provides the most recently updated IPv4 WHOIS records, processed on a 5-minute basis.

Use this feed when you need to:

  • Monitor IP address allocation and ownership changes
  • Track IP WHOIS record updates for threat intelligence
  • Analyze network infrastructure changes
  • Build IP intelligence databases
  • Correlate IP ownership with threat activity

Inclusion criteria: All IPv4 addresses processed since the previous 5-minute update cycle.

View 5-Minute IP WHOIS documentation

Need help?

  • API Reference: Complete endpoint documentation with interactive reference
  • Authentication issues: Contact enterprisesupport@domaintools.com
  • Questions about which feed to use: Review the feed descriptions above or contact your DomainTools counterpart