5-Minute IP WHOIS

The 5-Minute IP WHOIS feed provides the most recently updated IPv4 WHOIS records, processed on a 5-minute basis. This feed is available in both raw (unparsed) and parsed formats, making it suitable for various integration and analysis workflows.

Overview

This feed captures all IPv4 WHOIS records that have been updated since the previous 5-minute processing cycle. The feed is available in two versions:

• Raw version (5_min_ip_whois): Unparsed WHOIS data as received from Regional Internet Registries (RIRs)
• Parsed version (5_min_ip_whois_parsed): Structured JSON format with normalized fields

Use this feed when you need to:

• Monitor IP address allocation and ownership changes
• Track IP WHOIS record updates for threat intelligence
• Analyze network infrastructure changes
• Build IP intelligence databases
• Detect suspicious IP allocation patterns
• Automate network intelligence workflows
• Correlate IP ownership with threat activity

Inclusion criteria: All IPv4 addresses processed since the previous 5-minute update cycle.

Format: Gzip-compressed tab-separated (TSV) or JSON text files

Size: Up to 10MB per day

Requirements

You need the following to access Threat Feeds:

• An Enterprise Account with DomainTools, accessible at https://account.domaintools.com/my-account/
• Authentication credentials (API key for header authentication, or API username and key for HMAC or open key authentication)
• A way to interact with a REST API delivered through AWS CloudFront

Obtain your API credentials from your group's API administrator. API administrators can manage their API keys at https://research.domaintools.com, selecting the drop-down account menu and choosing API admin.

For assistance, contact enterprisesupport@domaintools.com.

Authentication

You can authenticate to the 5-Minute IP WHOIS API using three different methods. Choose the method that best fits your security requirements and technical environment.

API key (header) authentication

Authenticate your requests by including the API key in the header of each HTTP request. The API key serves as a unique identifier and authenticates your requests.

Required header:

X-Api-Key: YOUR_API_KEY

Examples:

# Raw WHOIS
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/5_min_ip_whois/'

# Parsed WHOIS
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/5_min_ip_whois_parsed/'

HMAC authentication

HMAC authentication is a secure alternative to API key-based methods. It requires signing each request with a SHA1 HMAC digest derived from your API secret, providing integrity and authenticity without exposing credentials directly in the request.

This method is recommended for systems where authentication credentials shouldn't be stored in plain text or included directly in request URLs.

DomainTools supports MD5, SHA1, and SHA256 for the hashing algorithm.

Required query parameters:

• api_username: Your DomainTools API username
• signature: HMAC-SHA1 signature of api_username + timestamp + uri_path
• timestamp: Current UTC timestamp in ISO 8601 format (for example, 2025-06-01T15:30:00Z)

Constructing the HMAC signature:

signature = HMAC-SHA1(api_key, api_username + timestamp + uri_path)

URI path must include API version

The uri_path parameter must include the API version prefix. For example, use /v1/feed/nod/ not /feed/nod/.

Example Python signing function:

import hmac
import hashlib

def sign(api_username, api_key, timestamp, uri):
    params = f"{api_username}{timestamp}{uri}"
    return hmac.new(api_key.encode("utf-8"), params.encode("utf-8"), hashlib.sha1).hexdigest()

HMAC timestamp requirements

The timestamp parameter in HMAC authentication must be current (within a few minutes of the server time). The timestamps shown in these examples are static for demonstration purposes. In production, generate a fresh timestamp for each request using your system's current time in ISO 8601 UTC format (e.g., 2025-01-06T15:30:00Z).

Examples:

# Raw WHOIS with HMAC
curl 'https://api.domaintools.com/v1/download/5_min_ip_whois/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z'

# Parsed WHOIS with HMAC
curl 'https://api.domaintools.com/v1/download/5_min_ip_whois_parsed/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z'

Open key authentication

This is the easiest authentication scheme to implement, but also the least secure. Each request contains the full API key and API username as query parameters. We recommend using API key header authentication or HMAC authentication instead.

If you're unsure about your authentication options, contact enterprisesupport@domaintools.com.

Required query parameters:

• api_username: Your API username
• api_key: Your API key

Examples:

# Raw WHOIS
curl 'https://api.domaintools.com/v1/download/5_min_ip_whois/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY'

# Parsed WHOIS
curl 'https://api.domaintools.com/v1/download/5_min_ip_whois_parsed/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY'

Daily Download API

The Daily Download API provides access to 5-minute IP WHOIS data through temporary AWS S3 file links. Files are organized by date and time, with new files generated every 5 minutes.

Base URLs

Raw WHOIS:

https://api.domaintools.com/v1/download/5_min_ip_whois/

Parsed WHOIS:

https://api.domaintools.com/v1/download/5_min_ip_whois_parsed/

Parameters

The Daily Download API supports standard download parameters:

api_username

Type: string (required for HMAC and open key auth)

Your DomainTools API username

api_key

Type: string (required for open key auth)

Your DomainTools API key

signature

Type: string (required for HMAC auth)

HMAC signature of your request

timestamp

Type: string (required for HMAC auth)

Current timestamp for HMAC authentication in ISO 8601 format

limit

Type: integer (optional)

Limit the list of signed files. Ordering of files is always descending, so the latest files are first.

page

Type: integer (optional)

Select which page of results are returned. Pages begin at 0 with latest results.

prefix

Type: string (optional)

Filter results by date and time using the file prefix (format: YYYYMMDDHHMM).

Example: ?prefix=2025062420 filters for files from June 24, 2025 at 8:00 PM

Response structure

The API returns a JSON response with signed URLs for downloadable files:

download_name (string): The feed identifier (5_min_ip_whois or 5_min_ip_whois_parsed)

files (array): List of downloadable file entries

Each file object contains:

• name (string): File path
• last_modified (string): Last modified date in ISO 8601 format
• etag (string): Entity tag (hash of the file)
• size (integer): Size in bytes
• url (string): Signed AWS CloudFront download URL (valid for 12 hours)

Response codes

200: OK - The request was successful

400: Bad request

401: Unauthorized

403: Forbidden

404: No data to download

File naming

Files follow this naming pattern:

Parsed version:

YYYYMMDDTTTT.json.gz

Raw version:

YYYYMMDDTTTT.gz

Where: - YYYYMMDD = Date (e.g., 20250624) - TTTT = Time in 24-hour format (e.g., 2000 for 8:00 PM)

Examples: - 202506242000.json.gz (parsed, June 24, 2025 at 8:00 PM) - 202506242000.gz (raw, June 24, 2025 at 8:00 PM)

File contents

Parsed version fields

The parsed version contains JSON with the following fields:

• RIR queried
• Net Range
• CIDR
• Net Name
• Net Handle
• Parent
• Net Type
• Origin AS
• Organization
• RegDate
• Updated
• Org Name
• Org ID
• City
• State
• Postal Code
• Country
• RegDate
• Updated
• Ref
• Referral Server
• OrgAbuseHandle
• OrgAbuseName
• OrgAbusePhone
• OrgAbuseEmail
• OrgAbuseRef
• OrgTechHandle
• OrgTechName
• OrgTechPhone
• OrgTechEmail
• OrgTechRef
• OrgNOCHandle
• OrgNOCName
• OrgNOCPhone
• OrgNOCEmail
• OrgNOCRef
• Comments
• Raw IP WHOIS data blob

Raw version format

The raw version contains unparsed IP WHOIS data as tab-separated values, with the raw WHOIS text for each IP address.

Examples

List available files (parsed version):

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/5_min_ip_whois_parsed/?limit=10'

Filter by date and hour:

# Get files from June 24, 2025 at 8:00 PM
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/5_min_ip_whois_parsed/?prefix=202506242000'

Download a specific file:

# Get the file list
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/5_min_ip_whois_parsed/?limit=1' > files.json

# Download the file
curl -o ip-whois-data.json.gz "$(jq -r '.response.files[0].url' files.json)"

# Decompress and view
gunzip ip-whois-data.json.gz
head ip-whois-data.json

Download raw version:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/5_min_ip_whois/?limit=1' > files.json

curl -o ip-whois-raw.gz "$(jq -r '.response.files[0].url' files.json)"

Related resources

• 5-Minute Domain WHOIS feed
• Domain Discovery feed