Domain Hotlist

The Domain Hotlist identifies malicious and currently operational apex-level domains with high Domain Risk Scores that have shown activity within the last 24 hours. Each entry includes a 24-hour expiration time, making it a focused alternative to the broader Domain Risk feed for building high-confidence block lists.

Overview

Domains are apex-level (for example, example.com but not www.example.com), and the feed includes only those with high risk scores that have been active in the last 24 hours.

Use this feed when you need to:

• Build high-confidence block lists
• Identify currently active and highly risky domains for immediate action
• Enhance SOC and Threat Intel workflows with log and alert enrichment
• Create custom network or endpoint block rules
• Triage domain-based alerts
• Integrate as a blocklist into DNS resolvers via RPZ

Inclusion criteria: Apex-level domains with high Domain Risk Scores that have shown activity within the last 24 hours. Each entry expires after 24 hours.

Requirements

You need the following to access Threat Feeds:

• An Enterprise Account with DomainTools, accessible at https://account.domaintools.com/my-account/
• Authentication credentials (API key for header authentication, or API username and key for HMAC or open key authentication)
• A way to interact with a REST API delivered through AWS CloudFront

Obtain your API credentials from your group's API administrator. API administrators can manage their API keys at https://research.domaintools.com, selecting the drop-down account menu and choosing API admin.

For assistance, contact enterprisesupport@domaintools.com.

Authentication

You can authenticate to the Domain Hotlist APIs using three different methods. Choose the method that best fits your security requirements and technical environment.

API key (header) authentication

Authenticate your requests by including the API key in the header of each HTTP request. The API key serves as a unique identifier and authenticates your requests.

Required header:

X-Api-Key: YOUR_API_KEY

Examples:

# Feed API request
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

# Download API request
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/domainhotlist/'

HMAC authentication

HMAC authentication is a secure alternative to API key-based methods. It requires signing each request with a SHA1 HMAC digest derived from your API secret, providing integrity and authenticity without exposing credentials directly in the request.

This method is recommended for systems where authentication credentials shouldn't be stored in plain text or included directly in request URLs.

DomainTools supports MD5, SHA1, and SHA256 for the hashing algorithm.

Required query parameters:

• api_username: Your DomainTools API username
• signature: HMAC-SHA1 signature of api_username + timestamp + uri_path
• timestamp: Current UTC timestamp in ISO 8601 format (for example, 2025-06-01T15:30:00Z)

Constructing the HMAC signature:

signature = HMAC-SHA1(api_key, api_username + timestamp + uri_path)

URI path must include API version

The uri_path parameter must include the API version prefix. For example, use /v1/feed/nod/ not /feed/nod/.

Example Python signing function:

import hmac
import hashlib

def sign(api_username, api_key, timestamp, uri):
    params = f"{api_username}{timestamp}{uri}"
    return hmac.new(api_key.encode("utf-8"), params.encode("utf-8"), hashlib.sha1).hexdigest()

Examples:

# Feed API request with HMAC
curl 'https://api.domaintools.com/v1/feed/domainhotlist/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z&sessionID=myBlocklist'

# Download API request with HMAC
curl 'https://api.domaintools.com/v1/download/domainhotlist/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z'

Open key authentication

This is the easiest authentication scheme to implement, but also the least secure. Each request contains the full API key and API username as query parameters. We recommend using API key header authentication or HMAC authentication instead.

If you're unsure about your authentication options, contact enterprisesupport@domaintools.com.

Required query parameters:

• api_username: Your API username
• api_key: Your API key

Examples:

# Feed API request
curl 'https://api.domaintools.com/v1/feed/domainhotlist/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY&sessionID=myBlocklist'

# Download API request
curl 'https://api.domaintools.com/v1/download/domainhotlist/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY'

Real-time Feed API

The Feed API provides real-time access to current Domain Hotlist data. Use this API to poll for the latest feed updates at regular intervals, maintain a session to track your position in the feed, and filter results based on your specific needs.

Base URL

https://api.domaintools.com/v1/feed/domainhotlist/

Rate limits

Real-time feeds have the following rate limits:

• 2 queries per minute
• 120 queries per hour

If you exceed these limits, the API returns an error.

Response formats

The API supports two response formats:

NDJSON (Newline-Delimited JSON)

• Default format when no Accept header is specified
• Also known as JSON Lines (JSONL)
• One JSON object per line
• Efficient for streaming and processing large datasets
• Set Accept: application/x-ndjson to explicitly request this format

CSV (Comma-Separated Values)

• Set Accept: text/csv to request CSV format
• Add &headers=1 to the query parameters to include column headers as the first line
• Not available for all feeds (for example, the Parsed Domain RDAP feed doesn't support CSV)

Session management

Session management allows you to maintain your position in the feed data stream, ensuring you don't miss or duplicate events when polling the API.

How sessions work:

• Start a new session: Provide a unique sessionID parameter of your choosing. By default, the API returns the past hour of results.
• Resume a session: Use the same sessionID in subsequent requests. The API returns all data since your last request.
• Handle large result sets: If a single request exceeds 10M results, the API returns an HTTP 206 response code. Repeat the same request with the same sessionID to receive the next batch of data until you receive an HTTP 200 response code.
• Delete a session: Use an HTTP DELETE request with your sessionID to clear the saved offset and start fresh.

Session ID requirements:

• 1 to 64 characters in length
• Alphanumeric characters and hyphens only ([a-zA-Z0-9-]+)
• Case-sensitive

Quick start

The standard access pattern is to periodically request the most recent feed data, as often as every 60 seconds.

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

This starts a new session and returns the last hour of data. Subsequent calls with the same sessionID return data since the last request.

Parameters

sessionID

Type: String

Valid values: 1-64 alphanumeric characters and hyphens ([a-zA-Z0-9-]+)

Description: A unique identifier for the session, used for resuming data retrieval from the last point. Use a new sessionID to begin a new session, fetching the most recent hour by default. Reuse the same sessionID to return all feed data since your last request. If omitted, time window parameters (such as after/before) are required.

Example: sessionID=mySOC

Required: Yes, to continue where you left off (or use after/before instead)

after

Type: Integer or string

Valid values:

• Integer: -1 to -432,000 (relative seconds before current time)
• String: ISO 8601 datetime in UTC format (YYYY-MM-DDTHH:MM:SSZ)

Description: The start of the query window (inclusive). When using an integer, the value is in seconds relative to the current time. When using a string, provide an absolute timestamp. The timestamp must represent a point between 1 second ago and 5 days ago, relative to the current UTC time.

Example: after=-60 or after=2024-10-16T10:20:00Z

Required: Yes, if before or sessionID not provided

before

Type: Integer or string

Valid values:

• Integer: -1 to -432,000 (relative seconds before current time)
• String: ISO 8601 datetime in UTC format (YYYY-MM-DDTHH:MM:SSZ)

Description: The end of the query window (inclusive). When using an integer, the value is in seconds relative to the current time. When using a string, provide an absolute timestamp. The timestamp must represent a point between 1 second ago and 5 days ago, relative to the current UTC time.

Example: before=-120 or before=2024-10-16T10:20:00Z

Required: Yes, if after or sessionID not provided

domain

Type: String

Valid values: Domain character set restricted by the DNS specification (letters, digits, hyphens). International characters should be specified in punycode. A trailing dot is acceptable.

Description: Filter for an exact domain or a domain substring by prefixing or suffixing your string with *. Multiple parameters are supported (for example, ?domain=*apple*&domain=*microsoft*). The URL-encoded version of * (%2A) may be required in some clients.

Example: domain=*bank* or domain=example.com

Required: No

fromBeginning

Type: Boolean

Valid values: true

Description: Functions with new session IDs to return the first hour (rather than the last). Returns an error if the session ID already exists. Only the value true is accepted; any other value (including false) will be ignored or treated as omitted.

Example: fromBeginning=true

Required: No

top

Type: Integer

Valid values: Positive integer, 1-1,000,000,000

Description: Limits the number of results in the response payload. Primarily intended for testing. When you apply this parameter to risk feeds, results are sorted by overall_risk (descending).

Example: top=10

Required: No

headers

Type: Integer

Valid values: 1

Description: Adds a header row as the first line of the response when text/csv is requested. Set headers=1 to enable. Only applies when requesting CSV format. Only the value 1 is accepted; any other value is invalid.

Example: headers=1

Required: No

Domain Hotlist filter parameters

Type: integer (optional)

Range: 1-99

Filter results to include only domains with risk scores greater than or equal to the specified threshold.

You can apply multiple risk score filters simultaneously. When multiple filters are used, domains must meet ALL specified thresholds to be included in the results.

Available risk score filters:

• overall_min - Minimum overall risk score
• malware_min - Minimum malware risk score
• phishing_min - Minimum phishing risk score
• spam_min - Minimum spam risk score
• proximity_min - Minimum proximity risk score

Example:

# Filter for domains with overall risk ≥ 80 and phishing risk ≥ 70
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?overall_min=80&phishing_min=70&sessionID=mySession'

Response structure

The API returns NDJSON format with one domain per line.

About Domain Risk Scores:

Domain Risk Scores predict the likelihood that a domain was registered with malicious intent. Each score ranges from 0-100, with special meanings for 0 (zero-listed/known legitimate) and 100 (blocklisted/known-bad). Regular scores range from 1-99, with null values indicating the domain has aged out of that threat profile.

Score Range	Score Color	Description
100	Red	Blocklisted. These domains can be considered known-bad, and have the highest likelihood of malicious intent. This includes sinkholed domains. DomainTools combines third party blocklists with our own scoring to determine which domains to blocklist.
90-99	Red	Strong confidence in near-term weaponization.
70-89	Orange	A potential threshold for suggesting malicious intent, and our default recommendation for significance in an investigation. Individual mileage may vary, depending on your security context and priorities.
50-69	Yellow	May require attention, depending on your security posture.
1-49	Grey	Very little evidence of malicious intent.
0	Grey	Zero-listed. DomainTools zero-lists a domain when we have no evidence that it was registered with malicious intent. Zero-listing guards well-known legitimate domains against accidental blocking and includes domains which are vital to the expected operation of the Internet.

See the Domain Risk Score user guide for complete details.

Response fields:

timestamp (string): ISO 8601 UTC timestamp when the domain was scored or observed

domain (string): The apex-level domain name

phishing_risk (integer, nullable): Phishing risk score (0-100), or null if not applicable

malware_risk (integer, nullable): Malware risk score (0-100), or null if not applicable

spam_risk (integer, nullable): Spam risk score (0-100), or null if not applicable

proximity_risk (integer): Proximity risk score (0-100)

overall_risk (integer): Overall combined risk score (0-100)

expires (string): ISO 8601 UTC timestamp when this entry expires (24 hours from initial observation)

Example response:

{"timestamp":"2025-01-06T15:30:42Z","domain":"malicious-example.com","phishing_risk":75,"malware_risk":85,"spam_risk":88,"proximity_risk":99,"overall_risk":99,"expires":"2025-01-07T15:30:42Z"}
{"timestamp":"2025-01-06T15:30:45Z","domain":"suspicious-domain.net","phishing_risk":null,"malware_risk":null,"spam_risk":null,"proximity_risk":95,"overall_risk":95,"expires":"2025-01-07T15:30:45Z"}

Response codes

Code	Status	Description
200	OK	The request was successful and all data has been delivered
206	Partial content	The request was successful, but only a portion of the data was returned. The request exceeded 10M results or the 1-hour evaluation window. Repeat the same request with the same sessionID to receive the next batch of data until you receive an HTTP 200 response
400	Bad request	The request is malformed
403	Forbidden	Missing or invalid API credentials
404	Not found	The requested resource (such as a sessionID) doesn't exist
406	Not acceptable	The specified Accept header value isn't supported. Only application/x-ndjson and text/csv are accepted
422	Unprocessable entity	The request is syntactically valid but violates semantic or domain-specific rules (for example, invalid query parameter values)

Examples

Basic session polling:

# Start a new session
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

# Resume the session (returns data since last request)
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

Time window filtering:

# Get data from a specific time range
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?after=2025-01-06T10:00:00Z&before=2025-01-06T11:00:00Z'

Domain filtering:

# Filter for specific domain patterns
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?domain=*.example.com&sessionID=myBlocklist'

CSV format:

# Request CSV format with headers
curl -H 'Accept: text/csv' -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?headers=1&sessionID=myBlocklist'

# Request CSV format without headers
curl -H 'Accept: text/csv' -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

Risk score filtering:

# Filter for domains with overall risk ≥ 90
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?overall_min=90&sessionID=myBlocklist'

# Filter for domains with high phishing and malware risk
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?phishing_min=80&malware_min=80&sessionID=myBlocklist'

Handling large result sets:

# If you receive HTTP 206, repeat the request to get the next batch
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

# Repeat until you receive HTTP 200
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

Delete a session:

# Clear the saved offset and start fresh
curl -X DELETE -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=myBlocklist'

Real-time Download API

The Real-time Download API provides access to historical Domain Hotlist data through temporary AWS S3 file links. Use this API to retrieve archived data you may have missed or to backfill your systems with historical information. Files are organized by hour and available for 90 days.

Base URL

https://api.domaintools.com/v1/download/domainhotlist/

Parameters

limit

Type: Integer

Valid values: Positive integer

Description: Limits the number of files returned in the response, starting from the most recent. Use to control payload size or test specific cases.

Example: limit=10

Required: No

Response structure

The API returns a JSON response containing an array of downloadable files. Each file entry includes:

download_name (string): The feed identifier (domainhotlist)

files (array): List of downloadable file entries

Each file object contains:

Field	Type	Description
name	string	Path and filename of the downloadable file
last_modified	string	Timestamp of last modification in ISO 8601 UTC format
etag	string	ETag (hash) used to verify file identity and versioning
size	integer	File size in bytes
url	string	Temporary signed URL to download the file from AWS CloudFront

File naming convention:

• Data file: domainhotlist/{YYYY-MM-DD}/domainhotlist-{YYYYMMDD}.{HH00}-{HH00}.json.gz
• Checksum file: domainhotlist/{YYYY-MM-DD}/domainhotlist-{YYYYMMDD}.{HH00}-{HH00}.json.gz.sha256

Example response:

{
  "response": {
    "download_name": "domainhotlist",
    "files": [
      {
        "name": "domainhotlist/2024-11-19/domainhotlist-20241119.1900-2000.json.gz.sha256",
        "last_modified": "2024-11-19T20:00:11+00:00",
        "etag": "\"67a6d9b0973b2d31ffb779dc8f7f8cfa\"",
        "size": 64,
        "url": "https://download.example.com/domainhotlist/2024-11-19/domainhotlist-20241119.1900-2000.json.gz.sha256?Expires=..."
      },
      {
        "name": "domainhotlist/2024-11-19/domainhotlist-20241119.1900-2000.json.gz",
        "last_modified": "2024-11-19T20:00:11+00:00",
        "etag": "\"67a6d9b0973b2d31ffb779dc8f7f8cfa\"",
        "size": 245000,
        "url": "https://download.example.com/domainhotlist/2024-11-19/domainhotlist-20241119.1900-2000.json.gz?Expires=..."
      }
    ]
  }
}

Response codes

Code	Status	Description
200	OK	The request was successful
400	Bad request	The request is malformed
403	Forbidden	Missing or invalid API credentials
422	Unprocessable entity	The request is syntactically valid but violates semantic or domain-specific rules (for example, invalid query parameter values)

File contents

The *.json.gz.sha256 file is a checksum containing a SHA-256 hash value used to verify the integrity of the downloaded file.

The *.json.gz file, when uncompressed, contains JSON data in the same format as the Feed API response (NDJSON with timestamp, domain, risk score fields, and expires).

Examples

List available files:

# Get the most recent files
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/domainhotlist/?limit=10'

Download and verify a file:

# Get the file list
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/domainhotlist/?limit=2' > files.json

# Extract the URL and download the data file
curl -o domainhotlist-data.json.gz "$(jq -r '.response.files[1].url' files.json)"

# Download the checksum file
curl -o domainhotlist-data.json.gz.sha256 "$(jq -r '.response.files[0].url' files.json)"

# Verify the integrity
sha256sum -c domainhotlist-data.json.gz.sha256

Batch processing:

# Download multiple files in a loop
for url in $(curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/domainhotlist/?limit=24' | \
  jq -r '.response.files[].url' | grep '\.json\.gz$'); do
  curl -O "$url"
done

Daily Download API

The Daily Download API provides daily batch summaries as an alternative to hourly real-time data. Use this when you need daily aggregated data rather than real-time updates.

Overview

Daily feed of high-risk domains that are observed to be active within a 24 hour time window.

The Daily Domain Hotlist is available in multiple variants, each filtered by different risk score thresholds. All variants require passive DNS activity within 24 hours.

Inclusion threshold: Varies by variant. See File naming section below.

Format: Tab-separated text file (gzipped); one domain per line with component risk scores

Size: ~900,000 domains, ~3.5MB compressed

Note: The Daily Domain Hotlist is also available in RPZ format. Contact enterprisesupport@domaintools.com for information about RPZ delivery.

Base URL

https://api.domaintools.com/v1/download/daily_domain_hotlist/

Parameters

The Daily Download API supports standard download parameters:

api_username

Type: string (required for HMAC and open key auth)

Your DomainTools API username

api_key

Type: string (required for open key auth)

Your DomainTools API key

signature

Type: string (required for HMAC auth)

HMAC signature of your request

timestamp

Type: string (required for HMAC auth)

Current timestamp for HMAC authentication in ISO 8601 format

limit

Type: integer (optional)

Limit the list of signed files. Ordering of files is always descending, so the latest files are first.

page

Type: integer (optional)

Select which page of results are returned. Pages begin at 0 with latest results.

prefix

Type: string (optional)

Filter results by date using the file prefix.

Response structure

The API returns a JSON response with signed URLs for downloadable files:

download_name (string): The feed identifier (daily_domain_hotlist)

files (array): List of downloadable file entries

Each file object contains:

Field	Type	Description
name	string	File path (e.g., daily_domain_hotlist/99s.domainhotlist.gz)
last_modified	string	Last modified date in ISO 8601 format
etag	string	Entity tag (hash of the file)
size	integer	Size in bytes
url	string	Signed AWS CloudFront download URL (valid for 12 hours)

Response codes

Code	Status	Description
200	OK	The request was successful
400	Bad request	Invalid request parameters
401	Unauthorized	Missing or invalid authentication
403	Forbidden	Insufficient permissions
404	No data to download	No files available

File naming

The Daily Domain Hotlist is available in five variants, filtered by Domain Risk Score thresholds:

• 90s.domainhotlist.gz: Domains with Proximity ≥ 70 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
• 95s.domainhotlist.gz: Domains with Proximity ≥ 85 OR (Malware Risk ≥ 95 AND Phishing Risk ≥ 95)
• 99s.domainhotlist.gz: Domains with Proximity ≥ 85 OR (Malware Risk ≥ 99 AND Phishing Risk ≥ 99)
• 1k.domainhotlist.gz: Top 1,000 highest-risk domains with Proximity ≥ 75 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
• 100k.domainhotlist.gz: Top 100,000 highest-risk domains with Proximity ≥ 75 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)

All variants require passive DNS activity within 24 hours.

File contents

The tab-separated file contains one domain per line with the following fields:

• Domain Name: The apex-level domain
• Phishing: Machine learning classifier prediction for phishing (0-100)
• Malware: Machine learning classifier prediction for malware (0-100)
• Spam: Machine learning classifier prediction for spam (0-100)
• Proximity: Indicates shared registration or infrastructure with known-bad domains (0-100)

Example line:

example.com 75  85  88  99

The risk score fields are used to filter domains into the different hotlist variants as described in the File naming section. For detailed information about these scores, see the Domain Risk Score user guide.

Examples

List available files:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_domain_hotlist/'

Download a specific file:

# Get the file list
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_domain_hotlist/?limit=1' > files.json

# Download the file
curl -o daily-domain-hotlist.gz "$(jq -r '.response.files[0].url' files.json)"

# Decompress and view
gunzip daily-domain-hotlist.gz
head daily-domain-hotlist

RPZ Access

The Domain Hotlist feed is available via Response Policy Zone (RPZ) for direct integration with DNS firewalls.

Overview

Response Policy Zone (RPZ) provides DNS-level blocking by integrating threat feeds directly into your DNS resolver. This allows you to automatically block or redirect DNS queries for domains in the feed, providing real-time protection before connections are established.

How RPZ works:

When a user attempts to access a domain in the RPZ feed, your DNS resolver responds with an NXDOMAIN ("no such domain") status code, effectively making the domain unavailable. This blocks malicious domains at the DNS layer, preventing endpoint communication before any connection is established.

Benefits:

• Real-time protection: Blocks threats at the DNS resolver level
• Automatic updates: Receives updates via DNS zone transfers (AXFR/IXFR)
• No client configuration: Works transparently for all clients using your DNS resolver
• Efficient: Minimal performance impact on DNS resolution
• Standard protocol: Uses DNS Response Policy Zones specification

Zone naming format:

RPZ zones are named using the pattern: [interval].[feed].rpz.domaintools.com

Available time intervals: 5m, 10m, 30m, 1h, 3h, 12h (and 24h for some feeds)

Larger time intervals are supersets that include smaller intervals. Smaller intervals have smaller zone sizes and may be available faster.

Available zones

The Domain Hotlist feed is available in the following RPZ zones:

• 1k.domainhotlist.rpz.domaintools.com - Top 1,000 highest-risk domains with Proximity ≥ 75 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
• 100k.domainhotlist.rpz.domaintools.com - Top 100,000 highest-risk domains with Proximity ≥ 75 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
• 90s.domainhotlist.rpz.domaintools.com - Domains with Proximity ≥ 70 OR (Malware Risk ≥ 90 AND Phishing Risk ≥ 90)
• 95s.domainhotlist.rpz.domaintools.com - Domains with Proximity ≥ 85 OR (Malware Risk ≥ 95 AND Phishing Risk ≥ 95)
• 99s.domainhotlist.rpz.domaintools.com - Domains with Proximity ≥ 85 OR (Malware Risk ≥ 99 AND Phishing Risk ≥ 99)

All zones require passive DNS activity within the last 24 hours.

Choosing a zone:

• Smaller numbers = higher confidence, lower volume: The 1k and 99s zones contain the highest-risk domains with the fewest false positives
• Larger numbers = broader coverage, higher volume: The 100k and 90s zones provide more comprehensive coverage but may include more borderline cases
• Choose based on your risk tolerance and infrastructure capacity

Configuration

Configuration requirements:

To access RPZ feeds, you need to:

1. Provide IP addresses: Contact enterprisesupport@domaintools.com with:
2. IP address(es) from which you connect to the RPZ provider DNS server

3. IP address(es) to receive DNS NOTIFY messages (typically the same)

4. Configure firewall: Add rules to allow DomainTools hosts to send UDP packets to port 53:

5. IPv4: 104.244.14.88 Port: 53

6. IPv4: 104.244.14.89 Port: 53

7. Set up TSIG authentication: DomainTools uses TSIG (Secret Key Transaction Authentication) for authorization:

8. TSIG key algorithm: hmac-sha512
9. TSIG key and key name: Provided by DomainTools Enterprise Support

Delivery method:

RPZ feeds are delivered via:

• Incremental Zone Transfers (IXFR)
• Full zone transfers (AXFR)
• DNS NOTIFY messages to trigger zone updates

For detailed configuration instructions, including DNS resolver setup, advanced features (allowlists, walled gardens, logging), and troubleshooting, see the Response Policy Zone documentation.

Testing

Testing your RPZ configuration:

When your DNS resolver blocks a domain using RPZ, the response includes an SOA (Start of Authority) record that identifies which RPZ feed was used.

Test domain:

Each RPZ feed includes a test domain entry: test.rpz.domaintools.test

Use this to verify the RPZ feed is loaded and working. A successful test returns:

• NXDOMAIN status code
• SOA record in the ADDITIONAL section showing the specific feed name

Example SOA record:

;; ADDITIONAL SECTION:
3h.nad.rpz.domaintools.com. 86400 IN SOA rpz-ns1.domaintools.com. noc.domaintools.com. 946684799 600 300 86400 86400

The SOA SERIAL number (Unix epoch timestamp) indicates when the feed was last regenerated.

Troubleshooting:

If the SOA record appears in the AUTHORITY section instead of ADDITIONAL, or doesn't show the specific feed name, the response didn't come from RPZ. Check your DNS resolver's RPZ-related logs for additional debugging information.

Examples

Test the RPZ feed:

# Query the test domain
dig test.rpz.domaintools.test

# Expected response includes NXDOMAIN and SOA record showing the feed name
# Example SOA in ADDITIONAL section:
# 1k.domainhotlist.rpz.domaintools.com. 86400 IN SOA rpz-ns1.domaintools.com. ...

Verify a specific zone is loaded:

# Test with the top 1,000 highest-risk zone
dig @your-dns-server test.rpz.domaintools.test

# Check the SOA record shows: 1k.domainhotlist.rpz.domaintools.com

Related resources

• Domain Risk feed
• Newly Active Domains feed
• Domain Risk Score user guide
• Response Policy Zone documentation