IP Risk

The IP Risk feed provides risk intelligence for all IP addresses that host domains, regardless of risk level. This feed includes enrichment data: threat scores, geographic information, ASN details, and domain hosting metrics.

Overview

This feed captures all IP addresses that actively host one or more domains, providing risk assessment and enrichment data for each IP address. The feed includes both confirmed threats from third-party intelligence feeds and predictive risk scores based on DomainTools machine learning models.

Use this feed when you need to:

  • Monitor IP addresses hosting domains for threat intelligence
  • Analyze hosting infrastructure risk patterns
  • Correlate IP-based threats with domain activity
  • Build IP reputation databases
  • Detect suspicious hosting patterns
  • Enrich security alerts with IP risk context
  • Track threat actor infrastructure

Inclusion criteria: IP address actively hosts one or more domains (regardless of risk level).

Daily download format: Gzip-compressed tab-separated (TSV) text file

Size: 15-20 million IP addresses, ~200MB compressed

Quick Start

Get started with the IP Risk feed in under 60 seconds using the Real-time Feed API:

# Start polling for IP risk data
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySession'

This returns the last hour of data. Call again with the same sessionID to get only new data since your last request. See Real-time Feed API for complete details and Authentication for auth options.

Requirements

You need the following to access Threat Feeds:

  • An Enterprise Account with DomainTools, accessible at https://account.domaintools.com/my-account/
  • Authentication credentials (API key for header authentication, or API username and key for HMAC or open key authentication)
  • A way to interact with a REST API delivered through AWS

Obtain your API credentials from your group's API administrator. API administrators can manage their API keys at https://research.domaintools.com, selecting the drop-down account menu and choosing API admin.

For assistance, contact enterprisesupport@domaintools.com.

Authentication

You can authenticate to the IP Risk API using three different methods. Choose the method that best fits your security requirements and technical environment.

API key (header) authentication

Authenticate your requests by including the API key in the header of each HTTP request. The API key serves as a unique identifier and authenticates your requests.

Required header:

X-Api-Key: YOUR_API_KEY

Examples:

# Feed API request
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySession'
# Download API request
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/iprisk/'

HMAC (Hash-based Message Authentication Code) authentication

HMAC authentication is a secure alternative to API key-based methods. It requires signing each request with an HMAC digest derived from your API key, providing integrity and authenticity without exposing credentials directly in the request.

This method is recommended for systems where authentication credentials shouldn't be stored in plain text or included directly in request URLs.

DomainTools supports MD5, SHA1, and SHA256 for the hashing algorithm. Use SHA256 — it's the recommended choice and is more resistant to collision attacks than MD5 or SHA1.

Required query parameters:

  • api_username: Your DomainTools API username
  • signature: HMAC-SHA256 signature of api_username + timestamp + uri_path
  • timestamp: Current UTC timestamp in ISO 8601 format (for example, 2025-06-01T15:30:00Z)

Constructing the HMAC signature:

signature = HMAC-SHA256(api_key, api_username + timestamp + uri_path)

URI path must include API version

The uri_path parameter must include the API version prefix. For example, use /v1/feed/nod/ not /feed/nod/.

Example Python signing function:

import hmac
import hashlib

def sign(api_username, api_key, timestamp, uri):
    params = f"{api_username}{timestamp}{uri}"
    return hmac.new(api_key.encode("utf-8"), params.encode("utf-8"), hashlib.sha256).hexdigest()

HMAC timestamp requirements

The timestamp parameter in HMAC authentication must be current (within a few minutes of the server time). The timestamps shown in these examples are static for demonstration purposes. In production, generate a fresh timestamp for each request using your system's current time in ISO 8601 UTC format (e.g., 2025-01-06T15:30:00Z).

Examples:

# Feed API request with HMAC
curl 'https://api.domaintools.com/v1/feed/iprisk/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z&sessionID=mySession'
# Download API request with HMAC
curl 'https://api.domaintools.com/v1/download/iprisk/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z'
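The curl examples above carry a static timestamp and a placeholder signature. The following added example (not DomainTools code) builds a complete signed URL with a fresh UTC timestamp for each request, using the signing formula from this page. The helper names and the credentials in the demo are hypothetical.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlencode

API_HOST = "https://api.domaintools.com"
AUTH_PARAMS = ("api_username", "signature", "timestamp")


def utc_timestamp(now=None):
    """Return the current UTC time as YYYY-MM-DDTHH:MM:SSZ."""
    now = now or datetime.now(timezone.utc)
    return now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def signed_url(api_username, api_key, uri_path, extra_params=None, now=None):
    """Build a request URL signed as HMAC-SHA256(api_key, username + timestamp + uri_path).

    The API key is used only as the HMAC key and never appears in the URL.
    `now` exists so a fixed time can be injected when testing.
    """
    # The signed path must carry the version prefix (/v1/feed/..., not /feed/...).
    if not uri_path.startswith("/v1/"):
        raise ValueError("uri_path must include the API version prefix, e.g. /v1/feed/iprisk/")
    extra_params = dict(extra_params or {})
    clash = [name for name in AUTH_PARAMS + ("api_key",) if name in extra_params]
    if clash:
        raise ValueError(f"extra_params must not set {clash}")

    timestamp = utc_timestamp(now)  # generated per request, never reused
    message = f"{api_username}{timestamp}{uri_path}"
    signature = hmac.new(
        api_key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256
    ).hexdigest()

    params = {"api_username": api_username, "signature": signature, "timestamp": timestamp}
    params.update(extra_params)
    # safe=":" keeps the timestamp in the same literal form as the curl examples.
    return f"{API_HOST}{uri_path}?{urlencode(params, safe=':')}"


if __name__ == "__main__":
    # Hypothetical credentials, for demonstration only.
    print(signed_url("example_user", "constructed-key", "/v1/feed/iprisk/",
                     {"sessionID": "mySession"}))
```
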

Open key authentication

This is the easiest authentication scheme to implement, but also the least secure. Each request contains the full API key and API username as query parameters. We recommend using API key header authentication or HMAC authentication instead.

If you're unsure about your authentication options, contact enterprisesupport@domaintools.com.

Required query parameters:

  • api_username: Your API username
  • api_key: Your API key

Examples:

# Feed API request
curl 'https://api.domaintools.com/v1/feed/iprisk/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY&sessionID=mySession'
# Download API request
curl 'https://api.domaintools.com/v1/download/iprisk/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY'

Real-time Feed API

The Real-time Feed API provides streaming access to IP Risk data as risk assessments are updated. This enables real-time monitoring of hosting infrastructure threats and immediate detection of changes in IP risk profiles.

Base URL

https://api.domaintools.com/v1/feed/iprisk/

Feed API rate limits

Real-time feeds have the following rate limits:

  • 2 queries per minute
  • 120 queries per hour

If you exceed these limits, the API returns an error.

Feed API response formats

The API supports two response formats:

NDJSON (Newline-Delimited JSON)

  • Default format when no Accept header is specified
  • Also known as JSON Lines (JSONL)
  • One JSON object per line
  • Efficient for streaming and processing large datasets
  • Set Accept: application/x-ndjson to explicitly request this format

CSV (Comma-Separated Values)

  • Set Accept: text/csv to request CSV format
  • Add &headers=1 to the query parameters to include column headers as the first line
  • Not available for all feeds; check the specific feed documentation for CSV support

Feed API session management

Session management allows you to maintain your position in the feed data stream, ensuring you don't miss or duplicate events when polling the API.

How sessions work:

  • Start a new session: Provide a unique sessionID parameter of your choosing. By default, the API returns the past hour of results.
  • Resume a session: Use the same sessionID in subsequent requests. The API returns all data since your last request.
  • Handle large result sets: If a single request exceeds 10M results, the API returns an HTTP 206 response code. Repeat the same request with the same sessionID to receive the next batch of data until you receive an HTTP 200 response code.
  • One request at a time: Do not send simultaneous requests with the same sessionID for the same feed. Wait for each request to complete before sending the next one. Concurrent requests with the same sessionID can produce errors or incomplete results.
  • Delete a session: Use an HTTP DELETE request with your sessionID to clear the saved offset and start fresh.

Session ID requirements:

  • 1 to 64 characters in length
  • Alphanumeric characters and hyphens only ([a-zA-Z0-9-]+)
  • Case-sensitive
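The session rules above, as an added example that is not DomainTools code: a polling loop that validates the sessionID, sends one request at a time, and repeats the same request while the API answers HTTP 206. The function names, the 30-second spacing (chosen to stay inside the 2 queries per minute limit) and the constructed responses are assumptions of this example.

```python
import json
import re
import time
import urllib.error
import urllib.request

FEED_URL = "https://api.domaintools.com/v1/feed/iprisk/"
SESSION_ID_RE = re.compile(r"[a-zA-Z0-9-]{1,64}")
MIN_INTERVAL_SECONDS = 30  # assumption: keeps polling within 2 queries per minute


def validate_session_id(session_id):
    """Reject IDs outside the documented 1-64 character [a-zA-Z0-9-] rule."""
    if not isinstance(session_id, str) or not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("sessionID must be 1-64 alphanumeric characters or hyphens")
    return session_id


def make_http_fetch(api_key):
    """Return fetch(session_id) -> (status, body) using header authentication."""
    def fetch(session_id):
        request = urllib.request.Request(
            f"{FEED_URL}?sessionID={session_id}", headers={"X-Api-Key": api_key})
        try:
            with urllib.request.urlopen(request, timeout=120) as response:
                return response.status, response.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            return err.code, ""
    return fetch


def iter_session_records(fetch, session_id, sleep=time.sleep, max_batches=100):
    """Yield NDJSON records, repeating the request until the API answers 200."""
    validate_session_id(session_id)
    for batch in range(max_batches):
        if batch:
            sleep(MIN_INTERVAL_SECONDS)  # sequential and spaced, never concurrent
        status, body = fetch(session_id)
        if status not in (200, 206):
            raise RuntimeError(f"feed request failed with HTTP {status}")
        for line in body.splitlines():
            if line.strip():
                yield json.loads(line)
        if status == 200:
            return  # all data for this poll has been delivered
    raise RuntimeError(f"still HTTP 206 after {max_batches} requests")


# Constructed responses standing in for the API so the loop runs offline.
CONSTRUCTED_BATCHES = [
    (206, '{"ip":"192.0.2.10","all_threats_combined_percent":10.6}\n'),
    (206, '{"ip":"192.0.2.11","all_threats_combined_percent":5.6}\n\n'),
    (200, '{"ip":"192.0.2.12","all_threats_combined_percent":0.0}\n'),
]


def replay_fetch(batches):
    """Return a fetch function that replays the given (status, body) pairs."""
    pending = iter(batches)
    return lambda session_id: next(pending)


if __name__ == "__main__":
    fetch = replay_fetch(CONSTRUCTED_BATCHES)  # swap in make_http_fetch(key) for live use
    for record in iter_session_records(fetch, "mySOC", sleep=lambda seconds: None):
        print(record["ip"], record["all_threats_combined_percent"])
```
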

Feed API quick start

Start a new session:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC'

A new sessionID returns the last hour of data by default.

Continue polling for new updates:

# Call again with the same sessionID to get only new data since last call
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC'

Feed API parameters

Session management

sessionID

Type: String

Valid values: 1-64 alphanumeric characters and hyphens ([a-zA-Z0-9-]+)

Description: A unique identifier for the session, used for resuming data retrieval from the last point. Use a new sessionID to begin a new session, fetching the most recent hour by default. Reuse the same sessionID to return all feed data since your last request. If omitted, time window parameters (such as after/before) are required.

Example: sessionID=mySOC

Required: Yes, to continue where you left off (or use after/before instead)

after

Type: Integer or string

Valid values:

  • Integer: -1 to -432,000 (relative seconds before current time)
  • String: ISO 8601 datetime in UTC format (YYYY-MM-DDTHH:MM:SSZ)

Description: The start of the query window (inclusive). When using an integer, the value is in seconds relative to the current time. When using a string, provide an absolute timestamp. The timestamp must represent a point between 1 second ago and 5 days ago, relative to the current UTC time.

Example: after=-60 or after=2024-10-16T10:20:00Z

Required: Yes, if before or sessionID not provided

before

Type: Integer or string

Valid values:

  • Integer: -1 to -432,000 (relative seconds before current time)
  • String: ISO 8601 datetime in UTC format (YYYY-MM-DDTHH:MM:SSZ)

Description: The end of the query window (inclusive). When using an integer, the value is in seconds relative to the current time. When using a string, provide an absolute timestamp. The timestamp must represent a point between 1 second ago and 5 days ago, relative to the current UTC time.

Example: before=-120 or before=2024-10-16T10:20:00Z

Required: Yes, if after or sessionID not provided

fromBeginning

Type: Boolean

Valid values: true

Description: Requires a sessionID. When used with a new session ID, returns the first hour of data in the time window (rather than the last). Returns an error if the session ID already exists — drop fromBeginning from subsequent requests after the first call. Only the value true is accepted; any other value (including false) is ignored.

Example: fromBeginning=true

Required: No

Query filters

ip

Type: string (optional)

Filter for a specific IPv4 address.

Example:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC&ip=192.0.2.1'

Result formatting

top

Type: Integer

Valid values: Positive integer, 1-1,000,000,000

Description: Limits the number of results in the response payload. Primarily intended for testing. When you apply this parameter to risk feeds, results are sorted by all_threats_combined_percent (descending).

Example: top=10

Required: No

Note: When using the top parameter with IP Risk, results are sorted by all_threats_combined_percent (descending), returning the highest-risk IPs first.

headers

Type: Integer

Valid values: 1

Description: Adds a header row as the first line of the response when text/csv is requested. Set headers=1 to enable. Only applies when requesting CSV format. Only the value 1 is accepted; any other value is invalid.

Example: headers=1

Required: No

Feed API response structure

The Feed API returns NDJSON (newline-delimited JSON) with one IP entry per line. Each entry includes a timestamp field indicating when the risk assessment was updated, plus all IP risk and enrichment fields.

Response fields:

timestamp (string): ISO 8601 UTC timestamp when the risk assessment was updated

Note: For real-time feeds, the total_domains field reflects domains seen over the last 30 days (not 7 days as in the daily feed).

Example response:

{"timestamp":"2025-01-06T15:30:42Z","ip":"192.0.2.10","asn":12345,"organization":"Example Hosting LLC","city":"Amsterdam","country":"NL","latitude":52.3676,"longitude":4.9041,"pdns_resolutions":12,"bad_pdns_resolutions":3,"total_domains":47,"zerolist_domains":2,"zerolist_ip":false,"third_party_threats":2,"all_threats_combined_count":5,"all_threats_combined_percent":10.6,"all_threats_percent":10.6,"combined_phishing_percent":6.4,"combined_malware_percent":8.5,"combined_spam_percent":4.3,"malicious_phishing":1,"malicious_malware":2,"malicious_spam":1,"percent_phishing":2.1,"percent_malware":4.3,"percent_spam":2.1,"compromised_phishing":0,"compromised_malware":1,"compromised_spam":0,"predicted_phishing":1,"predicted_malware":2,"predicted_spam":1}
{"timestamp":"2025-01-06T15:30:45Z","ip":"192.0.2.11","asn":67890,"organization":"Cloud Provider Corp","city":"Frankfurt","country":"DE","latitude":50.1109,"longitude":8.6821,"pdns_resolutions":5,"bad_pdns_resolutions":0,"total_domains":18,"zerolist_domains":0,"zerolist_ip":false,"third_party_threats":0,"all_threats_combined_count":1,"all_threats_combined_percent":5.6,"all_threats_percent":5.6,"combined_phishing_percent":0.0,"combined_malware_percent":5.6,"combined_spam_percent":0.0,"malicious_phishing":0,"malicious_malware":0,"malicious_spam":0,"percent_phishing":0.0,"percent_malware":0.0,"percent_spam":0.0,"compromised_phishing":0,"compromised_malware":0,"compromised_spam":0,"predicted_phishing":0,"predicted_malware":1,"predicted_spam":0}

IP and infrastructure fields

| Field | Description |
| --- | --- |
| ip | IP address that has www/apex domains pointing to it |
| asn | The IP's ASN (autonomous system number, routing provider) |
| organization | Organization associated with IP range based on geo data |
| city | City based on IP geo data |
| country | Country based on IP geo data |
| latitude | Geographic coordinates |
| longitude | Geographic coordinates |

Domain activity metrics

| Field | Description |
| --- | --- |
| pdns_resolutions | Number of domains seen on the IP in the last 24 hours |
| bad_pdns_resolutions | Number of confirmed bad domains seen on the IP in the last 24 hours |
| total_domains | Total number of domains seen on this IP in the last 7 days |
| zerolist_domains | Number of zero-listed domains seen on this IP |
| zerolist_ip | Indicates if this IP is zero-listed (e.g., CDN) |

Threat intelligence metrics

| Field | Description |
| --- | --- |
| third_party_threats | Number of domains on IP confirmed with any threat on a third-party intel feed |
| all_threats_combined_count | Number of confirmed or predicted domains on third-party intel feed or threat profile |
| all_threats_combined_percent | Percentage of domains that are confirmed or predicted malicious |
| all_threats_percent | Percentage of domains including all threat types |

Combined threat predictions

| Field | Description |
| --- | --- |
| combined_phishing_percent | Percentage of domains confirmed or predicted as phishing |
| combined_malware_percent | Percentage of domains confirmed or predicted as malware |
| combined_spam_percent | Percentage of domains confirmed or predicted as spam |

Confirmed malicious threats

| Field | Description |
| --- | --- |
| malicious_phishing | Number of malicious phishing domains on third-party intel feeds |
| malicious_malware | Number of malicious malware domains on third-party intel feeds |
| malicious_spam | Number of malicious spam domains on third-party intel feeds |
| percent_phishing | Percentage of domains that are confirmed phishing |
| percent_malware | Percentage of domains that are confirmed malware |
| percent_spam | Percentage of domains that are confirmed spam |

Compromised threats

| Field | Description |
| --- | --- |
| compromised_phishing | Number of compromised phishing domains on third-party intel feeds |
| compromised_malware | Number of compromised malware domains on third-party intel feeds |
| compromised_spam | Number of compromised spam domains on third-party intel feeds |

Predicted threats

| Field | Description |
| --- | --- |
| predicted_phishing | Number of domains (with no confirmed threat) predicted as phishing |
| predicted_malware | Number of domains (with no confirmed threat) predicted as malware |
| predicted_spam | Number of domains (with no confirmed threat) predicted as spam |
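The fields above separate confirmed threats from model predictions and flag zero-listed IPs. The following added example (not DomainTools code) shows one way to triage feed records on those distinctions. The thresholds, the verdict names and the decision to exclude zero-listed IPs are assumptions of this example. The first two sample records are trimmed from the example response on this page and the rest are constructed.

```python
import json

# Records 1-2: trimmed from the page's example response. Records 3-5: constructed
# (a zero-listed IP, a single-domain IP, and a truncated line).
SAMPLE_NDJSON = """\
{"ip":"192.0.2.10","total_domains":47,"zerolist_ip":false,"third_party_threats":2,"bad_pdns_resolutions":3,"all_threats_combined_percent":10.6,"predicted_phishing":1,"predicted_malware":2,"predicted_spam":1}
{"ip":"192.0.2.11","total_domains":18,"zerolist_ip":false,"third_party_threats":0,"bad_pdns_resolutions":0,"all_threats_combined_percent":5.6,"predicted_phishing":0,"predicted_malware":1,"predicted_spam":0}
{"ip":"192.0.2.12","total_domains":9000,"zerolist_ip":true,"third_party_threats":40,"bad_pdns_resolutions":5,"all_threats_combined_percent":0.6,"predicted_phishing":10,"predicted_malware":4,"predicted_spam":0}
{"ip":"192.0.2.13","total_domains":1,"zerolist_ip":false,"third_party_threats":0,"bad_pdns_resolutions":0,"all_threats_combined_percent":100.0,"predicted_phishing":1,"predicted_malware":0,"predicted_spam":0}
{"ip":"192.0.2.14","total_domains":
"""


def classify(rec, min_percent=5.0, min_domains=5):
    """Map one feed record to a verdict. Thresholds are example values."""
    if rec["zerolist_ip"]:
        return "zerolisted"  # e.g. a CDN: never a candidate for IP blocking
    if rec["all_threats_combined_percent"] < min_percent:
        return "below-threshold"
    if rec["third_party_threats"] > 0 or rec["bad_pdns_resolutions"] > 0:
        return "confirmed"  # backed by third-party intel, not only a model
    predicted = (rec["predicted_phishing"] + rec["predicted_malware"]
                 + rec["predicted_spam"])
    if predicted > 0:
        # A percentage over very few domains is weak evidence: 1 of 1 is 100%.
        return "predicted" if rec["total_domains"] >= min_domains else "low-sample"
    return "unclassified"


def triage(ndjson_text, **thresholds):
    """Return ({verdict: [ip, ...]}, malformed_line_count) for an NDJSON body."""
    buckets, malformed = {}, 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip, verdict = rec["ip"], classify(rec, **thresholds)
        except (ValueError, KeyError, TypeError):
            malformed += 1  # truncated or incomplete record: count it, do not guess
            continue
        buckets.setdefault(verdict, []).append(ip)
    return buckets, malformed


if __name__ == "__main__":
    buckets, malformed = triage(SAMPLE_NDJSON)
    for verdict, ips in buckets.items():
        print(verdict, ips)
    print("malformed lines:", malformed)
```
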

Feed API response codes

| Code | Status | Description |
| --- | --- | --- |
| 200 | OK | The request was successful and all data has been delivered |
| 206 | Partial content | The request was successful, but only a portion of the data was returned. The request exceeded 10M results or the 1-hour evaluation window. Repeat the same request with the same sessionID to receive the next batch of data until you receive an HTTP 200 response |
| 400 | Bad request | The request is malformed |
| 403 | Forbidden | Missing or invalid API credentials |
| 404 | Not found | The requested resource (such as a sessionID) doesn't exist |
| 406 | Not acceptable | The specified Accept header value isn't supported. Only application/x-ndjson and text/csv are accepted |
| 422 | Unprocessable entity | The request is syntactically valid but violates semantic or domain-specific rules (for example, invalid query parameter values) |

Feed API examples

Basic session polling:

# Start a new session
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC'
# Resume the session (returns data since last request)
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC'

Time window filtering:

# Get data from a specific time range
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?after=2025-01-06T10:00:00Z&before=2025-01-06T11:00:00Z'

IP filtering:

# Filter for a specific IP address
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?ip=192.0.2.1&sessionID=mySOC'

CSV format:

# Request CSV format with headers
curl -H 'Accept: text/csv' -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?headers=1&sessionID=mySOC'
# Request CSV format without headers
curl -H 'Accept: text/csv' -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC'

Top highest-risk IPs:

# Get top 10 highest-risk IPs (sorted by all_threats_combined_percent)
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?top=10&sessionID=mySOC'

Handling large result sets:

# If you receive HTTP 206, repeat the request to get the next batch
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC'
# Repeat until you receive HTTP 200

Delete a session:

# Clear the saved offset and start fresh
curl -X DELETE -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/feed/iprisk/?sessionID=mySOC'

Real-time Download API

The Real-time Download API provides access to historical IP Risk data through temporary Amazon Web Services (AWS) S3 file links. Files are organized by hour and available for 90 days.

Base URL

https://api.domaintools.com/v1/download/iprisk/

Download API parameters

limit

Type: Integer

Valid values: Positive integer

Description: Limits the number of files returned in the response, starting from the most recent. Use to control payload size or test specific cases.

Example: limit=10

Required: No

page

Type: Integer

Valid values: Non-negative integer (0, 1, 2, ...)

Description: Selects which page of results to return. Pages begin at 0 with the latest results. Use with limit and prefix to control results. The server returns an HTTP 404 (No data to download.) message when the page request exceeds the last page of results.

Example: page=3

Required: No

prefix

Type: String

Valid values: Date/time prefix matching the feed's filename format

Description: Filters results by date using the file prefix. Use with page and limit to control results. Filename prefixes vary by feed. For example, files for this feed begin with the date in YYYYMMDD format.

Example: prefix=20250624

Required: No

Download API response structure

The API returns a JSON response containing an array of downloadable files. Each file entry includes:

download_name (string): The feed identifier

files (array): List of downloadable file entries

Each file object contains:

  • name (string): Path and filename of the downloadable file
  • last_modified (string): Timestamp of last modification in ISO 8601 UTC format
  • etag (string): ETag (hash) used to verify file identity and versioning
  • size (integer): File size in bytes
  • url (string): Temporary signed URL to download the file from AWS

Download API response codes

| Code | Status | Description |
| --- | --- | --- |
| 200 | OK | The request was successful |
| 400 | Bad request | The request is malformed |
| 401 | Unauthorized | Missing or invalid API credentials |
| 403 | Forbidden | Missing or invalid API credentials |
| 404 | Not found | No data to download |
| 422 | Unprocessable entity | The request is syntactically valid but violates semantic or domain-specific rules (for example, invalid query parameter values) |

Download API file naming

Files follow this naming pattern:

iprisk/YYYY-MM-DD/iprisk-YYYYMMDD.HH00-HH00.json.gz
iprisk/YYYY-MM-DD/iprisk-YYYYMMDD.HH00-HH00.json.gz.sha256

The system produces two files each hour:

  • A gzipped JSON data file
  • A SHA-256 checksum file for verification

Download API file contents

When uncompressed, the *.json.gz file contains JSON data in the same format as the Feed API response (NDJSON with timestamp and all IP risk fields).

Download API examples

List available files:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/iprisk/?limit=10'

Download and verify a file:

# Get file list
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/iprisk/?limit=2' > files.json

# Extract URLs (select by file extension to avoid index fragility)
DATA_URL=$(jq -r '.response.files[] | select(.name | endswith(".json.gz")) | .url' files.json)
CHECKSUM_URL=$(jq -r '.response.files[] | select(.name | endswith(".sha256")) | .url' files.json)

# Download files
curl -o iprisk.json.gz "$DATA_URL"
curl -o iprisk.json.gz.sha256 "$CHECKSUM_URL"

# Verify checksum
sha256sum -c iprisk.json.gz.sha256

# Decompress and view
gunzip iprisk.json.gz
head iprisk.json

Batch download multiple files:

# Download all files from the last 24 hours
for url in $(curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/iprisk/?limit=24' | \
  jq -r '.response.files[].url' | grep '\.json\.gz$'); do
  curl -O "$url"
done

Daily Download API

The Daily Download API provides access to IP Risk data through temporary AWS S3 file links. The feed is updated daily with risk intelligence for all IPs hosting domains.

Base URL

https://api.domaintools.com/v1/download/daily_ip_risk/

Daily Download parameters

The Daily Download API supports standard download parameters. Authentication parameters (api_username, api_key, signature, timestamp) are covered in Authentication.

limit

Type: Integer

Valid values: Positive integer

Description: Limits the number of files returned in the response, starting from the most recent. Use to control payload size or test specific cases.

Example: limit=10

Required: No

page

Type: Integer

Valid values: Non-negative integer (0, 1, 2, ...)

Description: Selects which page of results to return. Pages begin at 0 with the latest results. Use with limit and prefix to control results. The server returns an HTTP 404 (No data to download.) message when the page request exceeds the last page of results.

Example: page=3

Required: No

prefix

Type: String

Valid values: Date/time prefix matching the feed's filename format

Description: Filters results by date using the file prefix. Use with page and limit to control results. Filename prefixes vary by feed. For example, files for this feed begin with the date in YYYYMMDD format.

Example: prefix=20250624

Required: No

Daily Download response structure

The API returns a JSON response with signed URLs for downloadable files:

download_name (string): The feed identifier (daily_ip_risk)

files (array): List of downloadable file entries

Each file object contains:

  • name (string): path
  • last_modified (string): Last modified date in ISO 8601 format
  • etag (string): Entity tag (hash of the file)
  • size (integer): Size in bytes
  • url (string): Signed AWS download URL (valid for 12 hours)

Daily Download response codes

200: OK - The request was successful

400: Bad request

401: Unauthorized

403: Forbidden

404: No data to download

Daily Download file naming

The feed provides a single file. The name field returned by the API is:

daily_ip_risk/ip_fulllist.gz

This file contains all IP addresses actively hosting domains, updated daily.

File contents

The TSV file contains the following fields (tab-separated, one IP per line):

IP and infrastructure fields

| Field | Description |
| --- | --- |
| ip | IP address that has www/apex domains pointing to it |
| asn | The IP's ASN (autonomous system number, routing provider) |
| organization | Organization associated with IP range based on geo data |
| city | City based on IP geo data |
| country | Country based on IP geo data |
| latitude | Geographic coordinates |
| longitude | Geographic coordinates |

Domain activity metrics

| Field | Description |
| --- | --- |
| pdns_resolutions | Number of domains seen on the IP in the last 24 hours |
| bad_pdns_resolutions | Number of confirmed bad domains seen on the IP in the last 24 hours |
| total_domains | Total number of domains seen on this IP in the last 7 days |
| zerolist_domains | Number of zero-listed domains seen on this IP |
| zerolist_ip | Indicates if this IP is zero-listed (e.g., CDN) |

Threat intelligence metrics

| Field | Description |
| --- | --- |
| third_party_threats | Number of domains on IP confirmed with any threat on a third-party intel feed |
| all_threats_combined_count | Number of confirmed or predicted domains on third-party intel feed or threat profile |
| all_threats_combined_percent | Percentage of domains that are confirmed or predicted malicious |
| all_threats_percent | Percentage of domains including all threat types |

Combined threat predictions

| Field | Description |
| --- | --- |
| combined_phishing_percent | Percentage of domains confirmed or predicted as phishing |
| combined_malware_percent | Percentage of domains confirmed or predicted as malware |
| combined_spam_percent | Percentage of domains confirmed or predicted as spam |

Confirmed malicious threats

| Field | Description |
| --- | --- |
| malicious_phishing | Number of malicious phishing domains on third-party intel feeds |
| malicious_malware | Number of malicious malware domains on third-party intel feeds |
| malicious_spam | Number of malicious spam domains on third-party intel feeds |
| percent_phishing | Percentage of domains that are confirmed phishing |
| percent_malware | Percentage of domains that are confirmed malware |
| percent_spam | Percentage of domains that are confirmed spam |

Compromised threats

| Field | Description |
| --- | --- |
| compromised_phishing | Number of compromised phishing domains on third-party intel feeds |
| compromised_malware | Number of compromised malware domains on third-party intel feeds |
| compromised_spam | Number of compromised spam domains on third-party intel feeds |

Predicted threats

| Field | Description |
| --- | --- |
| predicted_phishing | Number of domains (with no confirmed threat) predicted as phishing |
| predicted_malware | Number of domains (with no confirmed threat) predicted as malware |
| predicted_spam | Number of domains (with no confirmed threat) predicted as spam |

Daily Download examples

List available files:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_ip_risk/'

Download the file:

# Get the file list
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_ip_risk/' > files.json

# Download the file
curl -o ip_fulllist.gz "$(jq -r '.response.files[0].url' files.json)"

# Decompress and view
gunzip ip_fulllist.gz
head ip_fulllist

Parse TSV data:

# View first 10 IPs: ip, latitude, longitude, pdns_resolutions, bad_pdns_resolutions (cols 1,6,7,8,9)
gunzip -c ip_fulllist.gz | head -10 | cut -f1,6,7,8,9