Skip to content

IP Risk

The IP Risk feed provides comprehensive risk intelligence for all IP addresses known to be hosting domains, regardless of risk level. This feed includes extensive enrichment data such as threat scores, geographic information, ASN details, and domain hosting metrics.

Overview

This feed captures all IP addresses actively hosting one or more domains, providing detailed risk assessment and enrichment data for each IP. The feed includes both confirmed threats from third-party intelligence feeds and predictive risk scores based on DomainTools machine learning models.

Use this feed when you need to:

  • Monitor IP addresses hosting domains for threat intelligence
  • Analyze hosting infrastructure risk patterns
  • Correlate IP-based threats with domain activity
  • Build IP reputation databases
  • Detect suspicious hosting patterns
  • Enrich security alerts with IP risk context
  • Track threat actor infrastructure

Inclusion criteria: IP is actively hosting one or more domains (regardless of risk level).

Format: Gzip-compressed tab-separated (TSV) text file

Size: 15-20 million IP addresses, ~200MB compressed

Requirements

You need the following to access Threat Feeds:

  • An Enterprise Account with DomainTools, accessible at https://account.domaintools.com/my-account/
  • Authentication credentials (API key for header authentication, or API username and key for HMAC or open key authentication)
  • A way to interact with a REST API delivered through AWS CloudFront

Obtain your API credentials from your group's API administrator. API administrators can manage their API keys at https://research.domaintools.com, selecting the drop-down account menu and choosing API admin.

For assistance, contact enterprisesupport@domaintools.com.

Authentication

You can authenticate to the IP Risk API using three different methods. Choose the method that best fits your security requirements and technical environment.

API key (header) authentication

Authenticate your requests by including the API key in the header of each HTTP request. The API key serves as a unique identifier and authenticates your requests.

Required header:

X-Api-Key: YOUR_API_KEY

Example:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_ip_risk/'

HMAC authentication

HMAC authentication is a secure alternative to API key-based methods. It requires signing each request with a SHA1 HMAC digest derived from your API secret, providing integrity and authenticity without exposing credentials directly in the request.

This method is recommended for systems where authentication credentials shouldn't be stored in plain text or included directly in request URLs.

DomainTools supports MD5, SHA1, and SHA256 for the hashing algorithm.

Required query parameters:

  • api_username: Your DomainTools API username
  • signature: HMAC-SHA1 signature of api_username + timestamp + uri_path
  • timestamp: Current UTC timestamp in ISO 8601 format (for example, 2025-06-01T15:30:00Z)

Constructing the HMAC signature:

signature = HMAC-SHA1(api_key, api_username + timestamp + uri_path)

URI path must include API version

The uri_path parameter must include the API version prefix. For example, use /v1/feed/nod/ not /feed/nod/.

Example Python signing function:

import hmac
import hashlib

def sign(api_username, api_key, timestamp, uri):
    params = f"{api_username}{timestamp}{uri}"
    return hmac.new(api_key.encode("utf-8"), params.encode("utf-8"), hashlib.sha1).hexdigest()

HMAC timestamp requirements

The timestamp parameter in HMAC authentication must be current (within a few minutes of the server time). The timestamps shown in these examples are static for demonstration purposes. In production, generate a fresh timestamp for each request using your system's current time in ISO 8601 UTC format (e.g., 2025-01-06T15:30:00Z).

Example:

curl 'https://api.domaintools.com/v1/download/daily_ip_risk/?api_username=YOUR_USERNAME&signature=HMAC_SIGNATURE&timestamp=2025-01-06T15:30:00Z'

Open key authentication

This is the easiest authentication scheme to implement, but also the least secure. Each request contains the full API key and API username as query parameters. We recommend using API key header authentication or HMAC authentication instead.

If you're unsure about your authentication options, contact enterprisesupport@domaintools.com.

Required query parameters:

  • api_username: Your API username
  • api_key: Your API key

Example:

curl 'https://api.domaintools.com/v1/download/daily_ip_risk/?api_username=YOUR_USERNAME&api_key=YOUR_API_KEY'

Daily Download API

The Daily Download API provides access to IP Risk data through temporary AWS S3 file links. The feed is updated daily with comprehensive risk intelligence for all IPs hosting domains.

Base URL

https://api.domaintools.com/v1/download/daily_ip_risk/

Parameters

The Daily Download API supports standard download parameters:

api_username

Type: string (required for HMAC and open key auth)

Your DomainTools API username

api_key

Type: string (required for open key auth)

Your DomainTools API key

signature

Type: string (required for HMAC auth)

HMAC signature of your request

timestamp

Type: string (required for HMAC auth)

Current timestamp for HMAC authentication in ISO 8601 format

limit

Type: integer (optional)

Limit the list of signed files. Ordering of files is always descending, so the latest files are first.

page

Type: integer (optional)

Select which page of results are returned. Pages begin at 0 with latest results.

Response structure

The API returns a JSON response with signed URLs for downloadable files:

download_name (string): The feed identifier (daily_ip_risk)

files (array): List of downloadable file entries

Each file object contains:

Field Type Description
name string File path
last_modified string Last modified date in ISO 8601 format
etag string Entity tag (hash of the file)
size integer Size in bytes
url string Signed AWS CloudFront download URL (valid for 12 hours)

Response codes

Code Status Description
200 OK The request was successful
400 Bad request Invalid request parameters
401 Unauthorized Missing or invalid authentication
403 Forbidden Insufficient permissions
404 No data to download No files available

File naming

The feed provides a single file:

ip_fulllist.gz

This file contains all IP addresses actively hosting domains, updated daily.

File contents

The TSV file contains the following fields (tab-separated, one IP per line):

IP and infrastructure fields

Field Description
ip IP address that has www/apex domains pointing to it
asn The IP's ASN (autonomous system number, routing provider)
organization Organization associated with IP range based on geo data
city City based on IP geo data
region Region based on IP geo data
country Country based on IP geo data
latitude Geographic coordinates
longitude Geographic coordinates

Domain activity metrics

Field Description
pdns_resolutions Number of domains seen on the IP in the last 24 hours
bad_pdns_resolutions Number of confirmed bad domains seen on the IP in the last 24 hours
total_domains Total number of domains seen on this IP in the last 7 days
zerolist_domains Number of zero-listed domains seen on this IP
zerolist_ip Indicates if this IP is zero-listed (e.g., CDN)

Threat intelligence metrics

Field Description
third_party_threats Number of domains on IP confirmed with any threat on a third-party intel feed
allthreats_combined_count Number of confirmed or predicted domains on third-party intel feed or threat profile
allthreats_combined_percent Percentage of domains that are confirmed or predicted malicious
all_threats_percent Percentage of domains including all threat types

Combined threat predictions

Field Description
malicious_combined_phishing_percent Percentage of domains confirmed or predicted as phishing
combined_malware_percent Percentage of domains confirmed or predicted as malware
combined_spam_percent Percentage of domains confirmed or predicted as spam

Confirmed malicious threats

Field Description
malicious_phishing Number of malicious phishing domains on third-party intel feeds
malicious_malware Number of malicious malware domains on third-party intel feeds
malicious_spam Number of malicious spam domains on third-party intel feeds
percent_phishing Percentage of domains that are confirmed phishing
percent_malware Percentage of domains that are confirmed malware
percent_spam Percentage of domains that are confirmed spam

Compromised threats

Field Description
compromised_phishing Number of compromised phishing domains on third-party intel feeds
compromised_malware Number of compromised malware domains on third-party intel feeds
compromised_spam Number of compromised spam domains on third-party intel feeds

Predicted threats

Field Description
predicted_phishing Number of domains (with no confirmed threat) predicted as phishing
predicted_malware Number of domains (with no confirmed threat) predicted as malware
predicted_spam Number of domains (with no confirmed threat) predicted as spam

Examples

List available files:

curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_ip_risk/'

Download the file:

# Get the file list
curl -H 'X-Api-Key: YOUR_API_KEY' \
  'https://api.domaintools.com/v1/download/daily_ip_risk/' > files.json

# Download the file
curl -o ip_fulllist.gz "$(jq -r '.response.files[0].url' files.json)"

# Decompress and view
gunzip ip_fulllist.gz
head ip_fulllist

Parse TSV data:

# View first 10 IPs with their threat percentages
gunzip -c ip_fulllist.gz | head -10 | cut -f1,6,7,8,9