Real-Time Threat Intelligence Feeds (Technology Preview)¶

Introduction¶

Real-Time Threat Intelligence Feeds provide data on the different stages of the domain lifecycle: from first-observed in the wild, to newly re-activated after a period of quiet. Access current feed data in real-time or retrieve historical feed data through separate APIs. Some feeds also offer data for DNS firewalls in Response Policy Zone (RPZ) format.

Summary of Common Features¶

Stable, static URL endpoint: fetch the latest feed data with the same query parameters
Configurable polling frequency: fetch as often as you like, up to every 60 seconds
5-day data retention time for Feed API: current feed data is easily accessible
Access historical data via Download API: never lose out on data missed accidentally
Session management: Pick up where you left off, without missing or duplicating events
Domain pattern filtering: Use the domain query parameter to filter a feed based on domain name patterns that are important to you, without extra downstream data processing

Summary of Available Feeds¶

More feeds are being made available; inquire with enterprisesupport@domaintools.com to learn more.

Newly Active Domains (NAD): Apex-level domains (e.g. example.com but not www.example.com) that we observe based on the latest lifecycle of the domain. A domain may be seen either for the first time ever, or again after at least 10 days of inactivity (no observed resolutions in DNS). Populated with our global passive DNS (pDNS) sensor network. api.domaintools.com/v1/{feed,download}/nad
Newly Observed Domains (NOD): Apex-level domains (e.g. example.com but not www.example.com) that we observe for the first time, and have not observed previously with our global DNS sensor network. api.domaintools.com/v1/{feed,download}/nod
Newly Observed Hostnames (NOH): Hostname resolutions that we observe for the first time with our global DNS sensor network. api.domaintools.com/v1/{feed,download}/noh
Domain Discovery: New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties. api.domaintools.com/v1/{feed,download}/domaindiscovery
Parsed Domain RDAP Feed: Changes to global domain registration information, populated by the Registration Data Access Protocol (RDAP). Compliments the 5-Minute WHOIS Feed as registries and registrars switch from Whois to RDAP. api.domaintools.com/v1/{feed,download}/domainrdap

Summary of Access Methods¶

Real-time Feed API: Returns results based on absolute or relative times. Consult the Feed API Quick Start, authentication, and Feed API sections.
Download API: Our download API returns archives of past results as signed, temporary AWS S3 file links. Consult the Download API Quick Start, authentication, and Download API sections.
Response Policy Zone (RPZ): Feed contents delivered as real-time Response Policy Zones that populate DNS firewalls. Consult the Response Policy Zone section, below. The following feeds are currently available by RPZ: Newly Active Domains, Newly Observed Domains.

Getting Started¶

Authentication Quick Start¶

Authenticate with either API Header or API Key and Secret methods. Here is an example of API header authentication using curl, a sessionID called mySIEM, and a lookback (after) time of 600 seconds:

curl -H 'X-Api-Key: MY_API_KEY' 'https://api.domaintools.com/v1/feed/nod/?sessionID=mySIEM&after=-600'

To authenticate with the API Key and Secret method, provide your api_username and api_key query string parameters. Here is a curl example, with the same sessionID (mySIEM) and 600 second lookback (after) time:

curl 'https://api.domaintools.com/v1/feed/nod/?api_key=MY_API_KEY&api_username=MY_API_USERNAME&sessionID=mySIEM&after=-600'

Feed API Quick Start¶

The Feed API standard access pattern is to periodically request the most recent feed data, as often as every 60 seconds. Specify the range of data you receive in one of two ways:

With sessionID: Make a call and provide a new sessionID parameter of your choosing. The API will return the last hour of data by default.
- Each subsequent call to the API using your sessionID will return all data since the last.
- Any single request returns a maximum of 10M results. Requests that exceed 10M results will return a HTTP 206 response code; repeat the same request (with the same sessionID) to receive the next tranche of data until receiving a HTTP 200 response code.
- This session ID can be deleted to clear the saved offset by using an HTTP DELETE call.
Or, specify the time range in one of two ways:
- Either an after=-60 query parameter, where (in this example) -60 indicates the previous 60 seconds.
- Or after and before query parameters for a time range, with each parameter accepting an ISO-8601 UTC formatted timestamp (a UTC date and time of the format YYYY-MM-DDThh:mm:ssZ)

Optional details:

The default response format is JSON-lines (JSONL)
- Optionally enable CSV format response option by setting a header Accept: text/csv, and optionally adding &headers=1 to the query parameters to include column headers as the first line in the response.
Optionally limit the response payload for testing by adding a top=N query parameter, where N is the number of results to return.
Optionally add server-side domain filtering using the domain query parameter to return a specific domain or domains where a specific substring is present.
- Exact match example: domain=example.com
- Partial match example: domain=*example*
- Sometimes, the asterisk will need to be urlencoded to %2A depending on the method used to query. In a curl command, you can use an asterisk (*) as long as you single-quote the URL.

Here is an example curl command to retrieve the NOD list with a custom sessionID:

curl 'https://api.domaintools.com/v1/feed/nod/?api_key=MY_API_KEY&api_username=MY_API_USERNAME&sessionID=mySIEM'

Download API Quick Start¶

The Download API returns short-lived, signed URLs for two files containing historical feed data that change each hour, where {feed_short_name} is one of: nod, nad, noh, domaindiscovery, domainrdap:

A data file: {feed_short_name}/{YYYY-MM-DD}/{feed_short_name}-{YYYYMMDD}.{starthour:HH00}-{endhour:HH00}.json.gz
A checksum file: {feed_short_name}/{YYYY-MM-DD}/{feed_short_name}-{YYYYMMDD}.{starthour:HH00}-{endhour:HH00}.json.gz.sha256

Here is an example curl command to retrieve the list of NOD files available to download:

curl 'https://api.domaintools.com/v1/download/nod?api_key=MY_API_KEY&api_username=MY_API_USERNAME'

Requirements¶

You will require a license to one or more DomainTools feeds, and API credentials. Your required API credentials will vary with your authentication method, detailed below.

Obtain your API credentials from your group’s API administrator. API administrators can manage their API keys at research.domaintools.com, selecting the drop-down account menu and choosing API admin.

Authentication¶

Authentication is available via HTTP header, or API key and secret. If you need to obtain your API key or are unsure about your authentication options, please contact enterprisesupport@domaintools.com.

API Key (Header) Authentication¶

Authenticate your requests by including the API key in the header of each HTTP request. The API key serves as a unique identifier and is used to authenticate your requests.

Required API Key Authentication Parameters¶

Required Parameters	Value
`X-Api-Key`	MY_API_KEY

Example Request with API Key Authentication¶

curl -H 'X-Api-Key: MY_API_KEY' 'https://api.domaintools.com/v1/feed/nod/?after=-60

API Key and Secret Authentication¶

This is the easiest and most insecure authentication scheme to implement: each request contains the full API key and API secret. DomainTools typically recommends using API Header authentication instead. If you are unsure about your authentication options, please contact enterprisesupport@domaintools.com.

Required Parameters for API Key and Secret¶

Required Parameters	Value
`api_username`	YOUR_API_USERNAME
`api_key`	YOUR_API_KEY

Example Request with API Key and Secret¶

https://api.domaintools.com/v1/feed/nod/?after=-60&api_username=example&api_key=xxxxxx

Response Policy Zone (RPZ) Authentication¶

RPZ authentication is detailed in the Response Policy Zone section, below.

Feed API¶

Feed API Base URL¶

api.domaintools.com/v1/feed/

Feed API Endpoints¶

Feed	API Feed Endpoint
Newly Active Domains	`nad`
Newly Observed Domains	`nod`
Newly Observed Hostnames	`noh`
Domain RDAP	`domainrdap`
Domain Discovery	`domaindiscovery`

Feed API Response Codes¶

Code	Description
`200`	OK: The request was successful.
`206`	Partial content: The request was successful, but only a portion of the data was returned.

If an API call returns a HTTP 206 response, continue submitting the same request (with the same sessionID) until the API returns a HTTP 200, signalling that all the data for the request has been delivered.

Feed API Error Handling¶

Code	Error Description
`400`	Malformed request
`401`	Unauthorized
`404`	`sessionID` does not exist
`422`	Invalid header query parameter

Feed API Header Options¶

Key	Value	Description
`Accept`	`application/x-ndjson`	Get results in JSON Lines format.
`Accept`	`text/csv`	Get results in CSV format. Not available with the Download API, or in the `domainrdap` Feed API endpoint. Optionally adding `&headers=1` to the query parameters will include column headers as the first line in the response.

Feed API Common GET Request Parameters¶

Name	Type	Valid Values	Description	Example	Required
`after`	integer	Negative integer, range 60-432,000	The start of the query window in seconds, relative to the current time, inclusive.	`after=-60`	Required if `before` or `sessionID` not provided.
`after`	string	ISO 8601 datetime string in UTC form	The start of the query window, inclusive.	`after=2024-10-16T10:20:00Z`	Required if `before` or `sessionID` not provided.
`before`	integer	-60 to -432,000	The end of the query window in seconds, relative to the current time, inclusive.	`before=-120`	Required if `after` or `sessionID` not provided.
`before`	string	ISO 8601 datetime string in UTC form	The end of the query window.	`before=2024-10-16T10:20:00Z`	Required if `after` or `sessionID` not provided.
`domain`	string	Domain character set restricted by the DNS specification (Letters, Digits, Hyphens). International characters should be specified in punycode. A trailing dot is acceptable. Multiple `domain` filters are accepted in a request.	Filter for an exact domain or a domain substring by prefixing or suffixing your string with ``. Multiple parameters are supported. The URL-encoded version of `` (`%2A`) may be required.	`domain=apple&domain=microsoft`	No
`fromBeginning`	boolean	`true`, `false`	Functions with new Session IDs to return the first hour (rather than the last). Returns an error if Session ID already exists.	`fromBeginning=true`	No
`headers`	boolean	`0`, `1`	Adds a header to the first line of response when `text/csv` is set in header parameters.	`headers=1`	No
`sessionID`	string	1-64 alphanumeric characters (`[a-zA-Z0-9-]+`).	A string that serves as a unique identifier for the session, used for resuming data retrieval from the last point.	`sessionID=mySIEM`	Required to continue where you left off.
`top`	integer	Positive integer, 1-1,000,000,000.	Limits the number of results in the response payload. Primarily for testing.	`top=10`	No

Feed API Common DELETE Request Parameters¶

Name	Type	Valid Values	Description	Examples	Required
`sessionID`	string	1-64 alphanumeric characters (`[a-zA-Z0-9-]+`).	A string that serves as a unique identifier for the session, used for resuming data retrieval from the last point.	`sessionID=mySIEM`	No

Feed API Query Examples¶

Use curl and header authentication to retrieve the last 60 seconds of Newly Observed Domains:

curl -H 'X-Api-Key: MY_API_KEY' 'https://api.domaintools.com/v1/feed/nod/?after=-60'

Use curl and header authentication to retrieve the last 4 hours of Newly Observed Domains that contain the keyword bank:

curl -H 'X-Api-Key: MY_API_KEY' 'https://api.domaintools.com/v1/feed/nod/?after=-14400&domain=*bank*'

Feed API Response Structure and Example¶

Feed API: NAD, NOD, NOH, Domain Discovery¶

Responses are returned in JSON-lines (JSONL), with each response containing one domain entry per line. Each entry contains a timestamp in ISO 8601 UTC form, and the domain.

{"timestamp":"2024-11-15T16:14:39Z","domain":"dzqpql.bid"}
{"timestamp":"2024-11-15T16:14:38Z","domain":"atahavre.nl"}
{"timestamp":"2024-11-15T16:14:36Z","domain":"windlustweg8a.nl"}
{"timestamp":"2024-11-15T16:14:35Z","domain":"linked2sun.de"}
{"timestamp":"2024-11-15T16:14:35Z","domain":"wzsolutionscanada.com"}
{"timestamp":"2024-11-15T16:14:34Z","domain":"pokerdom-zks42.buzz"}
{"timestamp":"2024-11-15T16:14:34Z","domain":"antalyakongre.com.tr"}
{"timestamp":"2024-11-15T16:14:34Z","domain":"bioklass.com"}
{"timestamp":"2024-11-15T16:14:34Z","domain":"yourlifebenefitsplus.com"}
{"timestamp":"2024-11-15T16:14:33Z","domain":"zutthj.info"}

Note that the NOH feed contains full hostnames.

Domain RDAP¶

Responses are returned in JSON-lines (JSONL), with each response containing one domain entry per line.

Domain RDAP records for a given domain may be provided by a domain registry, registrar, or both. Domain registries maintain authoritative information about one or more top-level domains (e.g., .com), while domain registrars manage apex domains (e.g., domaintools.com). When domain information is present from both the registry and registrar, this API presents a record containing both sets of results, as well the original raw JSON record, from both the registry and registrar.

Each response begins with either the raw registrar record, the raw registry record, or when useful information is present in both records, the response will contain both the registrar and registry record.

The parsed record then follows the raw record.

In the following example using domaintools.com, both a registry and registrar record are present (note source_type). The raw records, as well as the content of the parsed record, are removed for brevity:

{
    "timestamp": "2024-11-15T00:00:19Z",
    "domain": "domaintools.com",
    "raw_record": {
        "first_request_timestamp": "2024-11-15T00:00:14Z",
        "requests": [
            {
                "data": "RAW REGISTRY RECORD",
                "source_type": "registry",
                "timestamp": "2024-11-15T00:00:14Z",
                "url": "https://rdap.verisign.com/com/v1/domain/domaintools.com"
            },
            {
                "data": "RAW REGISTRAR RECORD",
                "source_type": "registrar",
                "timestamp": "2024-11-15T00:00:16Z",
                "url": "https://enom.rdap.tucows.com/domain/DOMAINTOOLS.COM"
            }
        ]
    },
    "parsed_record": {
        "parsed_fields": {PARSED FIELDS},
        "registrar_request_url": "https://enom.rdap.tucows.com/domain/DOMAINTOOLS.COM",
        "registry_request_url": "https://rdap.verisign.com/com/v1/domain/domaintools.com"
    }
}

Download API¶

The download API returns 90 days of historical results in the form of hourly signed, temporary AWS S3 files. The API requires a 2-step process, the first of which lists the files available for download, and the second is to then retrieve the desired file from the signed URL. The hourly files are gzip-compressed and must be decompressed before parsing into JSON format.

Download API Base URL¶

api.domaintools.com/v1/download/

Download API Endpoints¶

Feed	API Download Route
Newly Active Domains	`nad`
Newly Observed Domains	`nod`
Newly Observed Hostnames	`noh`
Domain RDAP	`domainrdap`
Domain Discovery	`domaindiscovery`

E.g., api.domaintools.com/v1/download/nad

Download API Query Examples¶

Get the latest signed download URL from Newly Observed Domains using curl:

curl "https://api.domaintools.com/v1/download/nod?api_key=MY_API_KEY&api_username=MY_API_USERNAME"

Download API Common Response Parameters¶

Name	Type	Description
`download_name`	string	Name of the feed.
`etag`	string	Entity tag (a hash of the object).
`last_modified`	string	Last modified date of the file in ISO 8601 format.
`size`	integer	Size in kilobytes (KB)
`url`	string	Signed AWS CloudFront download URL; consult note below.

The Download API returns short-lived, signed URLs for two files containing historical feed data that change each hour, where {feed_short_name} is one of: nod, nad, noh, domainrdap, domaindiscovery:

A data file: {feed_short_name}/{YYYY-MM-DD}/{feed_short_name}-{YYYYMMDD}.{starthour:HH00}-{endhour:HH00}.json.gz
A checksum file: {feed_short_name}/{YYYY-MM-DD}/{feed_short_name}-{YYYYMMDD}.{starthour:HH00}-{endhour:HH00}.json.gz.sha256

Download API Response Structure and Example¶

Download API: NAD, NOD, NOH, Domain Discovery¶

API Response¶

Note that returned file URLs are in pairs: a data file (ending in .json.gz) and a checksum file (ending in .json.gz.sha256).

{
    "response": {
        "download_name": "nod",
        "files": [
            {
                "name": "nod\/2024-11-19\/nod-20241119.1900-2000.json.gz.sha256",
                "last_modified": "2024-11-19T20:00:11+00:00",
                "etag": "\"67a6d9b0973b2d31ffb779dc8f7f8cfa\"",
                "size": "64",
                "url": "https:\/\/d2mzrdiuqyylox.cloudfront.net\/nod\/2024-11-19\/nod-20241119.1900-2000.json.gz.sha256?Expires=1732091785&Signature=DTCwCj0bT5fHtjdEJ8-Ork0d7BInzOqaH7w6ptfHjPcj95KvsHer-b8pz0IwVsaRAEKwjcq7j~LENRksj1voen-0C3~FAFjltcS9~5FsFVYABa-ulY7YBWNHI-65XcJHyCSqRsPPiUHM7uT-QC9ymIje40DGhiGze~mEqE-64f0JtSurpGoFo2xncMxh7FmQ6w~Du8M3oJkbHQB2J8muRKeEVg3KLcjgpk51Cxh2DwLrfbfLtMkq1GqZlHaWRPNpqBN5asMeGlD0YBTqW2mynA4qplgYbXk8iNF3IePjXU3Uuk-F7~1IAp~rKJCYGBNppDeA3wC~-u7Pd1rMwFBjNg__&Key-Pair-Id=KJPH4C4RWZJ32"
            },
            {
                "name": "nod\/2024-11-19\/nod-20241119.1900-2000.json.gz",
                "last_modified": "2024-11-19T20:00:11+00:00",
                "etag": "\"076e68039e8851422257050ca309fcf6\"",
                "size": "119026",
                "url": "https:\/\/d2mzrdiuqyylox.cloudfront.net\/nod\/2024-11-19\/nod-20241119.1900-2000.json.gz?Expires=1732091785&Signature=O-5sRnlbsdolxTYvQF45BT4lbGYSIPTXgC9EwPOt2XrZzfje~v9ssvWPMbGajka-ImL-Uk7E8z2Kn9j3G2tse19q7F870TqjEzCy1cmgvbHUrdwnkDnGDKhg80xgZwZ0zjKpTDVDk5VbYFOPhjdH8DzuHCRZsueduHc0blRj~gteIYZAdPeiZUArsIzk6Y~NllcciCNPEOz-W3ME1nlpoNjmKYeQw9UUtahWbgl7KcGkUcEUP3o0nSpfn5JmI-SgZ52SXLjSkEtofTwTcK81uZAG3i67NN6S51huzYLfZHQBJlk2GZdnR1je5zh1oIhifDrjcb1DwsQiexGE3jS6Jg__&Key-Pair-Id=KJPH4C4RWZJ32"
            }
        ]
    }
}

File Contents¶

The *.json.gz.sha256 file is a checksum containing a SHA-256 hash value used to verify the integrity of the downloaded file.

The *.json.gz file, uncompressed to a jsonl file containing the same information as the Feed API.

Download API: Domain RDAP¶

API Response¶

Note that returned file URLs are in pairs: a data file (ending in .json.gz) and a checksum file (ending in .json.gz.sha256).

{
    "response": {
        "download_name": "domainrdap",
        "files": [
            {
                "name": "domainrdap/2024-11-15/domainrdap-20241115.1000-1100.json.gz.sha256",
                "last_modified": "2024-11-15T11:01:19+00:00",
                "etag": "\"3569297fc0b1421202c59534ad696219\"",
                "size": "64",
                "url": "https://d2mzrdiuqyylox.cloudfront.net/domainrdap/2024-11-15/domainrdap-20241115.1000-1100.json.gz.sha256?Expires=1731713569&Signature=PtLl0~vIeraum4J9TbGtoV9W0bJdqLSdv-kSjdUiqQd7NNbJEnm9ITN-BSr7v4PNTt0T~DQHKqzJZ4RQKhhLemxMBPxTaGfbyad6eiytIMqBhv0et6IBSnMs87Yt8w2wChcIdGIWtCH-7Bm6kJ9UhuQdby9EiAkbSnpxqqFfZd3voxSuaHsyo11H2DXi6jlCthzrPfHjS77WpIGgMuNduepOO4Pu50iN90in0fJnIJcDBSWL0jE8hG1FveGW4ClVkdJiOJdcw5kVFLZPBKqthI3EtK2mf4RuipF0BEYsgjgH~LJF1mBVE9xcBsaf7S7j~nAw6ZfAhZDzS-sHpEl~Yg__&Key-Pair-Id=KJPH4C4RWZJ32"
            },
            {
                "name": "domainrdap/2024-11-15/domainrdap-20241115.1000-1100.json.gz",
                "last_modified": "2024-11-15T11:01:17+00:00",
                "etag": "\"3954755f648bbd5e81cd67f54dca539b-31\"",
                "size": "160905434",
                "url": "https://d2mzrdiuqyylox.cloudfront.net/domainrdap/2024-11-15/domainrdap-20241115.1000-1100.json.gz?Expires=1731713569&Signature=H0jUZA~TsYlQggspUDiL0mchnvboZppSb4cJp5~nAjTX6FddzxcH4VMqSrOkHGJwR-VMdTRB3f8YjmzHDVy6OZ0yi-q5NyLQLfJq0v45V0-JfoQ-z8d3DC0rcUHNH2yDnuZYOGxPr-uCUbYtN1~yDSPmA7H49rHszx4Wp1DGKtMYqdTGbpk-B~Fwcj9BU92oVan2uUnCOiotuGI0wHE7bmHdsaZh9F3R~tdOoNLPRp1LocrrNfSbPmkqG71mFa8Q9PNeH3IuoH77CbUeL-ePgKDhYmcNd4eW3ImFt8nws3IcRcwVey1~Dg15zfyteULl6mOCHXHIf1IP~1iCqyfh4w__&Key-Pair-Id=KJPH4C4RWZJ32"
            }
        ]
    }
}

File Contents¶

The *.json.gz.sha256 file is a checksum containing a SHA-256 hash value used to verify the integrity of the downloaded file.

The *.json.gz file uncompressed to a JSON-L file containing the same information as the Feed API.

Response Policy Zone (RPZ)¶

RPZ delivery is available for Newly Active Domains (NAD) and Newly Observed Domains (NOD).

Hotlists are delivered over DNS Zone Transfer from DomainTools RPZ providers using AXFR, IXFR, and DNS Notify.

The DNS resolver using our RPZ feed will respond with an NXDOMAIN (“no such domain”) status code for queries for matching domains in the Threat Intelligence Feed.

RPZ Access Configuration¶

RPZ Zone Names¶

Zone name labels are constructed (left to right) from a time period, followed by a list name, followed by .rpz.domaintools.com:

[interval].[list].rpz.domaintools.com

Available time intervals: 10m, 30m, 1h, 3h, 12h.

Available feeds: NAD, NOD.

For example, the 1 hour NOD list:

1h.nod.rpz.domaintools.com

RPZ Provider Allowlist¶

Before attempting to connect to our RPZ provider, please be sure to provide two sets of IP addresses to DomainTools at enterprisesupport@domaintools.com:

The IP address(es) from which you will connect to the RPZ provider server;
The IP address(es) to which you would like DNS Notify messages to be sent.

These two sets of addresses are typically the same.

You will also need to add rules to your firewall’s access control list(s) for DomainTools hosts to send UDP packets to port 53 of your DNS server, so that it can receive the DNS NOTIFY packets for updates.

RPZ Provider Server Addresses¶

Primary Server: IPv4: 104.244.14.88

Fallback Server: IPv4: 104.244.14.89

RPZ TSIG Information¶

TSIG key: Provided by enterprisesupport@domaintools.com
TSIG key algorithm: hmac-sha512
TSIG key name: Provided by enterprisesupport@domaintools.com

Recommendation: Local RPZ Allowlist Zone¶

We recommend that customers maintain an allowlist zone for instances when a customer has more, specific information about a domain than DomainTools. Contact enterprisesupport@domaintools.com until this recommendation is fully documented in Q1 2025.

RPZ Response Format¶

Each hotlist is formatted in accordance with the draft specification for DNS Response Policy Zones. All domain entries are listed with NXDOMAIN outcomes by default (CNAME .). Each domain entry contains both apex and wildcard *. entries (i.e., two records per domain).

For example:

$ORIGIN RPZ.EXAMPLE.ORG.
example.com                 CNAME   .
*.example.com               CNAME   .

RPZ Troubleshooting¶

The DNS resolver using our RPZ feed will respond with an NXDOMAIN (“no such domain”) status code for queries for matching domains in the RPZ feed. The NXDOMAIN response will include an SOA record in the ADDITIONAL section of the DNS response (and no ANSWER). This SOA record may be used to troubleshoot the RPZ feed. In addition, see your RPZ related debugging logs for your DNS resolver.

This SOA will identify that it came from the RPZ. For example, the following label tells you what RPZ feed was used and the SOA RNAME indicates the primary DNS server (rpz-ns1.domaintools.com) that hosts this RPZ zone:

;; ADDITIONAL SECTION:
3h.nod.rpz.domaintools.com. 86400 IN SOA rpz-ns1.domaintools.com. noc.domaintools.com. 36625313 600 300 86400 86400

Our RPZ Threat Intelligence Feeds also have a testing domain entry and its corresponding wildcard which may be used to verify the RPZ feed is loaded and working. You may do a DNS lookup, like with dig, for test.rpz.domaintools.test and it should respond with the NXDOMAIN and the ADDITIONAL section SOA record indicating its originating RPZ feed. If the ADDITIONAL section SOA record response does not have the domainhostlist feed name, then it did not come from the RPZ.

Python Wrapper Methods¶

Instructions for using the Python Wrapper with Real-time Threat Intelligence Feeds are under construction. In the meantime, please consult our GitHub documentation at https://github.com/DomainTools/python_api. Temporarily, please note that calls should include always_sign_api_key=False to disable HMAC.