How to use the DomainTools MCP Server
The DomainTools MCP Server enables Large Language Models (LLMs) to access domain threat information through the Model Context Protocol (MCP).
MCP is an open standard that allows LLM applications to securely connect to external data sources and tools. This integration brings DomainTools' comprehensive domain intelligence directly into your AI-powered workflows, enabling natural language investigation of suspicious domains, infrastructure mapping, and threat analysis.
DomainTools hosts and manages the MCP Server. You connect to it using your own MCP-compatible AI client, such as Claude Code CLI, VS Code with GitHub Copilot, Cline, or Gemini CLI.
The server provides specialized tools spanning Iris Investigate, Farsight DNSDB passive DNS, and domain history data for domain lookups, pivot searches, passive DNS analysis, and historical investigation.
Quick start
Already have an MCP-compatible client and a DomainTools API key? This quick start shows you how to connect Claude Code CLI to the DomainTools MCP Server and run your first query. Full configuration instructions are in the Get started guide.
Set your API key and add the MCP Server to Claude Code CLI:
```bash
export DOMAINTOOLS_API_KEY="your-api-key"
claude mcp add --transport http domaintools-mcp \
  https://api.domaintools.com/v1/mcp \
  --header "X-Api-Key: ${DOMAINTOOLS_API_KEY}"
```
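A more careful way to run the same registration, added here as an example (it is not DomainTools' own script): it prompts for the key with echo off instead of exporting a literal value that lands in shell history, and rejects an empty, placeholder, or whitespace-containing key before calling the quick-start `claude mcp add` command. The function names and the `register` argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: register the DomainTools MCP Server without typing the API
# key on a command line that is saved to shell history.

MCP_URL="https://api.domaintools.com/v1/mcp"  # endpoint from the quick start
MCP_NAME="domaintools-mcp"                     # server name from the quick start

# Return 0 only for a key that is safe to place in an HTTP header value:
# non-empty, not the docs placeholder, no whitespace or control characters.
# (Function name is hypothetical, chosen for this example.)
key_is_plausible() {
  local key="$1" stripped
  [ -n "$key" ] || return 1
  [ "$key" != "your-api-key" ] || return 1
  stripped=$(printf '%s' "$key" | tr -d '[:space:][:cntrl:]')
  [ "$stripped" = "$key" ]
}

# Prompt with echo disabled, validate, then run the quick-start command.
register_server() {
  local key
  IFS= read -r -s -p "DomainTools API key: " key
  printf '\n' >&2
  if ! key_is_plausible "$key"; then
    echo "refusing to register: key is empty, a placeholder, or malformed" >&2
    return 1
  fi
  claude mcp add --transport http "$MCP_NAME" "$MCP_URL" \
    --header "X-Api-Key: ${key}"
}

# Only prompt when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "register" ]; then
  register_server
fi
```

The key still becomes part of the client's saved MCP server configuration and is visible in the process arguments while `claude mcp add` runs, so treat that configuration as a credential store.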
Restart your client and test the connection by asking Claude to investigate a domain:
What you get with the MCP Server
The MCP Server exposes tools from three DomainTools platforms:
Iris Investigate
Iris Investigate is DomainTools' deep analysis platform for mapping adversary infrastructure. It provides domain intelligence from DNS, passive DNS, domain registration data (WHOIS/RDAP), TLS certificates, website content, screenshots, and predictive risk scoring. The MCP Server exposes 7 Iris tools for domain lookups, pivot searches, and infrastructure analysis.
DNSDB
Farsight DNSDB is a passive DNS database containing historical and real-time DNS records observed across global sensor networks. The MCP Server exposes 4 DNSDB tools for forward lookups, inverse lookups, and pattern-based searches across billions of DNS records.
Domain History
Domain History APIs provide timestamped change records for domain registration, infrastructure, and website data. The MCP Server exposes 4 history tools for tracking how domains evolve over time, including deep WHOIS history for records predating 2022.
MCP-optimized responses
MCP tool responses are optimized for LLM consumption. They return a relevant subset of each product's data with empty fields removed and structures flattened to reduce token usage. For the complete dataset, use the REST APIs directly.
Key use cases
Security analysts and threat researchers can use the MCP Server to:
- Investigate suspicious domains with comprehensive threat intelligence
- Discover related infrastructure through pivot searches
- Query historical and real-time passive DNS records
- Track domain registration, infrastructure, and website changes over time
- Assess domain risk at scale with bulk lookups