DomainTools Technical Documentation

🔍 Search the docs…

Evaluating DomainTools?

Request a demo or contact your DomainTools representative for a guided walkthrough.

New to DomainTools?

Three steps to your first result:

1. Get your API credentials — API key from your account portal, plus the authentication scheme used by each product
2. Pick your tooling:
   • Python SDK for scripts and batch work
   • MCP Server if you're building with AI agents
   • Call the APIs directly — each product's Getting started section has curl examples
3. Try the task that matches your role — see Find by task below

---

Or browse the docs: Find by task · Find by product · Find by data

Find by task

Investigate a domain or infrastructure

Trace connections across ownership, history, and hosting.

• Iris Investigate: web investigation workspace
• DNSDB Scout: passive DNS web GUI
• DNSDB API: passive DNS queries
• Lookups APIs: WHOIS, reverse WHOIS, hosting history
• IrisQL: query language for complex Iris searches

Detect threats early

Find malicious or lookalike domains as they register or become active.

• Threat Feeds: discovery feeds (NOD, NAD, NOH) and predictive risk feeds (Domain Hotlist, IP Hotlist, and more)
• Iris Detect: lookalike and impersonation detection
• Domain Risk Score: ML-based domain classification
• RPZ feeds: DNS firewalling against malicious domains

Enrich alerts and indicators

Add domain context to alerts in your SIEM, SOAR, or custom tooling.

• Iris Enrich API: domain context for one or many domains
• Python SDK: batch enrichment from scripts
• Domain Risk Score: risk signal for prioritization
• Lookups APIs: WHOIS, RDAP, and hosting enrichment

Connect to your security stack

Push domain intelligence into your SIEM, SOAR, TIP, XDR, or LLM workflows.

• SIEM: Splunk, Elastic, IBM QRadar, Google Chronicle, Microsoft Sentinel
• SOAR: Splunk SOAR, Palo Alto Cortex XSOAR, ServiceNow, Tines
• XDR: Palo Alto Cortex XSIAM
• TIP: Anomali, ThreatQ
• Investigation: Maltego

Monitor brand and lookalike domains

Track lookalikes, impersonation, and registrations over time.

• Iris Detect: lookalike monitoring web app
• Iris Detect API: ingest detections programmatically
• Brand Monitor API: track new domains matching brand terms
• Registrant Monitor API: track registrations by WHOIS field

Automate with APIs and AI agents

Build against DomainTools data programmatically.

• Python SDK: scripts and batch jobs
• MCP Server: data access for AI agents
• Farsight SIE API: real-time DNS event streaming
• OpenAPI specifications: generate clients in any language
• SOAR Playbooks: drop-in workflows for SOAR platforms

Find by product

Iris

Investigation, enrichment, and ML-powered detection across domains and brand lookalikes.

Explore Iris »

Farsight DNSDB

Passive DNS database with 300+ billion records. API access, Scout GUI, and command-line tools for historical and real-time DNS queries.

Use DNSDB »

Threat Feeds

Predictive risk feeds, discovery feeds, and DNS firewall (RPZ) feeds.

Explore threat feeds »

Lookups and Monitors

Lookup APIs for WHOIS, RDAP, reverse IP, hosting history, and other domain attributes, plus Monitor APIs for brand, registrant, IP, and name server tracking.

Use Lookups and Monitors »

Farsight SIE

Real-time DNS streaming from Farsight sensors across the internet.

Explore Farsight SIE »

Domain Risk Score

ML-based risk classification for malware, phishing, spam, and proximity to known threats.

Explore Domain Risk Score »

Integrations

Connectors and workflows for Splunk, Sentinel, Palo Alto Cortex, and other SIEM/SOAR platforms.

View all integrations »

Developer tools

Python SDK, MCP Server for AI agents, OpenAPI specs, LLM resources, and SOAR playbooks.

Browse developer tools »

User Management

Manage users, groups, and single sign-on (SSO) across your DomainTools account.

Manage your account »

Lookups and Monitors web tools

Web-based WHOIS lookup, Hosting History, Domain Search, and related tools at research.domaintools.com.

Browse web tools »

Find by data

Registration data

WHOIS and RDAP records: registrant identity, contacts, registrar, registration and expiry dates, EPP status codes. Current record and full history going back 20+ years.

• Iris Investigate: registration panel, full history view
• Iris Enrich API: registration fields in bulk enrichment
• MCP Server: current and historical registration lookups
• Lookups APIs: current WHOIS, RDAP, and WHOIS history
• Threat Feeds: 5-Minute Domain WHOIS and Parsed Domain RDAP feeds

Passive DNS

Historical DNS resolution records — A, AAAA, NS, MX, CNAME, and more — with first-seen/last-seen timestamps, observation counts, and bailiwick. Forward and inverse lookups; flex and regex search across 300+ billion records.

• Farsight DNSDB: full passive DNS store — API and Scout GUI
• Iris Investigate: curated pDNS panel with recent resolutions
• MCP Server: forward, inverse, and flex passive DNS lookups

Domain Risk Score

ML-based 0–100 risk score with four components: Proximity (closeness to known-malicious domains), Malware Risk, Phishing Risk, and Spam Risk. Includes blocklist and zerolist status.

• Domain Risk Score API: score and component breakdown
• Iris Investigate: risk score with evidence panel
• Iris Enrich API: risk score in bulk enrichment
• MCP Server: risk scores via single, bulk, and IOC import lookups
• Threat Feeds: Domain Hotlist, Domain Risk, IP Hotlist, IP Risk feeds

Infrastructure and hosting

Current DNS records (A, NS, MX, SOA) with ASN, ISP, and country enrichment. SSL/TLS certificate data. Hosting history showing IP, nameserver, MX, and registrar changes over time. Website metadata and web tracking codes.

• Iris Investigate: infrastructure and hosting panels
• Iris Enrich API: infrastructure fields in bulk enrichment
• MCP Server: current and historical infrastructure and website data
• Hosting History API: IP, NS, MX, and registrar change history

IP intelligence

IP address geolocation (ASN, ISP, organization, country, city) and network ownership (CIDR ranges, RIR allocation). IP hosting threat profile showing the percentage of malicious domains resolving to an IP, broken down by phishing, malware, and spam categories.

• Iris Investigate: IP panels on domain results
• Lookups APIs: IP WHOIS and Reverse IP WHOIS for network ownership
• MCP Server: ASN, ISP, and country via infrastructure lookups
• Threat Feeds: IP Risk feed (~15–20M IPs daily) and IP Hotlist feed
• IP Monitor API: activity monitoring for specific IPs

Domain discovery and monitoring

Streams of newly observed and newly active domains and hostnames for early threat detection, plus newly registered domains via Domain Discovery. Monitoring by brand keyword, registrant attribute, nameserver, or IP.

• Threat Feeds: Newly Observed Domains (NOD), Newly Active Domains (NAD), Newly Observed Hostnames (NOH), Domain Discovery feeds
• Iris Detect: lookalike and impersonation monitoring
• Monitor APIs: track new domains by brand, registrant, nameserver, or IP
• RPZ feeds: DNS firewall lists in RPZ format

---

Don't see what you need? Email enterprisesupport@domaintools.com or contact your DomainTools representative. See the changelog for product updates.