DomainTools helps security analysts turn threat data into threat intelligence. It takes indicators from your network, including domains and IP addresses, and connects them with nearly every active domain on the internet. These connections perform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to the attacker’s infrastructure.
The goal is to proactively stop security threats from disrupting your organization using: domain/DNS data, predictive analysis, and monitoring of trends on the internet. DomainTools collects Open Source Intelligence (OSINT) data from many sources, along with historical records, and stores it in a central database. It then indexes and analyzes the OSINT data based on various connection algorithms to deliver actionable intelligence, including domain scoring and forensic mapping.
DomainTools has over 10 billion related DNS data points to build a map of ‘who’s doing what’ on the internet. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in threat investigation and mitigation.
Outbound access required to resolve DomainTools API
| Protocol | Source IP | Source Port | Direction | Destination Domain | Destination Port |
|---|---|---|---|---|---|
| TCP | DS,CR,A10 | Any | Egress | github.com | 443 |
| TCP | DS,CR,A10 | Any | Egress | domaintools.com | 443 |
Details of the functions that can be used with the DomainTools lookup plugin are given in this section.
The $DTResponseCode field contains the response code of a request (function call). This field is common to all the functions. Possible values of this field and their descriptions are as given below
| Response Codes | Description |
|---|---|
| 0 | Domain is invalid |
| 206 | Unable to parse the WHOIS record |
| 400 | Incorrect syntax |
| 404 | WHOIS information not available for this domain/IP address |
| 500 |
|
| 503 | Service level limit exceeded |
In all the functions explained below, the examples use an event store named threatsample.
This event store does not exist in DNIF by default. However, it can be created/imported.
This function returns basic (summarized) data about products like registrant, server, registration etc. for a domain name.
- Domain name
_fetch $Domain from threatsample limit 1
>>_lookup domaintools get_domain_profile $Domain
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data):
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTHistoricIPAddressEvents | Count of events for IP addresses, recorded by DOMAINTOOLS for the queried domain |
| $DTHistoricIPAddressProductURL | Permalink for more information on the events of the IP addresses for the queried domain |
| $DTHistoricIPAddressTimespaninyears | Number of years since DOMAINTOOLS has this information in its database |
| $DTHistoricNameserverEvents | Count of nameserver events recorded by DOMAINTOOLS for the queried domain |
| $DTHistoricNameserverProductURL | Permalink for more information on the events of the nameserver for the queried domain |
| $DTHistoricNameserverTimespaninyears | Number of years since DOMAINTOOLS has this information in its database |
| $DTHistoricRegistrarEvents | Count of events of the registrar recorded by DOMAINTOOLS for the queried domain |
| $DTHistoricRegistrarProductURL | Permalink for more information on the events of the registrar for the queried domain |
| $DTHistoricWhoisEarliestevent | Date of the first WHOIS record for the queried domain |
| $DTHistoricWhoisProductURL | Permalink for more information on the WHOIS history for the queried domain |
| $DTHistoricWhoisRecords | Count of WHOIS records present for the queried domain |
| $DTRegistrantDomains | Count of domains the registrant has |
| $DTRegistrantName | Name of the registrant for the domain |
| $DTRegistrantProductURL | Permalink for more information on the registrant for the queried domain |
| $DTRegistrationCreated | Domain registration date |
| $DTRegistrationExpires | Domain registration expiry date |
| $DTRegistrationUpdated | Domain registration updation date |
| $DTSeoProductURL | Permalink for SEO details of the queried domain |
| $DTSeoScore | SEO score of the website |
| $DTServerIpaddress | IP address of the server on which other domains are hosted |
| $DTServerOtherdomains | Count of other domains hosted on the server |
| $DTServerProductURL | Permalink for more information on the server |
| $DTWebsitedataProductURL | Permalink to the website of the product (DomainTools), which can be accessed for more information. |
| $DTWebsitedataResponsecode | Response code of the website, when accessed |
| $DTWebsitedataServer | Server type |
| $DTWebsitedataTitle | Title of the website |
This function returns the WHOIS record. It includes the most recent details of the ownership record of a domain name or IP address including its basic registration details.
- Domain name or (valid) IP address
_fetch $Domain from threatsample where $Domain=www.malware.com limit 1
>>_lookup domaintools get_whois $Domain
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTNameServers | List of nameservers |
| $DTRegistrant | Registrant details for the domain |
| $DTRegistrationCreated | Domain registration date |
| $DTRegistrationExpires | Domain registration expiry date |
| $DTRegistrationRegistrar | Details of the registrar for the domain |
| $DTRegistrationStatuses | List of registration statuses for the domain |
| $DTRegistrationUpdated | Domain registration updation date |
| $DTWHOISDate | Date when the WHOIS record was last updated |
| $DTWHOISRecord | Raw WHOIS record received from DOMAINTOOLS |
This function returns a list of domain names that share the same internet host (IP address) as the one specified in the query.
- IP address
_fetch $SrcIP from threatsample limit 1
>>_lookup domaintools get_reverse_ip $SrcIP
The output of the query is as shown below
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTDomainCount | Count of domain names that share the same internet host (same IP address) |
| $DTDomainNames | List of domain names that share the same internet host |
| $DTIP | IP address being queried |
This function returns the reverse IP addresses for a specified domain name. When a domain name resolves to multiple IP addresses, the response has multiple nodes. Each node contains an IP address, a domain count and a domain names node.
Domain name
_fetch $Domain from threatsample limit 1
>>_lookup domaintools get_reverse_domain $Domain
The output of the query is as shown below:
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTDomainCount | Count of domain names that share the same internet host |
| $DTDomainNames | List of domain names that share the same internet host |
| $DTIP | IP address that hosts these domains |
This function returns a list of domain names that share the same primary or secondary nameserver. Reverse nameserver (NS) lets you see all the domain names currently pointed to any nameserver.
- Domain name.
_fetch $Domain from threatsample limit 1
>>_lookup domaintools get_reverse_nameserver $Domain
Click here to view the output of the above example.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTNameServerHostname | The nameserver host name |
| $DTNameServerPrimary | Count of domain names pointing to the same nameserver as the primary |
| $DTNameServerSecondary | Count of domain names pointing to the same nameserver as the secondary |
| $DTNameServerTotal | Count of all domain names pointing to the same nameservers as the primary or secondary |
| $DTPrimaryDomains | List of domain names pointing to the same nameservers as the primary |
| $DTSecondaryDomains | List of domain names pointing to the same nameservers as the secondary |
This function returns a list of domain names that have your search terms listed in the WHOIS record.
- Terms that describe a domain owner, like an email address or a company name
_fetch $Email from threatsample limit 1
>>_lookup domaintools get_reverse_whois $Email
Click here to view the output of the above query.
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTDomaincountCurrent | Count of current domains that have your search terms listed in the WHOIS record |
| $DTDomaincountHistoric | Count of historic domains that have your search terms listed in the WHOIS record |
| $DTDomains | List of domain names that have your search terms listed in the WHOIS record |
| $DTReportpriceCurrent | Lists the retail price of the query if you have per-domain pricing access for current domains |
| $DTReportpriceHistoric | Lists the retail price of the query if you have per-domain pricing access for historic domains |
This function returns parsed information extracted from the most recent raw WHOIS record.
- Domain name or IP address
_fetch $Domain from threatsample limit 1
>>_lookup domaintools get_parsed_whois $Domain
Click here to view the output of the above query.
The output of the lookup call has the following structure (for the available data) , which is variable based on the queried domain present in the WHOIS record
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTCreatedDate | Date when the domain was originally registered |
| $DTUpdatedDate | Date when the domain was last updated |
| $DTExpiredDate | Date when the domain has to be renewed or will expire |
| $DTAdminCity | City of the admin contact present in the WHOIS record |
| $DTAdminCountry | Country of the admin contact present in the WHOIS record |
| $DTAdminEmail | Email of the admin contact present in the WHOIS record |
| $DTAdminName | Name of the admin contact present in the WHOIS record |
| $DTAdminOrg | Organization of the admin contact present in the WHOIS record |
| $DTAdminPhone | Phone number of the admin contact present in the WHOIS record |
| $DTAdminPostal | Postal code of the admin contact present in the WHOIS record |
| $DTAdminState | State of the admin contact present in the WHOIS record |
| $DTAdminStreet | Street of the admin contact present in the WHOIS record |
| $DTDomain | Name of the domain present in the WHOIS record |
| $DTNameServers | Nameserver of the domain present in the WHOIS record |
| $DTRegistrantCity | City of the registrant contact present in the WHOIS record |
| $DTRegistrantCountry | Country of the registrant contact present in the WHOIS record |
| $DTRegistrantEmail | Email of the registrant contact present in the WHOIS record |
| $DTRegistrantName | Name of the registrant contact present in the WHOIS record |
| $DTRegistrantOrg | Organization of the registrant contact present in the WHOIS record |
| $DTRegistrantPhone | Phone number of the registrant contact present in the WHOIS record |
| $DTRegistrantPostal | Postal code of the registrant contact present in the WHOIS record |
| $DTRegistrantState | State of the registrant contact present in the WHOIS record |
| $DTRegistrantStreet | Street of the registrant contact present in the WHOIS record |
| $DTRegistrarAbusecontactemail | Email-id of the registrar, to report abuse |
| $DTRegistrarAbusecontactphone | Phone number of the registrar, to report abuse |
| $DTRegistrarIanaid | IANA ID of the registrar |
| $DTRegistrarName | Name of the registrar |
| $DTRegistrarUrl | URL of the registrar |
| $DTRegistrarWhoisserver | Registrar WHOIS server |
| $DTStatuses | List of statuses for the queried domain |
| $DTTechCity | City of the technical contact present in the WHOIS record |
| $DTTechCountry | Country of the technical contact present in the WHOIS record |
| $DTTechEmail | Email of the technical contact present in the WHOIS record |
| $DTTechName | Name of the technical contact present in the WHOIS record |
| $DTTechOrg | Organization of the technical contact present in the WHOIS record |
| $DTTechPhone | Phone number of the technical contact present in the WHOIS record |
| $DTTechPostal | Postal code of the technical contact present in the WHOIS record |
| $DTTechState | State of the technical contact present in the WHOIS record |
| $DTTechStreet | Street address of the technical contact present in the WHOIS record |
| $DTWHOIS-Record | Raw copy of the WHOIS record |
This function returns a list of IP network ranges with WHOIS records that match a queried IP address.
- IP address.
_fetch $SrcIP from threatsample limit 1
>>_lookup domaintools get_reverse_ipwhois $SrcIP
Click here to view the output of the above query
The output of the lookup call has the following structure (for the available data), which is variable based on the queried IP address present in the WHOIS record:
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTCountry | Country of the queried IP address |
| $DTIPFrom | Start of the IP address block |
| $DTIPTo | End of the IP address block |
| $DTIPFromAlloc | Starting allocation of the range of IP addresses |
| $DTIPToAlloc | Ending allocation of the range of IP addresses |
| $DTOrganization | Name of the organization present in the WHOIS record |
| $DTRange | Range of the IP address block |
| $DTRecordDate | Date of the WHOIS record |
| $DTRecordIP | IP address present in the WHOIS record |
| $DTServer | Server returning the WHOIS record |
| $DTWHOISRecord | Raw WHOIS record |
This function returns risk scores and threat predictions based on DomainTools Proximity and Threat Profile algorithms.
- Domain name
_fetch $Domain from threatsample limit 1
>>_lookup domaintools get_domain_riskscore $Domain
The output of the query is as shown below
The output of the lookup call has the following structure (for the available data)
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTDomain | Domain name being queried |
| $DTblacklistRiskScore | Blacklist risk-scoring for the domain |
| $DTRiskScore | Risk-scoring for the queried domain |
This function returns risk scores and threat predictions based on DomainTools’ Proximity and Threat Profile algorithms and evidence for the categorization made by it. It helps in deeper investigation of a domain.
- Domain name.
_fetch $Domain from threatsample limit 1
>>_lookup domaintools get_domain_riskscore_evidence $Domain
The output of the lookup call has the following structure (for available data)
| Fields | Description |
|---|---|
| $DTResponseCode |
|
| $DTMessage | Error message corresponding to the $DTResponseCode |
| $DTDomain | Domain name being queried |
| $DTProximityEvidence | Blacklist risk-scoring for the queried domain |
| $DTProximityRiskScore | Score associated with proximity risk |
| $DTThreatProfileRiskScore | Score associated with threat profile |
| $DTRiskScore | Risk-scoring for queried domain |
The DOMAINTOOLS API is found on github at
https://github.com/dnif/lookup-domaintools
$cd /dnif/CnxxxxxxxxxxxxV8/lookup_plugins/
git clone https://github.com/dnif/lookup-domaintools.git domaintools
-
Move to the
/dnif/<Deployment-key>/lookup_plugins/domaintools/folder path and open dnifconfig.yml configuration fileReplace the <Add_your_username_here> and <Add_you_key_here> tags with your DOMAINTOOLS API username and key.
lookup_plugin:
DOMAINTOOLS_USERNAME: <Add_your_username_here>
DOMAINTOOLS_KEY: <Add_your_key_here>