What is Domain Intelligence?
Domain Intelligence provides a complete profile of any domain name, including:
- WHOIS registration data (registrar, dates, contacts, name servers, domain status)
- DNS records (A, AAAA, MX, NS, TXT, etc.)
- SSL/TLS certificates
- Infrastructure (IP addresses, hosting providers)
- Historical changes and ownership
- Risk assessment and reputation
- Related domains and infrastructure
Basic Domain Lookup
Endpoint: GET /v1/indicators/domain/{domain}
Example:
curl "https://api.whisper.security/v1/indicators/domain/example.com" \
-H "Authorization: Bearer YOUR_API_KEY"
Response structure:
{
  "query": { /* request metadata */ },
  "summary": { /* executive overview */ },
  "registration": { /* WHOIS data */ },
  "dns": { /* DNS records */ },
  "reputation": { /* risk assessment */ },
  "relationships": { /* related domains */ },
  "metadata": { /* data sources */ }
}
WHOIS Registration Data
- num: A unique registration number (7739513)
- domainName: The complete domain name (google.com)
- domainKeyword: The main part of the domain name, excluding the TLD (google)
- domainTld: The top-level domain (e.g., .com, .org, .net) (com)
- queryTime: The timestamp when this domain information was looked up (2024-11-05 21:15:21)
- createDate: The date the domain was originally registered (1997-09-05)
- updateDate: The date the domain's registration information was last modified (2024-08-02)
- expiryDate: The date the domain registration is set to expire (2028-09-13)
- registrarIana: The unique ID number assigned by IANA to the registrar (292)
- registrarName: The name of the organization that managed the domain registration (MarkMonitor, Inc.)
- registrarWebsite: The web address of the registrar (http://www.markmonitor.com)
- registrantName: The name of the individual who registered the domain (e.g., John Doe)
- registrantCompany: The name of the organization that owns the domain (Google LLC)
- registrantAddress: The street address of the registrant (e.g., 123 Example St)
- registrantCity: The city of the registrant (e.g., Anytown)
- registrantState: The state or province of the registrant (CA)
- registrantZip: The postal code of the registrant (e.g., 98765)
- registrantCountry: The country of the registrant (US)
- registrantEmail: The contact email for the registrant (select request email form at https://domains.markmonitor.com/whois/google.com)
- registrantPhone: The contact phone number for the registrant (e.g., +1.5551234567)
- registrantFax: The contact fax number for the registrant (e.g., +1.5551234568)
- nameServers: A list of the name servers responsible for resolving the domain (["ns1.google.com", "ns2.google.com", "ns3.google.com", "ns4.google.com"])
- domainStatus: A list of codes indicating the status of the domain (e.g., if it's locked from transfer or deletion) (["clientDeleteProhibited", "clientTransferProhibited", ...])
- dnsSec: Indicates whether DNS Security Extensions are enabled for the domain (unsigned)
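A sketch of how these registration fields can feed a triage check, added here as an illustration and not part of the API or its documentation. The thresholds, the set of expected lock codes and the `CONSTRUCTED` record are assumptions; `PAGE_SAMPLE` reuses the example values listed above.

```python
from datetime import date

# Thresholds and expected locks are assumptions for this example, not API values.
NEW_DOMAIN_DAYS = 30
EXPIRY_WARN_DAYS = 60
EXPECTED_LOCKS = {"clientTransferProhibited", "clientDeleteProhibited"}


def whois_findings(reg: dict, today: date) -> list[str]:
    """Return triage findings for one `registration` object."""
    findings = []
    created = _parse(reg.get("createDate"))
    if created is None:
        findings.append("createDate missing: domain age unknown")
    elif (today - created).days < NEW_DOMAIN_DAYS:
        findings.append(f"newly registered ({(today - created).days} days old)")
    expiry = _parse(reg.get("expiryDate"))
    if expiry is not None:
        left = (expiry - today).days
        if left < 0:
            findings.append(f"registration expired {-left} days ago")
        elif left < EXPIRY_WARN_DAYS:
            findings.append(f"expires in {left} days")
    # Missing client locks make unauthorized transfer or deletion easier.
    missing = EXPECTED_LOCKS - set(reg.get("domainStatus") or [])
    if missing:
        findings.append("missing locks: " + ", ".join(sorted(missing)))
    if reg.get("dnsSec") in (None, "unsigned"):
        findings.append("DNSSEC not enabled")
    return findings


def _parse(value):
    """Parse a YYYY-MM-DD date; return None when absent or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


# Example values from the field list above.
PAGE_SAMPLE = {"createDate": "1997-09-05", "expiryDate": "2028-09-13",
               "domainStatus": ["clientDeleteProhibited", "clientTransferProhibited"],
               "dnsSec": "unsigned"}
# Constructed record for a recently registered, unlocked domain.
CONSTRUCTED = {"createDate": "2024-10-25", "expiryDate": "2025-10-25",
               "domainStatus": [], "dnsSec": None}
```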
DNS Records
- arecords: A list of 'A' records, which map the domain name to IPv4 addresses. (["142.250.179.142", "142.250.185.78", ...])
- aaaa_records: A list of 'AAAA' records, which map the domain name to IPv6 addresses. (["2a00:1450:4001:82f:0:0:0:200e", ...])
- mx_records: A list of 'MX' (Mail Exchange) records, which specify the mail servers responsible for handling email for the domain. (e.g., ["10 alt1.aspmx.l.google.com", "20 alt2.aspmx.l.google.com"])
- ns_records: A list of 'NS' (Name Server) records, which delegate a domain or subdomain to a set of authoritative name servers. (e.g., ["ns1.google.com", "ns2.google.com"])
- txt_records: A list of 'TXT' records, which hold arbitrary text. Often used for domain verification (like SPF, DKIM, or Google Search Console). (e.g., ["v=spf1 include:_spf.google.com ~all"])
- cname_records: A list of 'CNAME' (Canonical Name) records, which alias one domain name to another. (e.g., ["www.example.com" points to "example.com"])
Domain Reputation
- risk_score: A simplified numerical score indicating the domain's potential risk (1.483115318416523)
- blacklists: A list of security blacklists where the domain is listed for issues like spam or malware (e.g., ["spamhaus_sbl", "surbl_ph"])
- domain_reputation: A parent object containing a detailed breakdown of the reputation analysis.
- overall_score: A comprehensive numerical reputation score, often on a scale (e.g., 1-100) (14.831153184165231)
- risk_level: A human-readable classification of the score (clean)
- domain_ip_score: A score based only on the reputation of the domain's own IP addresses ('A' and 'AAAA' records) (24.718588640275385)
- nameserver_ip_score: A score based on the reputation of the IP addresses belonging to the domain's name servers (0)
- mailserver_ip_score: A score based on the reputation of the IP addresses belonging to the domain's mail servers ('MX' records) (0)
- details: An object providing the raw data used for the analysis.
- domain_ips: A list of all IPv4 and IPv6 addresses found for the domain (["142.250.185.78", "2a00:1450:4001:80b:0:0:0:200e", ...])
- domain_ip_scores: A mapping of each domain IP to its individual reputation score ({"142.250.185.78": 85.5, ...})
- nameserver_domains: A list of the domain's name servers (["ns1.google.com", "ns2.google.com", ...])
- nameserver_ips: A list of all IP addresses resolved from the name server domains (["2001:4860:4802:32:0:0:0:a", "216.239.32.10", ...])
- nameserver_ip_scores: A mapping of each name server IP to its individual reputation score ({"216.239.32.10": 0, ...})
- mailserver_domains: A list of the domain's mail servers (e.g., ["aspmx.l.google.com"])
- mailserver_ips: A list of all IP addresses resolved from the mail server domains (e.g., ["142.250.150.27"])
- mailserver_ip_scores: A mapping of each mail server IP to its individual reputation score (e.g., {"142.250.150.27": 0})
- scoring_method: The name of the algorithm or method used to calculate the score (composite_infrastructure)
- weights: An object showing how each component contributed to the overall_score.
- mailservers: The weighting factor for the mail server score (0.2)
- nameservers: The weighting factor for the name server score (0.2)
- domain: The weighting factor for the domain's own IP score (0.6)
Relationships
- incoming_links: An object describing backlinks (other websites linking to this domain).
- total: The total number of incoming links found (13539569)
- top_sources: A list of the most prominent domains linking to this one (e.g., ["wikipedia.org", "nytimes.com", "bbc.com", ...])
- total: The total number of unique external domains this site links to (8)
- top_sources: A list of the external domains this site links to (e.g., ["youtube.com", "facebook.com", "twitter.com", ...])
- shared_infrastructure: A list of IP addresses (both IPv4 and IPv6) that host the domain. This is the same list as the 'A' and 'AAAA' records. (["142.250.185.78", "2a00:1450:4001:80b:0:0:0:200e", ...])
Subdomain Discovery
Endpoint: GET /v1/indicators/domain/{domain}/subdomains
Get subdomains:
curl "https://api.whisper.security/v1/indicators/domain/example.com/subdomains?limit=100" \
-H "Authorization: Bearer YOUR_API_KEY"
Response:
{
  "domain": /* domain name */,
  "subdomains": [ /* list of subdomains */ ],
  "totalCount": /* subdomains count */
}
Similar Domains (Typosquatting Detection)
Endpoint: POST /v1/indicators/domain/{domain}/similar
Generate similar domains:
# Step 1: Initiate async job
curl -X POST 'https://api.whisper.security/v1/indicators/domain/example.com/similar' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-H 'Content-Type: application/json'
# Response: {"jobId": "job_abc123", "status": "pending"}
# Step 2: Check job status
curl -X GET 'https://api.whisper.security/v1/ops/jobs/job_abc123' \
-H 'Authorization: Bearer YOUR_API_KEY'
# When status is "completed", result field contains the data
Results when complete:
{
  "similarDomains": [
    {
      /* similar generated domain names */
    }
  ],
  "totalCount": /* total generated domain names */,
  "analysis": { /* similarity algorithms used */ }
}
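The two-step job flow above as a polling helper with exponential backoff and a hard timeout. This is an added example, not client code from the API provider; `wait_for_job`, its parameters and the `"failed"` terminal status are assumptions, since the page only shows `"pending"` and `"completed"`.

```python
import json
import time
import urllib.request

API = "https://api.whisper.security"


def http_get_job(job_id: str, api_key: str) -> dict:
    """GET /v1/ops/jobs/{jobId}, the status endpoint shown in step 2."""
    req = urllib.request.Request(
        f"{API}/v1/ops/jobs/{job_id}",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def wait_for_job(fetch, job_id, timeout=120.0, delay=1.0, max_delay=15.0,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll `fetch(job_id)` until the job completes and return its `result`.

    `fetch` returns the job document as a dict. The delay doubles after each
    poll, capped at `max_delay`, so a slow job is not hammered with requests.
    """
    deadline = clock() + timeout
    while True:
        job = fetch(job_id)
        status = job.get("status")
        if status == "completed":
            return job.get("result")
        if status == "failed":  # assumed terminal status, not shown on the page
            raise RuntimeError(f"job {job_id} failed: {job}")
        if clock() + delay > deadline:
            raise TimeoutError(f"job {job_id} still {status!r} after {timeout}s")
        sleep(delay)
        delay = min(delay * 2, max_delay)
```

For a live call, pass `lambda j: http_get_job(j, api_key)` as `fetch` with the `jobId` returned by the POST in step 1.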
Historical Data
Endpoint: GET /v1/indicators/domain/{domain}/history
Get domain history:
curl -X GET 'https://api.whisper.security/v1/indicators/domain/example.com/history?historyType=whois' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-H 'Content-Type: application/json'
Available include options:
- whois: Complete WHOIS record
- dns_details: All DNS record types
- ssl_details: Full certificate chain
- routing: All related infrastructure
- history: Historical changes
Response (truncated):
{
  "query": {
    "indicator": "example.com",
    "indicator_type": "domain",
    "history_type": "whois",
    "timestamp": "2025-10-30T20:33:13.774773095Z",
    "response_time_ms": 157
  },
  "history": {
    "records": [
      {
        "num": "310488",
        "domainName": "example.com",
        "domainKeyword": "example",
        "domainTld": "com",
        "queryTime": "2022-08-15 09:22:14",
        "createDate": "1995-08-14",
        "updateDate": "2022-08-14",
        "expiryDate": "2023-08-13",
        "registrarIana": "376",
        "registrarName": "RESERVED-Internet Assigned Numbers Authority",
        "registrarWebsite": "http://res-dom.iana.org",
        "nameServers": [
          "a.iana-servers.net",
          "b.iana-servers.net"
        ],
        "domainStatus": [
          "clientDeleteProhibited",
          "clientTransferProhibited",
          "clientUpdateProhibited"
        ],
        "dnsSec": null
      },
      {
        "num": "2138",
        "domainName": "example.com",
        "domainKeyword": "example",
        "domainTld": "com",
        "queryTime": "2022-07-22 16:43:32",
        "createDate": "1995-08-14",
        "updateDate": "2021-08-14",
        "expiryDate": "2022-08-13",
        "registrarIana": "376",
        "registrarName": "RESERVED-Internet Assigned Numbers Authority",
        "registrarWebsite": "http://res-dom.iana.org",
        "nameServers": [
          "a.iana-servers.net",
          "b.iana-servers.net"
        ],
        "domainStatus": [
          "clientDeleteProhibited",
          "clientTransferProhibited",
          "clientUpdateProhibited"
        ],
        "dnsSec": null
      },
      {
        "num": "626629",
        "domainName": "example.com",
        "domainKeyword": "example",
        "domainTld": "com",
        "queryTime": "2023-05-12 16:40:59",
        "createDate": "1995-08-14",
        "updateDate": "2023-05-12",
        "expiryDate": "2023-08-13",
        "registrarIana": "376",
        "registrarName": "RESERVED-Internet Assigned Numbers Authority",
        "registrarWebsite": "http://res-dom.iana.org",
        "nameServers": [
          "a.iana-servers.net",
          "b.iana-servers.net"
        ],
        "domainStatus": [
          "clientDeleteProhibited",
          "clientTransferProhibited",
          "clientUpdateProhibited"
        ],
        "dnsSec": "signedDelegation"
      }
    ],
    "total_records": 3,
    "oldest_date": "1995-08-14",
    "newest_date": "2025-08-14"
  }
}
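The records in this response are not in chronological order, so a change report has to sort by `queryTime` before comparing snapshots. The following added example (not part of the API or its documentation) diffs consecutive WHOIS snapshots on a few fields; the `WATCHED` selection and the function names are assumptions, and `SAMPLE` is a trimmed copy of the three records above.

```python
from datetime import datetime

# Fields whose change matters for hijack or takeover triage (a selection made
# for this example, not a list defined by the API).
WATCHED = ("registrarName", "nameServers", "domainStatus", "dnsSec", "expiryDate")


def whois_changes(records: list[dict]) -> list[dict]:
    """Diff consecutive WHOIS snapshots, oldest first, on the watched fields."""
    ordered = sorted(
        records, key=lambda r: datetime.strptime(r["queryTime"], "%Y-%m-%d %H:%M:%S")
    )
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        for field in WATCHED:
            old, new = _norm(prev.get(field)), _norm(cur.get(field))
            if old != new:
                changes.append(
                    {"seen": cur["queryTime"], "field": field, "old": old, "new": new}
                )
    return changes


def _norm(value):
    # Lists (name servers, status codes) are compared as lowercase sorted lists
    # so that reordering or case alone is not reported as a change.
    if isinstance(value, list):
        return sorted(v.lower() for v in value)
    return value


# Trimmed copies of the three records in the response above.
_COMMON = {
    "registrarName": "RESERVED-Internet Assigned Numbers Authority",
    "nameServers": ["a.iana-servers.net", "b.iana-servers.net"],
    "domainStatus": ["clientDeleteProhibited", "clientTransferProhibited",
                     "clientUpdateProhibited"],
}


def _snap(query_time, expiry, dnssec):
    return {**_COMMON, "queryTime": query_time, "expiryDate": expiry, "dnsSec": dnssec}


SAMPLE = [
    _snap("2022-08-15 09:22:14", "2023-08-13", None),
    _snap("2022-07-22 16:43:32", "2022-08-13", None),
    _snap("2023-05-12 16:40:59", "2023-08-13", "signedDelegation"),
]
```

On the sample this reports the 2022 renewal and the later move to `signedDelegation`; a change to `nameServers` or `registrarName` would surface the same way.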
