Increase Threat Visibility with DomainTools Real-Time IP Risk Feeds

One domain can tell you a lot about the intent, connections, and context behind a potential threat. But the one domain you are seeing could be connected, through the same IP address, to hundreds or more domains that you are not seeing, hosted on the same infrastructure. Now, imagine having a data feed of all active, high-risk hosting IP addresses, together with the enrichment data behind them, updated and delivered in real time into your security stack.
Introducing the Real-Time IP Risk Feed
The IP Risk feed delivers risk intelligence for every IPv4 address known to be hosting domains, regardless of risk level. That is, it enumerates all hosting IP addresses, good and bad, so it gives the broadest view available for assessing threats related to hosting IPs.
Now, this feed is updated in real-time, emitting an updated IP address record whenever:
- the domain risk score changes for any of its hosted domains, or
- the IP address starts or stops hosting a domain.
If a previously good IP address starts hosting one or more bad domains, its risk profile changes immediately. If a domain that previously had a good reputation moves to an IP address that hosts only bad domains, it becomes suspect. Because each emitted record describes the IP's current state, a consumer should treat it as replacing the previous record for that IP rather than appending to it.
The IP Risk feed provides both detailed risk assessment and enrichment data for each hosting IP, including:
- Counts of domains hosted on the IP address
- % of domains hosted on the IP that have a high risk score for phishing, malware or spam
- Measures of pDNS activity against the IP address
- ASN and organization associated with the IP
- Geographic details like city and country
With the IP Risk feed, you can:
- Build high-confidence IP block lists, tailored to your risk profile
- Identify currently active hostile infrastructure for immediate action
- Identify “super-hoster” or known-good IPs to allowlist
- Enhance SOC and Threat Intel workflows with IP-based enrichment
- Create custom network or endpoint block rules
- Triage IP-based alerts
- Monitor threat actor hosting infrastructure
- Detect and respond to active C2 servers
Paired with passive DNS data from Farsight DNSDB, the feed lets you make additional, objective connections between hosting IPs and Fully Qualified Domain Names (FQDNs), or across an entire netblock.
Real-Time IP Hotlist
While the Real-Time IP Risk Feed strives to provide the broadest visibility into all hosting IP addresses, the Real-Time IP Hotlist feed focuses on the highest-risk hosting IP addresses.
For an IPv4 address to appear on the IP Hotlist, it must:
- Host a high % of malicious domains
- Have appeared in pDNS activity in the previous 24 hours
These criteria focus the feed on the worst-of-the-worst hosting IP addresses, and also reduce the size of the feed, making it easier to ingest into your security stack.
The fields available in the IP Hotlist feed are the same as for the IP Risk feed.
IP Hotlist Example
Picking a recent IP Hotlist entry at random, the entry below shows an IP address (23[.]235[.]130[.]195) that is hosting 8 domains, 7 of which have been observed on typical industry blocklists: 6 (75%) have appeared on known spam lists, and 1 (~12%) on known malware lists.
{
"timestamp": "2026-05-18T22:03:43Z",
"ip": "23.235.130.195",
"pdns_resolutions": 7,
"bad_pdns_resolutions": 6,
"total_domains": 8,
"third_party_threats": 7,
"all_threats_combined_percent": 87,
"combined_phishing_percent": 0,
"combined_malware_percent": 12,
"combined_spam_percent": 75,
"asn": 132839,
"organization": "XeVPS L.L.C",
"city": "Los Angeles",
"country": "US",
"latitude": 34.0476,
"longitude": -118.29227,
"all_threats_combined_count": 7,
"malicious_phishing": 0,
"malicious_malware": 1,
"malicious_spam": 6,
"compromised_phishing": 0,
"compromised_malware": 0,
"compromised_spam": 0,
"predicted_phishing": 0,
"predicted_malware": 0,
"predicted_spam": 0,
"all_threats_percent": 87,
"percent_phishing": 0,
"percent_malware": 12,
"percent_spam": 75,
"zerolist_domains": 0,
"zerolist_ip": false
}
To understand what this IP Hotlist entry means, we can quickly search the IP address in Iris Investigate. 9 domains were found historically on this IP address, 1 of which is inactive. The 8 active domains share the same creation pattern: they were created within a 5-minute window, use similarly constructed registrant email addresses, share the same Cloudflare nameserver pair, and reuse some website titles. On that basis we can attribute these shared-hosting domains to a single threat actor or group.
Even though the remaining domain has not yet appeared on a traditional blocklist, there is a high likelihood that it is or will be used for malicious purposes, so blocking traffic to the entire IP address is justified. Iris Investigate shows a Proximity Risk score of 97 for that domain, reflecting its connectedness to known bad domains and strengthening the case for blocking the whole IP. Note that a whole-IP block is reasonable here because the address hosts only 8 domains, all attributable to one actor; the same decision on a "super-hoster" IP serving thousands of unrelated sites would cause collateral damage, which is exactly why the feed carries both the domain counts and the percentages rather than a single verdict.

We can additionally see the volume of pDNS activity involving this IP address in the last 24 hours by searching for it in DNSDB Scout (Standard / RData search):

This is one entry among many in the IP Hotlist, showing the breadth of threat intelligence rolled up into a neat, single-record JSON package.
Usage Scenarios for Real-Time IP Risk and Hotlist Feeds
Integrate into TIP/SIEM (Feed API)
Using the real-time Feed API, you can integrate threat intelligence on active, suspicious IP addresses into a Threat Intelligence Platform (TIP) or Security Information and Event Management (SIEM) tool, improving your security posture by blocking suspicious IPs and/or automating threat detection. The Feed API also lets you filter the IP feeds on the ratio of bad-to-total domains, so you can balance your organization's risk-reduction needs, tolerance for false positives, and capacity to handle the data volume.
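The ratio filter above is a server-side convenience; most teams also apply their own policy to the records once they land in the TIP or SIEM, and, because the feed re-emits a record whenever an IP's state changes, they must keep only the newest record per IP. The following is an added example, not DomainTools code. It assumes records arrive as newline-delimited JSON carrying the field names shown in the hotlist entry above; the threshold values in `Policy` are illustrative, and the sample stream is constructed (the first record is a trimmed copy of the page's entry, the rest use RFC 5737 documentation addresses).

```python
import json
from dataclasses import dataclass


# Policy thresholds are illustrative assumptions, not DomainTools defaults.
@dataclass(frozen=True)
class Policy:
    block_percent: int = 50           # block when at least this % of hosted domains are bad...
    min_bad_domains: int = 3          # ...and at least this many are bad (a 1-of-1 IP is noisy)
    super_hoster_domains: int = 1000  # above this many hosted domains, never auto-block
    allow_percent: int = 1            # a super-hoster with at most this % bad is an allowlist candidate


def classify(rec, policy=Policy()):
    """Return 'block', 'allow' or 'review' for one IP Risk / Hotlist record."""
    total = rec["total_domains"]
    bad = rec["all_threats_combined_count"]
    pct = rec["all_threats_combined_percent"]
    if total == 0:
        # The IP stopped hosting anything: nothing left to block or allow.
        return "review"
    if total > policy.super_hoster_domains:
        # Shared/CDN-scale host: a whole-IP block would take down unrelated sites.
        return "allow" if pct <= policy.allow_percent else "review"
    if pct >= policy.block_percent and bad >= policy.min_bad_domains:
        return "block"
    return "review"


def latest_state(ndjson):
    """Collapse a stream of feed records to the newest record per IP.

    The feed emits a fresh record whenever an IP's risk changes, so only the
    last record (by timestamp) reflects the IP's current state.
    """
    state = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        cur = state.get(rec["ip"])
        # ISO-8601 UTC timestamps in one format compare correctly as strings.
        if cur is None or rec["timestamp"] > cur["timestamp"]:
            state[rec["ip"]] = rec
    return state


def triage(ndjson, policy=Policy()):
    """Map each verdict to the sorted list of IPs that currently receive it."""
    out = {"block": [], "allow": [], "review": []}
    for ip, rec in latest_state(ndjson).items():
        out[classify(rec, policy)].append(ip)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample stream (not real feed output). 203.0.113.5 is emitted
# twice: first as a bad host, then after it stopped hosting any domain.
SAMPLE = """\
{"timestamp":"2026-05-18T22:03:43Z","ip":"23.235.130.195","total_domains":8,"all_threats_combined_count":7,"all_threats_combined_percent":87}
{"timestamp":"2026-05-18T22:05:00Z","ip":"192.0.2.10","total_domains":48000,"all_threats_combined_count":30,"all_threats_combined_percent":0}
{"timestamp":"2026-05-18T22:06:00Z","ip":"198.51.100.7","total_domains":1,"all_threats_combined_count":1,"all_threats_combined_percent":100}
{"timestamp":"2026-05-18T22:07:00Z","ip":"203.0.113.5","total_domains":20,"all_threats_combined_count":15,"all_threats_combined_percent":75}
{"timestamp":"2026-05-18T23:30:00Z","ip":"203.0.113.5","total_domains":0,"all_threats_combined_count":0,"all_threats_combined_percent":0}
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

With these thresholds only 23.235.130.195 is blocked; the 48,000-domain host becomes an allowlist candidate, the single-domain host is held for review rather than blocked on one data point, and 203.0.113.5 drops out of the block set once its later record shows it no longer hosts anything. Tune `Policy` to your own tolerance; the point is that the decision is driven by the counts and percentages in the record, not by presence in the feed alone.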
Download Hourly Archive Files (Download API)
Practitioners who need to backfill historical IP risk data can download hourly snapshot files of the IP Risk and Hotlist feeds using the Download API. This can be useful for:
- Outage Recovery: ensure you are not missing data when an outage lasts longer than the Feed API's retention period (5 days).
- Feed Evaluation / Proof of Value: retroactively evaluate what issues your system would have caught if you had access to the feed for a historical eval period (e.g., previous 90 days).
Block Malicious IPs via DNS (RPZ)
In an industry first, we are offering the IP Hotlist in Response Policy Zone (RPZ) format, enabling your DNS firewall to prevent traffic to high-risk IP addresses. DNS servers such as BIND can be configured to block or sinkhole a response based on the IP address it contains, using an rpz-ip response policy trigger: the trigger's owner name is the prefix length followed by the address octets in reverse order (for example, 32.195.130.235.23.rpz-ip for 23.235.130.195/32), and the record's target selects the action, such as CNAME . for NXDOMAIN or CNAME rpz-drop. to discard the query.
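If you would rather generate the zone yourself from hotlist records (for example, to apply the policy filtering shown earlier before anything reaches the resolver), the encoding is mechanical. The following is an added example, not DomainTools' RPZ feed or code. The zone name `hotlist.rpz`, the `localhost.` SOA/NS placeholders and the serial value are assumptions; it handles only IPv4, which is all the IP Risk and Hotlist feeds cover.

```python
import ipaddress


def rpz_ip_owner(cidr):
    """Encode an IPv4 address or prefix as an RPZ rpz-ip trigger owner name.

    RPZ writes the prefix length first, then the octets in reverse order,
    so 23.235.130.195 (a /32) becomes 32.195.130.235.23.rpz-ip and
    192.0.2.0/24 becomes 24.0.2.0.192.rpz-ip.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # host bits allowed
    if net.version != 4:
        raise ValueError("only IPv4 is handled here; the feeds are IPv4-only")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


# Record target -> resolver behaviour when an answer contains a listed IP.
ACTIONS = {
    "nxdomain": "CNAME .",          # answer NXDOMAIN
    "nodata": "CNAME *.",           # answer NODATA
    "drop": "CNAME rpz-drop.",      # discard the query
}


def build_rpz_zone(ips, serial, origin="hotlist.rpz", action="nxdomain", ttl=300):
    """Render a complete RPZ zone whose rpz-ip triggers cover the given IPv4s.

    Returns the zone as a list of lines so callers can write or diff it.
    The SOA serial must increase on every regeneration or BIND will keep
    serving the old zone; deriving it from the feed timestamp is one option.
    """
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 {ttl})",
        "@ IN NS localhost.",
    ]
    # Dedupe, then sort numerically so successive zone files diff cleanly.
    for ip in sorted(set(ips), key=lambda s: ipaddress.ip_network(s, strict=False)):
        lines.append(f"{rpz_ip_owner(ip)} IN {ACTIONS[action]}")
    return lines


if __name__ == "__main__":
    # Constructed input: the page's hotlist IP plus a documentation prefix.
    print("\n".join(build_rpz_zone(["23.235.130.195", "192.0.2.0/24"], serial=2026051822)))
```

Load the rendered file as an ordinary authoritative zone in BIND and reference it with `response-policy { zone "hotlist.rpz"; };` in `named.conf`. Two caveats when relying on rpz-ip triggers: they fire on the address in the answer, so a domain fronted by a CDN or reverse proxy resolves to the proxy's address and is not caught by a block on the origin IP; and unlike a QNAME trigger, an rpz-ip block catches every hostname that resolves to the listed address, which is the behaviour you want for a dedicated bad host and the behaviour you must avoid for a super-hoster.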
Conclusion
We at DomainTools are thrilled about the latest addition to our Real-Time Feeds and look forward to helping you take the next step in enhancing your DNS intelligence. Learn about all of our Real-Time Feeds here and book a conversation with our team to see how Real-Time Feeds can seamlessly integrate with your security stack for immediate value.
