Overview
The DomainTools API is organized into distinct products with queries that follow a
RESTful URL structure wherever possible. Each product offers free, un-authenticated
access for the sample URLs listed with each product. If you haven’t already, you may
want to review the getting started document to learn
about authentication and response formats.
The Domain Risk Score API is only available via our Enterprise Solutions team, and is not included in a membership.
Contact [email protected] for more details.
https://api.domaintools.com/v1/risk/?domain=example-bad-domain.xyz
https://api.domaintools.com/v1/risk/evidence/?domain=example-bad-domain.xyz
The /risk endpoint is designed for large-scale enrichment and triage of domain names within custom tools or one of the DomainTools SIEM/TIP integrations and supports a higher query rate than the /risk/evidence endpoint, which is designed for deeper investigation of individual domains.
Domain Risk Score Parameters
Parameters | Description |
---|---|
domain | Required. Input domain for which the risk score is desired. Note that if you provide a hostname (e.g. www.domaintools.com) rather than a domain (e.g. domaintools.com) we will attempt to return the risk score for the domain, and the domain we used to look up the risk score will always be returned in the response. |
Sample Response – Domain Risk Score:
```json
{
  "response": {
    "domain": "wstwc.cn",
    "risk_score": 99,
    "components": [
      { "name": "proximity", "risk_score": 70 },
      { "name": "threat_profile", "risk_score": 99 },
      { "name": "threat_profile_phishing", "risk_score": 99 },
      { "name": "threat_profile_malware", "risk_score": 95 },
      { "name": "threat_profile_spam", "risk_score": 0 }
    ]
  }
}
```
Sample Response – Domain Risk Score Evidence:
```json
{
  "response": {
    "domain": "wstwc.cn",
    "risk_score": 99,
    "components": [
      {
        "name": "proximity",
        "risk_score": 70,
        "evidence": [ "registrant" ]
      },
      {
        "name": "threat_profile",
        "risk_score": 99,
        "threats": [ "phishing", "malware" ],
        "evidence": [ "infrastructure", "domain name", "age", "registration" ]
      },
      {
        "name": "threat_profile_phishing",
        "risk_score": 99,
        "threats": [ "phishing" ]
      },
      {
        "name": "threat_profile_malware",
        "risk_score": 95,
        "threats": [ "malware" ]
      },
      { "name": "threat_profile_spam", "risk_score": 0 }
    ]
  }
}
```
The risk_score returned ranges from 0 (least risk) to 100 (known risk). The reasons array can contain the responses ‘blocklist’, ‘dns’, ‘realtime’, ‘registrant’, or ‘zerolist’.
Zero-listing excludes a domain from risk scoring and sets its risk score to 0. All zero-listed domains receive a 0 risk score, and 0 risk scores are exclusive to zero-listed domains (all other risk scores range from 1-99, inclusive). DomainTools zero-lists a domain when we determine it was not registered with malicious intent. Zero-listing guards legitimate domains against accidental blocking, and includes domains which are vital to the expected operation of the Internet. DomainTools does not assess or condone the quality of the content hosted on zero-listed domains.
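As an added example (not DomainTools code), the following sketch turns a /risk response body into a triage verdict, using the two behaviours described above: the response reports the domain that was actually scored, and a score of 0 means the domain is zero-listed. The `triage` function, the `BLOCK_AT` and `REVIEW_AT` thresholds and the action names are assumptions for illustration; the input is the sample response from this page.

```python
import json

# Constructed input: the sample /risk response shown on this page.
SAMPLE = json.loads("""
{"response": {"domain": "wstwc.cn", "risk_score": 99, "components": [
  {"name": "proximity", "risk_score": 70},
  {"name": "threat_profile", "risk_score": 99},
  {"name": "threat_profile_phishing", "risk_score": 99},
  {"name": "threat_profile_malware", "risk_score": 95},
  {"name": "threat_profile_spam", "risk_score": 0}]}}
""")

# Assumed local policy thresholds; DomainTools does not define these.
BLOCK_AT, REVIEW_AT = 90, 70

def triage(queried, body):
    """Turn one /risk response body into a verdict for the name we queried."""
    resp = body.get("response") if isinstance(body, dict) else None
    resp = resp if isinstance(resp, dict) else {}
    scored, score = resp.get("domain"), resp.get("risk_score")
    if not isinstance(scored, str) or type(score) is not int or not 0 <= score <= 100:
        return {"queried": queried, "action": "error", "reason": "malformed response"}
    # A hostname query is scored at its domain; the response says which one.
    q, s = queried.lower().rstrip("."), scored.lower()
    if q != s and not q.endswith("." + s):
        return {"queried": queried, "action": "error", "reason": "scored domain mismatch"}
    # Per the page, a score of 0 is exclusive to zero-listed domains.
    if score == 0:
        action = "allow"
    elif score >= BLOCK_AT:
        action = "block"
    elif score >= REVIEW_AT:
        action = "review"  # candidate for a follow-up /risk/evidence lookup
    else:
        action = "log"
    comps = [c for c in (resp.get("components") or []) if isinstance(c, dict)]
    drivers = sorted(
        (c for c in comps if type(c.get("risk_score")) is int and c["risk_score"] >= REVIEW_AT),
        key=lambda c: (-c["risk_score"], str(c.get("name"))),
    )
    return {
        "queried": queried,
        "scored_domain": scored,
        "reduced_from_hostname": q != s,
        "risk_score": score,
        "zero_listed": score == 0,
        "action": action,
        "drivers": [c.get("name") for c in drivers],
    }
```

Logging `scored_domain` next to `queried` keeps a block decision made on a hostname traceable to the domain that was actually scored.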