
Why Your Protective DNS Needs Real-Time Data: The DomainTools Advantage

In an age where threats evolve in minutes – not months – your ability to stop attacks before they start depends on one thing: speed. That’s why DomainTools’ upcoming real-time feeds API release is a game-changer, especially for anyone relying on Protective DNS (PDNS). If you’re using DNS as a first line of defense (and you should be), here’s why this new capability matters – and how it can dramatically tighten your security posture with the help of DomainTools’ Newly Observed Domain (NOD) and Domain Hotlist feeds.

Most PDNS and other modern security solutions rely on periodic updates of domain blocklists or threat intelligence feeds. While that’s effective against known threats, it creates a critical gap – the window of exposure between when a domain is first registered, weaponized, and finally flagged as malicious.

A real-time API eliminates this lag by delivering fresh data the moment it’s available. This means:

  • Immediate awareness of never-before-observed domains – no need to wait for batch updates.
  • Instant ability to block any high-risk activity that has been identified by DomainTools’ risk scoring models.
  • Rapid blocking at the DNS layer, before a connection is ever attempted.

Newly Observed Domain Feed (NOD)

This feed captures domains that have never been previously observed by the DomainTools passive DNS sensor network. These observations are triggered by queries that happen “in the wild” – often hours or days before traditional blocklists can catch up. As these new domains appear on the Internet, the goal is to block them for a defined amount of time (e.g. the first 24 hours) before allowing traffic to them. This time gap gives security companies the chance to decide whether a domain has been registered with malicious intent before any users interact with it. With real-time API integrations, your SIEMs, SOARs, and PDNS engines can react instantly to these new domains and start logging any activity. This could reduce your dwell time from days or hours down to minutes or seconds.

Real-Time Domain Hotlist

This curated feed pinpoints domains with the highest likelihood of malicious intent based on infrastructure patterns, threat actor behavior, and machine learning analysis. The Domain Hotlist feed is powered by both the DomainTools machine learning algorithms, which assign a risk score for malicious intent, and very recent observations from our passive DNS sensor network. The risk scoring process assigns 4 different scores to all newly discovered domains: proximity, phishing, malware, and spam. For a domain to be placed on the Domain Hotlist, it needs to satisfy multiple criteria:

  • Proximity score of 70+
  • OR a Threat profile score (which is a combination of the phishing, malware, and spam scores) of 90+
  • AND it must have a Passive DNS observation within the last 24 hours

These criteria mean that you are no longer bombarding your security processes with extra indicators that may not be active and could even be outdated. The domains added are both risky AND active. This allows you to “level up” your stance on blocking risky domains. Don’t wait for a right-of-boom blocklist and don’t wait 24 hours for a daily file; get the data as soon as it is available.

DomainTools Real-Time Feed API

The introduction of the real-time Feed API provides many benefits and a common set of core features that can make this approach more attractive than previous alternatives.

  • Stable, static URL endpoint. This allows you to fetch the latest feed data with the same query parameters.
  • Configurable polling frequency. You can fetch the data as often as you want, whether you decide to pull hourly or even every 60 seconds.
  • 5-day data retention. We provide a 5-day retention time for Feed APIs – meaning that if your API polling infrastructure runs into an issue, we still maintain a copy of the data on our side which can be pulled when you are back in action.
  • Session management. The API system provides session management – no need to account for time frames or trying to figure out if you duplicated or lost a domain along the way. Create a session ID and let us handle that aspect for you!
  • Server side pattern filtering. When you utilize the “domain” query parameter, the feed data will be filtered on the server side. So you only download the domain name patterns that are important to you, and save on transfer time and processing power.

Using the Real-Time Feed API

Here are a couple of examples pulling data from the real-time risk feeds.

This first example shows data being pulled from the NOD feed, using the after=-10 parameter to pull only the most recent 10 seconds’ worth of data.

 # curl -X 'GET' 'https://api.domaintools.com/v1/feed/nod/?after=-10' \
     -H "X-API-Key: $DTKEY"

{"timestamp":"2025-06-21T19:04:20Z","domain":"brandonkimeshome.com"}
{"timestamp":"2025-06-21T19:04:14Z","domain":"hrupanica.store"}
{"timestamp":"2025-06-21T19:04:15Z","domain":"milazzoservizi.it"}
{"timestamp":"2025-06-21T19:04:17Z","domain":"gov-ig.cc"}
{"timestamp":"2025-06-21T19:04:18Z","domain":"idee-fixe.pagefrontapp.com"}
{"timestamp":"2025-06-21T19:04:19Z","domain":"desertlariatjewelry.com"}
{"timestamp":"2025-06-21T19:04:19Z","domain":"barbond.store"}
{"timestamp":"2025-06-21T19:04:19Z","domain":"bfqgfyi.ltd"}
{"timestamp":"2025-06-21T19:04:19Z","domain":"bom777.ink"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"blendagin.com"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"build-a-platform.com"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"cassinews.net"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"canada-curriculum-institute.com"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"choicecabstaxiservice.com"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"companydhp.com"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"clip.site"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"proyectostecto.com"}
{"timestamp":"2025-06-21T19:04:21Z","domain":"crownluxeco.com"}
{"timestamp":"2025-06-21T19:04:22Z","domain":"cucciya2.com.tr"}
{"timestamp":"2025-06-21T19:04:20Z","domain":"cleverreachers.co"}

#
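The 24-hour hold-down described in the Newly Observed Domain Feed section, applied to records in the shape shown above. This is an added example, not DomainTools code; the HOLD value, the function names and the sample domains are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=24)  # assumed policy: the "first 24 hours" window from the text

# Constructed sample in the NOD record shape (not live feed data).
SAMPLE_NOD = """\
{"timestamp":"2025-06-21T19:04:14Z","domain":"new-shop.example"}
{"timestamp":"2025-06-20T18:00:00Z","domain":"older.example"}
not-json
{"timestamp":"2025-06-21T19:04:20Z","domain":"Fresh-Login.EXAMPLE."}
"""

def parse_ts(value):
    # Feed timestamps are UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_nod(ndjson, table=None):
    """Merge NOD records into {domain: first_seen}, keeping the earliest sighting."""
    table = {} if table is None else table
    for line in ndjson.splitlines():
        try:
            rec = json.loads(line)
            name = rec["domain"].rstrip(".").lower()
            seen = parse_ts(rec["timestamp"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip blank or malformed lines rather than abort the poll
        if name and (name not in table or seen < table[name]):
            table[name] = seen
    return table

def held_by(qname, table, now):
    """Return the held domain covering qname (itself or a parent), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        first_seen = table.get(candidate)
        if first_seen is not None and now - first_seen < HOLD:
            return candidate
    return None

def prune(table, now):
    """Drop entries whose hold-down has elapsed so the table stays bounded."""
    for name in [n for n, seen in table.items() if now - seen >= HOLD]:
        del table[name]
    return table
```

Matching on parent labels means a query for a subdomain of a held domain is caught as well, which matters because the feed lists the domain while clients usually query hosts beneath it.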

The second example shows data being pulled from the Real-Time Domain Hotlist feed. Here we use a session ID so that only data added since the last time this session ID was used is returned, together with server-side filtering to search for domains that contain the term cleaning.

 # curl -X 'GET' 'https://api.domaintools.com/v1/feed/domainhotlist/?sessionID=hotlistSession&domain=cleaning' \
     -H "X-API-Key: $DTKEY"

{"timestamp":"2025-06-21T18:24:23Z","domain":"cleaning-services-57474.bond","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":79,"overall_risk":99,"expires":"2025-06-22T16:56:09Z"}
{"timestamp":"2025-06-21T18:27:49Z","domain":"cleaning-services-7435.bond","phishing_risk":99,"malware_risk":99,"spam_risk":97,"proximity_risk":80,"overall_risk":99,"expires":"2025-06-22T12:04:18Z"}
{"timestamp":"2025-06-21T18:46:05Z","domain":"cleaning-jobs-63891.bond","phishing_risk":99,"malware_risk":99,"spam_risk":96,"proximity_risk":79,"overall_risk":99,"expires":"2025-06-22T18:46:04Z"}
{"timestamp":"2025-06-21T19:02:04Z","domain":"guttercleaning-14.sbs","phishing_risk":10,"malware_risk":99,"spam_risk":1,"proximity_risk":99,"overall_risk":99,"expires":"2025-06-22T19:02:03Z"}
{"timestamp":"2025-06-21T19:11:09Z","domain":"cleaningmaturegallop.com","phishing_risk":93,"malware_risk":95,"spam_risk":96,"proximity_risk":99,"overall_risk":99,"expires":"2025-06-22T19:11:08Z"}
#
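One way to turn hotlist records like these into DNS-layer blocks, as an added example that is not DomainTools code: it keeps only entries still in force and renders them as Response Policy Zone (RPZ) records. It assumes that `expires` marks when an entry should stop being enforced; the `min_overall` threshold, the function names and the sample domains are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed records in the hotlist output shape (not live feed data).
SAMPLE_HOTLIST = """\
{"timestamp":"2025-06-21T18:24:23Z","domain":"cleaning-promo-1.example","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":79,"overall_risk":99,"expires":"2025-06-22T16:56:09Z"}
{"timestamp":"2025-06-21T10:00:00Z","domain":"cleaning-promo-2.example","phishing_risk":93,"malware_risk":95,"spam_risk":96,"proximity_risk":99,"overall_risk":99,"expires":"2025-06-21T12:00:00Z"}
{"timestamp":"2025-06-21T19:02:04Z","domain":"cleaning-promo-3.example","phishing_risk":10,"malware_risk":40,"spam_risk":1,"proximity_risk":72,"overall_risk":72,"expires":"2025-06-22T19:02:03Z"}
"""

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def active_blocks(ndjson, now, min_overall=90):
    """Return {domain: expires} for entries still in force at `now`."""
    blocks = {}
    for line in ndjson.splitlines():
        try:
            rec = json.loads(line)
            name = rec["domain"].rstrip(".").lower()
            expires = parse_ts(rec["expires"])
            risk = int(rec["overall_risk"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed record: skip it, keep processing the poll
        if expires <= now or risk < min_overall:
            continue  # stale entry, or below the local policy threshold
        if name not in blocks or expires > blocks[name]:
            blocks[name] = expires  # a repeated domain keeps its latest expiry
    return blocks

def to_rpz(blocks):
    """Render RPZ records; 'CNAME .' tells the resolver to answer NXDOMAIN."""
    lines = []
    for name in sorted(blocks):
        stamp = blocks[name].strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"; until {stamp}")
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")  # cover subdomains as well
    return "\n".join(lines)
```

Regenerating the zone on every poll with the current time drops expired entries automatically, so the blocklist does not accumulate indicators that are no longer active.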

Stay tuned for more posts about the DomainTools real-time feed API to learn about other feeds available in this manner. Plus, we are looking forward to a future post that will answer the question, “I have all this great data... now what?”

Request a demo today if you’d like to learn more about DomainTools solutions!