Specifications | Threat Intelligence Data Feeds | WhoisXML API
Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

Research
Monitoring
White-Label
Predictive Threat Intelligence Feeds
Predictive Threat Intelligence Feeds

Predictive threat intelligence is your best first line of defense. Subscribe to the feeds to strengthen your cybersecurity posture. Contact us today for more information.

WhoisXML API Internet Infrastructure
Internet Infrastructure

Unlock integrated intelligence on Internet properties and their ownership, infrastructure, and other attributes.

Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Multi-Level API User Administration Now Available - Manage individual API keys for team members in your organization.

Learn More
×
Contact Us
Specifications Pricing

Specifications

This data feed subscription is licensed to you or your organization only, you may not resell or relicense the data without explicit written permission from Whois API, Inc. Any violation will be prosecuted to the fullest extent of the law.

There are 10 different types of data in the daily export. Each data feed is published daily at 3 AM UTC.

1. Malicious IPv4/IPv6 address data feeds

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-ips.v4.csv.gz 5.5MB 32MB 1,004,672
malicious-ips.v4.jsonl.gz 6.2MB 67MB 1,004,672
malicious-ips.v6.csv.gz 5.6MB 39MB 1,009,224
malicious-ips.v6.jsonl.gz 6.3MB 74MB 1,009,224

Output format

ip,threatType,firstSeen,lastSeen
203.0.113.1,malware,1678372385
2001:0db8:85a3::8a2e:0370:7334,spam,1678372385
...

Output parameters

ip
IoC: IPv4 and IPv6 addresses. IPv6 feed also contains IPv4 addresses represented in the IPv6 notation.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen
UNIX timestamp when the activity was detected first time.
lastSeen
UNIX timestamp when the activity was detected last time.

2. Malicious domain name data feed

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-domains.csv.gz 39MB 286MB 6,957,036
malicious-domains.jsonl.gz 42MB 558MB 6,957,036

Output format

domainName,threatType,firstSeen,lastSeen
example.com,malware,1678372385
example.org,spam,1678372385
...

Output parameters

domainName
IoC: domain name.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen
UNIX timestamp when the activity was detected first time.
lastSeen
UNIX timestamp when the activity was detected last time.

3. Malicious URL data feed

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-urls.csv.gz 42MB 116MB 1,073,285
malicious-urls.jsonl.gz 44MB 165MB 1,073,285

Output format

url,host,threatType,firstSeen,lastSeen
"example.com/wp-admin.php?hack_me=1","example.com",malware,1678372385
"/bad_path/bad_file.php","",malware,1678372385
...

Output parameters

url
IoC: URL. It might be absolute (https://example.com/files/badfile.php) or relative (/files/badfile.php). Relative URLs do not have a corresponding domainName field.
host
Domain name or IP for absolute URLs.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen
UNIX timestamp when the activity was detected first time.
lastSeen
UNIX timestamp when the activity was detected last time.

4. Malicious file hash data feed

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-file-hashes.csv.gz 13MB 35MB 639,141
malicious-file-hashes.jsonl.gz 13MB 64MB 639,141

Output format

hash,algo,threatType,firstSeen,lastSeen
1118d9c97f4ababe8ffcecef0946bcc8,md5,malware,1678372385
930619bc49c9836d26a3a2b75a3db93934d26fcb,sha1,malware,1678372385
...

Output parameters

hash
IoC: file's checksum. The hashing algorithm is determined by the algorithm field.
algo
The algorithm used to generate the value in the hash field: md5 or sha1.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen
UNIX timestamp when the activity was detected first time.
lastSeen
UNIX timestamp when the activity was detected last time.

5. Hosts files

A denylist in the hosts file format containing malicious domain names mapped to 0.0.0.0, to block access to them. Compatible with most operating systems. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
hosts.gz 34MB 211MB 6,813,347

Output format

...
0.0.0.0 example.com
0.0.0.0 example.org
...

6. Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation

A list containing IPv4 and IPv6 ranges in CIDR notation formatted for the ngx_http_access_module. The file can be used in Nginx configuration to block malicious IP addresses. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
nginx-access.v4.gz 5.1MB 30MB 1,352,895
nginx-access.v6.gz 5.6MB 44MB 1,499,909

Output format

...
deny 203.0.113.1;
deny 2001:0db8:85a3::8a2e:0370:7334;
...

7. Raw IPv4/IPv6 denylists

A plain text denylist containing IPv4/IPv6 addresses to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
deny-ips.v4.gz 3.1MB 13MB 929,017
deny-ips.v6.gz 3.4MB 19MB 933,565

Output format

...
203.0.113.1
2001:0db8:85a3::8a2e:0370:7334
...

8. Raw domain denylist

A plain text file containing domains to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
deny-domains.gz 32MB 159MB 6,813,347

Output format

...
example.com
example.org
...

9. Raw CIDR denylist

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration. The denylist contains all the active IoCs for the last 24 hours.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
deny-cidrs.v4.gz 4.6MB 23MB 1,352,895
deny-cidrs.v6.gz 5.5MB 36MB 1,499,909

Output format

...
deny 1.0.0.0/32;
deny 1.0.1.21/32;
...

10. Malicious IPv4/IPv6 ranges in CIDR notation data feeds

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-cidrs.v4.csv.gz 9.5MB 64MB 1,853,752
malicious-cidrs.v4.jsonl.gz 11MB 133MB 1,853,752
malicious-cidrs.v6.csv.gz 11MB 83MB 2,000,874
malicious-cidrs.v6.jsonl.gz 12MB 158MB 2,000,874

Output format

cidr,threatType,firstSeen,lastSeen
1.0.0.0/32,attack,1678412656
1.0.1.21/32,attack,1678360646
...

Output parameters

cidr
IoC: IPv4 and IPv6 ranges in CIDR notation. IPv6 feed also contains IPv4 ranges represented in the IPv6 notation.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
firstSeen
UNIX timestamp when the activity was detected first time.
lastSeen
UNIX timestamp when the activity was detected last time.

Downloading via HTTPS

Downloading via FTP

Downloading via FTPS

Read more about the FTPS connection: https://en.wikipedia.org/wiki/FTPS.

Our FTP server supports explicit FTP over TLS encryption. You may configure your FTP client to use explicit FTP over TLS encryption for secure communications.

Our FTPS server is accessed using the same paths and API keys as a regular FTP server, the instructions for which are described above. To connect via FTPS, select the "Require explicit FTP over TLS" encryption option in your FTP client, if it supports it. FileZilla configuration example:

explicit FTP over TLS encryption