User Guide
Synapse-DomainTools User Guide
Synapse-DomainTools adds new Storm commands to allow you to query the DomainTools API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API credentials
To set-up personal use API credentials:
> domaintools.setup.apikey --self myapiuser myapikey
Setting DomainTools API credentials for the current user.
Setting your personal Farsight API key
To set-up a personal use API key for the Farsight DNSDB API:
> domaintools.farsight.setup.apikey --self myapikey
Setting DomainTools Farsight API key for the current user.
Enrich nodes with Iris data
Enrich an inet:fqdn node with domaintools.iris.enrich:
> inet:fqdn=vertex.link | domaintools.iris.enrich
inet:fqdn=vertex.link
.created = 2024/04/25 15:15:01.268
:_domaintools:risk:score = 23
:_domaintools:risk:score:proximity = 23
:domain = link
:host = vertex
:issuffix = false
:iszone = true
:zone = vertex.link
Enrich an IPv4 with domaintools.iris.investigate and yield the results:
> inet:ipv4=199.30.228.112 | domaintools.iris.investigate --ip $node --yield
inet:whois:rec=('usb.vn', '2023/03/07 16:11:48.048')
.created = 2024/04/25 15:15:02.745
:asof = 2023/03/07 16:11:48.048
:fqdn = usb.vn
inet:whois:rec=('whoisapi.com', '2023/03/07 16:04:45.551')
.created = 2024/04/25 15:15:03.270
:asof = 2023/03/07 16:04:45.551
:created = 2002/07/10 00:00:00.000
:expires = 2023/07/10 00:00:00.000
:fqdn = whoisapi.com
:registrant = redacted for privacy
:registrar = enom, inc.
Get hosting history for a domain
Enrich an inet:fqdn node with domaintools.hosting.history and yield the results:
> inet:fqdn=domaintools.com | domaintools.hosting.history --size 3 --yield
inet:dns:a=('domaintools.com', '63.247.77.156')
.created = 2024/04/25 15:15:04.149
.seen = ('2004/05/03 00:00:00.000', '2004/05/03 00:00:00.001')
:fqdn = domaintools.com
:ipv4 = 63.247.77.156
inet:dns:a=('domaintools.com', '63.247.77.156')
.created = 2024/04/25 15:15:04.149
.seen = ('2004/05/03 00:00:00.000', '2005/10/02 00:00:00.001')
:fqdn = domaintools.com
:ipv4 = 63.247.77.156
inet:dns:a=('domaintools.com', '66.249.4.251')
.created = 2024/04/25 15:15:04.203
.seen = ('2006/01/07 00:00:00.000', '2006/01/07 00:00:00.001')
:fqdn = domaintools.com
:ipv4 = 66.249.4.251
Get Whois history for a domain
Enrich an inet:fqdn node with domaintools.whois.history and yield the results:
> inet:fqdn=vertex.link | domaintools.whois.history --size 1 --yield
inet:whois:rec=('vertex.link', '2023/03/01 00:00:00.000')
.created = 2024/04/25 15:15:04.421
:asof = 2023/03/01 00:00:00.000
:fqdn = vertex.link
:registrant = privacy service provided by withheld for privacy ehf
:text = domain name: vertex.link
registry domain id: do_04a969917b3f7361097e306b8ff46eed-ur
registrar whois server: whois.namecheap.com
registrar url: https://www.namecheap.com
updated date: 2022-07-18t00:41:25.236z
creation date: 2014-08-15t23:07:48.961z
registry expiry date: 2023-08-15t23:07:48.961z
registrar: namecheap
registrar iana id: 1068
registrar abuse contact email: [email protected]
registrar abuse contact phone: +1.6613102107
domain status: clienttransferprohibited https://icann.org/epp#clienttransferprohibited
registry registrant id: redacted for privacy
registrant name: redacted for privacy
registrant organization: privacy service provided by withheld for privacy ehf
registrant street: redacted for privacy
registrant city: redacted for privacy
registrant state/province: capital region
registrant postal code: redacted for privacy
registrant country: is
registrant phone: redacted for privacy
registrant fax: redacted for privacy
registrant email: please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name.
registry admin id: redacted for privacy
admin name: redacted for privacy
admin organization: redacted for privacy
admin street: redacted for privacy
admin city: redacted for privacy
admin state/province: redacted for privacy
admin postal code: redacted for privacy
admin country: redacted for privacy
admin phone: redacted for privacy
admin fax: redacted for privacy
admin email: please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name.
registry tech id: redacted for privacy
tech name: redacted for privacy
tech organization: redacted for privacy
tech street: redacted for privacy
tech city: redacted for privacy
tech state/province: redacted for privacy
tech postal code: redacted for privacy
tech country: redacted for privacy
tech phone: redacted for privacy
tech fax: redacted for privacy
tech email: please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name.
registry billing id: redacted for privacy
billing name: redacted for privacy
billing organization: redacted for privacy
billing street: redacted for privacy
billing city: redacted for privacy
billing state/province: redacted for privacy
billing postal code: redacted for privacy
billing country: redacted for privacy
billing phone: redacted for privacy
billing fax: redacted for privacy
billing email: please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name.
name server: dns1.registrar-servers.com
name server: dns2.registrar-servers.com
dnssec: unsigned
url of the icann rdds inaccuracy complaint form: https://www.icann.org/wicf/
for more information on domain status codes, please visit https://icann.org/epp
Get PDNS data
Perform an rrset query on the Farsight DNSDB for a domain:
> inet:fqdn=domaintools.com | domaintools.pdns --size 2 --yield
inet:dns:ns=('domaintools.com', 'dns1.p04.nsone.net')
.created = 2024/04/25 15:15:07.432
.seen = ('2020/08/05 22:51:16.000', '2023/03/04 22:50:20.000')
:ns = dns1.p04.nsone.net
:zone = domaintools.com
inet:dns:ns=('domaintools.com', 'dns2.p04.nsone.net')
.created = 2024/04/25 15:15:07.465
.seen = ('2020/08/05 22:51:16.000', '2023/03/04 22:50:20.000')
:ns = dns2.p04.nsone.net
:zone = domaintools.com
inet:dns:ns=('domaintools.com', 'dns3.p04.nsone.net')
.created = 2024/04/25 15:15:07.494
.seen = ('2020/08/05 22:51:16.000', '2023/03/04 22:50:20.000')
:ns = dns3.p04.nsone.net
:zone = domaintools.com
inet:dns:ns=('domaintools.com', 'dns4.p04.nsone.net')
.created = 2024/04/25 15:15:07.524
.seen = ('2020/08/05 22:51:16.000', '2023/03/04 22:50:20.000')
:ns = dns4.p04.nsone.net
:zone = domaintools.com
inet:dns:ns=('domaintools.com', 'ns1.dns.com')
.created = 2024/04/25 15:15:07.570
.seen = ('2010/07/17 16:09:47.000', '2010/08/31 16:10:09.000')
:ns = ns1.dns.com
:zone = domaintools.com
inet:dns:ns=('domaintools.com', 'ns2.dns.com')
.created = 2024/04/25 15:15:07.600
.seen = ('2010/07/17 16:09:47.000', '2010/08/31 16:10:09.000')
:ns = ns2.dns.com
:zone = domaintools.com
inet:dns:ns=('domaintools.com', 'ns3.dns.com')
.created = 2024/04/25 15:15:07.631
.seen = ('2010/07/17 16:09:47.000', '2010/08/31 16:10:09.000')
:ns = ns3.dns.com
:zone = domaintools.com
inet:dns:ns=('domaintools.com', 'ns4.dns.com')
.created = 2024/04/25 15:15:07.662
.seen = ('2010/07/17 16:09:47.000', '2010/08/31 16:10:09.000')
:ns = ns4.dns.com
:zone = domaintools.com
DomainTools Farsight: Result limit reached
Perform an rdata query on the Farsight DNSDB for a domain:
> inet:fqdn=domaintools.com | domaintools.pdns --size 5 --yield --rdata
inet:dns:cname=('dmaintools.com', 'domaintools.com')
.created = 2024/04/25 15:15:10.668
.seen = ('2011/05/14 19:47:05.000', '2012/07/30 18:47:59.000')
:cname = domaintools.com
:fqdn = dmaintools.com
inet:dns:cname=('go.dmaintools.com', 'domaintools.com')
.created = 2024/04/25 15:15:10.713
.seen = ('2012/07/30 18:48:16.000', '2012/08/06 18:49:37.000')
:cname = domaintools.com
:fqdn = go.dmaintools.com
inet:dns:cname=('www.dmaintools.com', 'domaintools.com')
.created = 2024/04/25 15:15:10.758
.seen = ('2011/08/24 22:03:54.000', '2012/08/07 23:59:32.000')
:cname = domaintools.com
:fqdn = www.dmaintools.com
inet:dns:cname=('howis.dmaintools.com', 'domaintools.com')
.created = 2024/04/25 15:15:10.806
.seen = ('2011/08/03 09:16:02.000', '2011/10/12 22:57:51.000')
:cname = domaintools.com
:fqdn = howis.dmaintools.com
inet:dns:cname=('whois.dmaintools.com', 'domaintools.com')
.created = 2024/04/25 15:15:10.849
.seen = ('2011/03/12 05:31:08.000', '2012/08/10 05:11:11.000')
:cname = domaintools.com
:fqdn = whois.dmaintools.com
DomainTools Farsight: Result limit reached
Perform an rdata query on the Farsight DNSDB for an IP:
> inet:ipv4=104.244.13.104 | domaintools.pdns --size 5 --yield
inet:dns:a=('fsi.io', '104.244.13.104')
.created = 2024/04/25 15:15:13.865
.seen = ('2015/04/07 19:04:25.000', '2018/09/27 02:08:30.000')
:fqdn = fsi.io
:ipv4 = 104.244.13.104
inet:dns:a=('www.fsi.io', '104.244.13.104')
.created = 2024/04/25 15:15:13.910
.seen = ('2015/06/07 06:13:14.000', '2018/09/26 23:53:37.000')
:fqdn = www.fsi.io
:ipv4 = 104.244.13.104
inet:dns:a=('olddocs.fsi.io', '104.244.13.104')
.created = 2024/04/25 15:15:13.953
.seen = ('2015/06/09 10:30:06.000', '2018/08/24 21:52:01.000')
:fqdn = olddocs.fsi.io
:ipv4 = 104.244.13.104
inet:dns:a=('fastrpz.com', '104.244.13.104')
.created = 2024/04/25 15:15:14.000
.seen = ('2016/11/04 16:04:00.000', '2018/09/26 12:50:40.000')
:fqdn = fastrpz.com
:ipv4 = 104.244.13.104
inet:dns:a=('www.fastrpz.com', '104.244.13.104')
.created = 2024/04/25 15:15:14.043
.seen = ('2016/11/07 17:58:07.000', '2018/08/24 21:52:01.000')
:fqdn = www.fastrpz.com
:ipv4 = 104.244.13.104
DomainTools Farsight: Result limit reached
Use of meta:source nodes
Synapse-DomainTools uses a meta:source node and -(seen)> light
weight edges to track nodes observed from the DomainTools API.
> meta:source=9b243914666ac4d4ae5e253eddcc584d
meta:source=9b243914666ac4d4ae5e253eddcc584d
.created = 2024/04/25 15:15:01.446
:name = domaintools api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-DomainTools. The following example shows how to filter the results of a query to include only results observed by Synapse-DomainTools:
> inet:fqdn=vertex.link -> inet:dns:a +{ <(seen)- meta:source=9b243914666ac4d4ae5e253eddcc584d }
inet:dns:a=('vertex.link', '137.184.16.9')
.created = 2024/04/25 15:15:01.977
:fqdn = vertex.link
:ipv4 = 137.184.16.9