WhoisXML API

Organization
    Focus: Internet intelligence
    Founded: 2010
    Founders: Jonathan Zhang

    WHOIS API, Inc, doing business under the brand name WhoisXML API[1], is an OEM data provider specializing in delivering large datasets of normalized WHOIS, IP, and DNS intelligence, along with other specialized Internet intelligence sources, such as predictive threat intelligence, website categorization, IP geolocation, and email verification.

    WhoisXML API Internet infrastructure intelligence data is used to build cybersecurity platforms, strengthen security services, and make cybersecurity processes and pipelines more meaningful and contextualized. Over 52,000 companies rely on WhoisXML API’s products, with its clients comprising Fortune 500 companies, security and technology solutions providers in the Cyber 150 list, and government organizations.

    WhoisXML API has been aggregating Internet intelligence data for more than 15 years and has since accumulated hundreds of billions of data points—including 23.8 billion+ historical WHOIS records, 116 billion+ DNS records, and the IP records of 10.5 million+ netblocks[2].

    To accumulate data in these repositories, WhoisXML API has established long-term partnerships with major data aggregators worldwide, including domain registries, registrars, ISPs, ICANN[3], and security agencies.

    History and Growth

    WhoisXML API was founded in 2010 after its CEO and founder, Jonathan Zhang, worked on a network security project that required access to structured WHOIS data. Zhang’s struggle to find a unified and readily integrable data source led to the idea of creating a company that would help organizations with that business problem.

    WhoisXML API’s overarching goal is to make the Internet safer and more transparent. The company does that by providing comprehensive and in-depth cyber intelligence.

    WhoisXML API has consistently been recognized as one of the fastest-growing companies by the Financial Times in 2022[4], 2023[5], 2024[6], and 2025[7] and by Inc. 5000[8] for seven years.

    Products and Services

    WhoisXML API offers various products and services through different consumption models—APIs, data feeds, and web-based GUIs. Below is a list of the WhoisXML API products as of 7 July 2025.

    Product types, covering Domain/WHOIS, DNS/IP, and other Internet intelligence:

    • APIs: WHOIS API, Bulk WHOIS API, Reverse WHOIS API, WHOIS History API, Domains & Subdomains Discovery API, Domain Availability API, DNS Chronicle API, DNS Lookup API, Reverse IP API, Reverse MX API, Reverse NS API, Reverse DNS API, Subdomains Lookup API, IP Geolocation API, IP Netblocks API, Website Categorization API, Domain Reputation API, Brand Alert API, Registrant Alert API, Email Verification API, Threat Intelligence API, MAC Address API, Screenshot API, SSL Certificates API
    • Data Feeds: WHOIS Database Download, WHOIS History Database Download, Newly Registered Domains, Real-time Domain Registration, DNS Database Download, Subdomains Database Download, IP Geolocation Database Download, IP Netblocks WHOIS Database, Regulatory Compliance IP Geolocation Data Feeds, Early DGA Detection Data Feed, Early Warning Phishing Data Feed, First Watch Malicious Domains Data Feed, Typosquatting Data Feed, Threat Intelligence Data Feeds, Disposable Email Domains Database, Free Email Domains Database, Website Categorization Database, MAC Address Vendor Database, SSL Certificates Database, Real-time SSL Certificates Streaming
    • Web Tools: WHOIS Lookup, Domain Age Checker, Bulk WHOIS Lookup, Reverse WHOIS Lookup, WHOIS History Lookup, Domains & Subdomains Discovery Lookup, Domain Availability Lookup, DNS Chronicle Lookup, DNS Lookup, TXT Record Lookup, MX Record Lookup, CNAME Record Lookup, Reverse IP Lookup, Reverse MX Lookup, Reverse NS Lookup, Reverse DNS Lookup, Subdomains Lookup, IP Geolocation Lookup, Bulk IP Geolocation Lookup, IP Netblocks Lookup, Website Categorization Lookup, Domain Reputation Lookup, Brand Alert Lookup, Registrant Alert Lookup, Email Verification Lookup, Bulk Email Verification Lookup, Threat Intelligence Lookup, MAC Address Lookup, Screenshot Lookup, SSL Certificates Lookup

    Product Categories

    Domain Intelligence

    WhoisXML API provides current and historical domain registration data aggregated using WHOIS and the new RDAP[9] protocol. This data includes details about the registrant, administrative and technical contacts, registration and expiration dates, nameservers, and the registrar responsible for the domain.

    WhoisXML API domain data is used by digital forensics and incident response teams to uncover connections to malicious campaigns and manage attack surfaces by screening domain ownership. It helps identify discrepancies in customers’ WHOIS information, protecting against identity theft and fraud. The data also supports brand protection by detecting cybersquatting and trademark infringement and contributes to due diligence in third-party monitoring.

    DNS Lookup and DNS History

    WhoisXML API offers active DNS services and states that it has the most extensive passive DNS database in the market, comprising more than 50 types[10] of DNS records, including A and AAAA records, MX records, NS records, TXT records, and SOA records.

    Clients use WhoisXML API’s DNS data to understand their DNS configurations and identify vulnerabilities, such as exploitable dangling records. Cyber investigators pivot off DNS lookup responses to add more context to their investigations.

    The company’s passive DNS data enables organizations to accelerate threat detection and response by analyzing historical DNS records for malware and threat patterns. It allows for continuous monitoring of threat actors' DNS footprints, exposing their malicious infrastructure and tactics, techniques and procedures (TTPs).

    IP Intelligence

    WhoisXML API provides comprehensive IP intelligence to clients seeking detailed context for any IP address. Its products offer IP geolocation data, including an IP address's city, country, and latitude and longitude, along with ASN information and IP netblock ownership details.

    The data helps build attacker profiles, identify cybercriminal hotspots, and prevent fraud by verifying user locations during transactions. It also enables precise geotargeting and content personalization for marketing professionals.

    Threat Intelligence Feeds

    WhoisXML API offers a variety of tactical Threat Intelligence Data Feeds that list malicious indicators involved in cyberattacks, phishing, botnets, malware, command-and-control (C&C) servers, spam, and other suspicious activities. These feeds are categorized by threat type, updated daily, and delivered in structured formats (e.g., CSV, JSONL) for easy integration.

    The company offers 10 different types of data:

    • Malicious IPv4/IPv6 address data feeds
    • Malicious domain name data feed
    • Malicious URL data feed
    • Malicious file hash data feed
    • Hosts files
    • Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation
    • Raw IPv4/IPv6 denylists
    • Raw domain denylist
    • Raw CIDR denylist
    • Malicious IPv4/IPv6 ranges in CIDR notation data feeds

    Predictive Threat Intelligence

    WhoisXML API's predictive threat intelligence relies on extensive historical domain data and advanced machine learning models to identify clusters of newly registered domains that are likely to be used for malicious purposes, such as phishing, typosquatting, malware distribution, and command-and-control (C&C) operations. Their predictive threat intelligence data feeds include:

    • First Watch Malicious Domains Data Feed
    • Newly Registered Domains Data Feed
    • Typosquatting Data Feed
    • Early DGA Detection Data Feed
    • Early Warning Phishing Data Feed
    • Disposable Email Domains Database

    Data Delivery Models

    WhoisXML API datasets are available through the following data delivery models:

    • APIs and lookups: APIs allow for on-demand data retrieval, where users send a specific query and receive immediate results. This delivery model is designed for applications where up-to-date information is critical, such as live fraud detection and intrusion detection/prevention systems (IDPS). Each API has a web-based lookup version that allows users to test the tool and view a sample of the API responses.
    • Database or data feeds: WhoisXML API delivers large datasets, either as a complete database or as daily, weekly, or monthly data feeds. This model is ideal for use cases requiring bulk data processing, historical analysis, building extensive internal datasets, or integrating data into large-scale SIEM systems for comprehensive threat intelligence.
    • The Domain Research Suite (DRS): DRS[11] is a web-based platform that brings nine WhoisXML API tools together in a single, user-friendly interface, with no API integration required. It is designed for manual investigations, ad-hoc research, and monitoring by users who need quick insights and alerts without writing code, such as brand managers, cybersecurity analysts, or legal professionals.

    Partnerships

    WhoisXML API maintains long-term continuous partnerships with several data aggregators and cybersecurity platforms. It regularly coordinates with ICANN, contributing to the organization’s policymaking discussions in ICANN77[12], ICANN82[13], and ICANN83[14].

    WhoisXML API has also become an integration partner of several cybersecurity marketplaces and platforms, including Maltego[15], OWASP Amass[16], Snowflake[17][18], Anomali[19], Sumo Logic[20], Pangea[21], Cyware[22], Query.AI[23], Logpresso[24], and Core4ce[25]. This means that WhoisXML API’s cyber intelligence is accessible from within these platforms, provided that the user has an API key.

    WhoisXML API presented a study on Global DNS trends at Europol’s 13th Operation In Our Sites (IOS) conference in April 2022[26], where researchers found bulk-registered typosquatting domains targeting luxury brands. In 2025, WhoisXML API partnered with Global Signal Exchange (GSE)[27] and contributed its Early Warning Phishing Feed to the project’s open data layer. WhoisXML API also joined the Internet Abuse Signal Collective (IASC)[28], analyzing more than 50 active malware families and processing over five petabytes of DNS, WHOIS, IP, and NetFlow records.

    Collaborations

    Over the years, WhoisXML API has worked with various researchers and government agencies. Its most notable collaborations include:

    • Darksight Analytics[29]: The intelligence consultancy company collaborated with WhoisXML API to expose an investment fraud network. They used the Domain Research Suite to uncover connections and infrastructure used by scammers, helping to map out the malicious network.
    • SIDN Labs and the Delft University of Technology[30]: In an ICANN-supported statistical analysis of DNS abuse, researchers from these organizations combined various datasets, including WhoisXML API's WHOIS data, to identify cybercriminal behavior patterns, including specific registrar characteristics that contribute to such behaviors.
    • EU DisinfoLab[31]: The nonprofit organization leveraged historical WHOIS data to investigate a large network of fake media outlets that led to the discovery of the "Indian Chronicles," a long-running disinformation campaign.
    • Lighthouse Reports[32]: The investigative journalism collective utilized WhoisXML API's current and historical WHOIS records to identify the owners and infrastructure behind websites used for a massive surveillance operation.
    • CyberPeace Institute[33]: A researcher at CyberPeace Institute used WhoisXML API’s passive DNS database to demonstrate the ease with which threat actors can enumerate cloud assets, specifically in multitenant applications.
    • University College London (UCL)[34]: A UCL researcher investigated smishing infrastructures of thousands of domain names using automated access to WHOIS data through WHOIS API. This enabled him to identify the registrars criminals commonly abused to register smishing domains.
    • DomainHunter[35]: The threat detection system integrates the WHOIS API to identify and profile potentially malicious domains by extracting detailed registration data. This enabled DomainHunter to create in-depth threat profiles of suspicious domains that include context on domain age, ownership, and hosting infrastructure.
    • NCPTF[36]: WhoisXML API supported the Missing Child Rescue Operation in Northeast Florida by supplying critical data points that aided in the efforts to locate missing children.

    References

    1. Official website
    2. WhoisXML API in Figures
    3. WhoisXML API Joins Industry Leaders at the ICANN82 Community Forum
    4. FT ranking: The Americas’ Fastest-Growing Companies 2022
    5. The Americas' Fastest Growing Companies 2023
    6. FT ranking: The Americas’ Fastest-Growing Companies 2024
    7. WhoisXML API Ranks in the Financial Times Top Fastest-Growing Companies in 2025
    8. WhoisXML API Ranked in Inc. 5000 2024 Fastest-Growing Companies in America
    9. What is RDAP?
    10. WhoisXML API documentation
    11. Domain Research Suite (DRS)
    12. ICANN77 Policy Outcome Report
    13. WhoisXML API Joins Industry Leaders at the ICANN82 Community Forum
    14. WhoisXML API is heading to ICANN83 Policy Forum
    15. WhoisXML API Transforms Now Available on Maltego
    16. OWASP Amass and WhoisXML API Are Now Integration Partners
    17. WhoisXML API Launches Newly Registered Domains Feed (Community Edition) on Snowflake Marketplace
    18. WhoisXML API Is Now a Snowflake Partner
    19. WhoisXML API Announces API Integration with Anomali ThreatStream
    20. WhoisXML API Is Now a Sumo Logic Partner
    21. WhoisXML API Integration Is Now Available on Pangea
    22. WhoisXML API Integration Is Now Available on Cyware
    23. WhoisXML API Integration Is Now Available on Query.AI
    24. Cyber Threat Detection Gets a Boost with Logpresso and WhoisXML API Partnership
    25. WhoisXML API Data Is Now Available on Core4ce’s Cyberscape
    26. WhoisXML API Presents Global DNS Trends at Europol
    27. WhoisXML API Is Now a Global Signal Exchange (GSE) Partner
    28. Internet Abuse Signal Collective (IASC)
    29. Darksight Analytics & WhoisXML API: Exposing an Investment Fraud Network
    30. ICANN-Supported Statistical Analysis & WhoisXML API: Making Sense of DNS Abuse in gTLDs
    31. EU DisinfoLab Uses Historical WHOIS Data to Cast a Light on Indian Chronicles
    32. WHOIS Data Aids Lighthouse Reports Shed Light on Years-Long Surveillance Operations
    33. CyberPeace Institute and WhoisXML API: Enumerating Cloud Assets with Passive DNS Intelligence
    34. University College London (UCL) and WhoisXML API: Understanding Smishing Infrastructures
    35. DomainHunter & WhoisXML API: Detecting and Profiling Potentially Malicious Domains
    36. 23 Missing & Endangered Children Located in Northeast Florida