This is what Mike told me to add.

DNS RR History for a Type and Domain Name

The DNS database can be used to query the history that Umbrella has seen for a given domain.

The most common use case is to obtain the RRs (Resource Record) history for a given domain, passing in the record query type as a parameter, to help build intelligence around an domain. This API method returns the history of a DNS resource record for a given name, such as the list of IP addresses that a name maps to, and used to map to. The information provided is from within the last 90 days.

To gather a list of the nameservers for a domain, specify the DNS query type as NS. The list of nameservers for a domain gathered by this list may differ from the the list of nameservers gathered from the WHOIS data because the information here is dynamically gathered from DNS query data.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/dnsdb/name/a/example.com.json"

Parameter for input

Field
Type
Description

type

string

DNS record query type (A, NS, MX, TXT and CNAME are supported).

name

string

Domain name.

Returned value for output if Success 200

Response Class:
Resource Records

Field
Type
Description

first_seen

string

Date when the domain was first seen to our DNS database.

last_seen

string

Date when domain was last seen in our DNS database.

name

string

Name of the domain.

ttl

integer

Name of the domain.

class

string

DNS class type.

type

string

Query type.

rr

string

Resource record IP for the domain.

Response Class:
Features

Field
Type
Description

age

integer

The day in days between now and the last request for this domain. This value is only useful if present. A low score helps isolate attack domains that are short-lived.

ttls_min

integer

Minimum amount of time set that DNS records should be cached

ttls_max

integer

Maximum amount of time set that DNS records should be cached.

ttls_mean

float

Average amount of time set that DNS records should be cached.

ttls_median

float

Median amount of time set that DNS records should be cached.

ttls_stddev

float

Standard deviation of the amount of time set that DNS records should be cached.

country_codes

array

List of country codes (ex: US, FR, TW) for the IPs the name maps to.

country_count

integer

Number of countries the IPs are hosted in.

asns

array

List of ASN numbers the IPs are in.

asns_count

integer

Number of ASNs the IPs map to.

prefixes

array

List of network prefixes the IPs map to.

prefixes_count

float

Number of network prefixes the IPs map to.

rips

integer

Number of IPs seen for the domain name.

div_rips

float

The number of prefixes over the number of IPs.

locations

array

List of geo coordinates (WGS84 datum, decimal format) the IPs are mapping to.

locations_count

integer

Number of distinct geo coordinates the IPs are mapping to.

geo_distance_sum

float

Minimum sum of distance between locations, in kilometers.

geo_distance_mean

float

Mean distance between the geo median and each location, in kilometers.

non_routable

boolean

If one of the IPs is in a reserved, non-routable IP range.

mail_exchanger

boolean

If an MX query for this domain name has been seen.

cname

boolean

Returns true if a CNAME record has been seen for this domain name.

ff_candidate

boolean

If the domain name looks like a candidate for fast flux. This does not necessarily mean the domain is in fast flux, but rather that the IP address the domain resolves to changes rapidly (or has changed rapidly).

rips_stability

float

1.0 divided by the number of times the set of IP addresses changed.

base_domain

string

The base domain of the requested domain.

is_subdomain

boolean

Returns true if the requested domain is a subdomain of another.

GET https://investigate.api.umbrella.com/dnsdb/name/type/name.json
REQUEST
curl --include \
     --header "Authorization: Bearer %YourToken%" \
https://investigate.api.umbrella.com/dnsdb/name/{type}/{name}.json
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "rrs_tf": [
    {
      "first_seen": "2013-07-31",
      "last_seen": "2013-10-17",
      "rrs": [
        {
          "name": "example.com.",
          "ttl": 86400,
          "class": "IN",
          "type": "A",
          "rr": "93.184.216.119"
        }
      ]
    },
    {
      "first_seen": "2013-07-30",
      "last_seen": "2013-07-30",
      "rrs": [
        {
          "name": "example.com.",
          "ttl": 172800,
          "class": "IN",
          "type": "A",
          "rr": "192.0.43.10"
        },
        {
          "name": "example.com.",
          "ttl": 86400,
          "class": "IN",
          "type": "A",
          "rr": "93.184.216.119"
        }
      ]
    },
    {
      "first_seen": "2013-07-18",
      "last_seen": "2013-07-29",
      "rrs": [
        {
          "name": "example.com.",
          "ttl": 172800,
          "class": "IN",
          "type": "A",
          "rr": "192.0.43.10"
        }
      ]
    }
  ],
  "features": {
    "age": 91,
    "ttls_min": 86400,
    "ttls_max": 172800,
    "ttls_mean": 129600,
    "ttls_median": 129600,
    "ttls_stddev": 43200,
    "country_codes": [
      "US"
    ],
    "country_count": 1,
    "asns": [
      15133,
      40528
    ],
    "asns_count": 2,
    "prefixes": [
      "93.184.208.0",
      "192.0.43.0"
    ],
    "prefixes_count": 2,
    "rips": 2,
    "div_rips": 1,
    "locations": [
      {
        "lat": 38,
        "lon": -97
      },
      {
        "lat": 33.78659999999999,
        "lon": -118.2987
      }
    ],
    "locations_count": 2,
    "geo_distance_sum": 1970.1616237100388,
    "geo_distance_mean": 985.0808118550194,
    "non_routable": false,
    "mail_exchanger": false,
    "cname": false,
    "ff_candidate": false,
    "rips_stability": 0.5,
    "base_domain": "example.com",
    "is_subdomain": false
  }
}
    

Domain Tagging Dates for a Domain < DNS RR History for a Type and Domain Name > DNS RR History for an IP Address

DNS RR History for a Type and Domain Name