DNS RR History for an IP Address

The DNS database can be used to query the history that Umbrella has seen for a given IP address.

The most common use case is to obtain the DNS Resource Record (RR) history for a given IP, passing in the record query type as a parameter, to help build intelligence around an IP or a range of IPs. The information provided is from within the last 90 days.

This API method returns the Resource Record (RR) history for a given IP address, that is, the history of records that mapped to an IP's servers. Pass the resource record type (A, MX, etc.) as a parameter. The input must be specified as an IP address, including for queries against name servers.

If there is a CNAME record for the domain, it is returned regardless of the query type you request, because a CNAME applies to every record type.

To return the domains that the IP is a name server for, specify the DNS query type as NS.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/dnsdb/ip/a/93.184.216.119.json"

Parameter for input

| Field | Type | Description |
| --- | --- | --- |
| type | string | IP DNS resource record type (A, NS are supported) |
| ip | string | IP Address |

Returned value for output if Success 200

Response Class: Resource Records

| Field | Type | Description |
| --- | --- | --- |
| rr | string | Resource record owner. |
| ttl | integer | Time to live for this record. |
| class | string | DNS class type. |
| type | string | Query type. |
| name | string | The looked up IP address. |

Response Class: Features

| Field | Type | Description |
| --- | --- | --- |
| rr_count | integer | Number of records of that type mapping to the given IP. |
| ld2_count | integer | Number of 2-level names mapping to the given IP (for www.example.com, this considers example.com). |
| ld3_count | integer | Number of 3-level names mapping to the given IP (for www.example.com, this considers www.example.com). |
| ld2_1_count | integer | Number of 2-level names, without the TLD, mapping to the given IP (for www.example.com, this considers example). |
| ld2_2_count | integer | Number of 3-level names, without the TLD, mapping to a given IP (for www.example.com, this considers www.example). |
| div_ld2 | float | ld2_count divided by the number of records. |
| div_ld3 | float | ld3_count divided by the number of records. |
| div_ld2_1 | float | ld2_1_count divided by the number of records. |
| div_ld2_2 | float | ld2_2_count divided by the number of records. |

GET https://investigate.api.umbrella.com/dnsdb/ip/{type}/{ip}.json

REQUEST
curl --include \
     --header "Authorization: Bearer %YourToken%" \
     "https://investigate.api.umbrella.com/dnsdb/ip/{type}/{ip}.json"

RESPONSE (HTTP 200, Content-Type: application/json)
{
  "rrs": [
    {
      "rr": "www.example.com.",
      "ttl": 86400,
      "class": "IN",
      "type": "A",
      "name": "93.184.216.119"
    },
    {
      "rr": "www.example.net.",
      "ttl": 86400,
      "class": "IN",
      "type": "A",
      "name": "93.184.216.119"
    },
    {
      "rr": "www.example.org.",
      "ttl": 86400,
      "class": "IN",
      "type": "A",
      "name": "93.184.216.119"
    },
    {
      "rr": "examplewww.vip.icann.org.",
      "ttl": 30,
      "class": "IN",
      "type": "A",
      "name": "93.184.216.119"
    }
  ],
  "features": {
    "rr_count": 19,
    "ld2_count": 10,
    "ld3_count": 14,
    "ld2_1_count": 7,
    "ld2_2_count": 11,
    "div_ld2": 0.5263157894736842,
    "div_ld3": 0.7368421052631579,
    "div_ld2_1": 0.3684210526315789,
    "div_ld2_2": 0.5789473684210527
  }
}
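
As an added example (not part of the Umbrella documentation), the following Python code post-processes the sample response above into the fields an analyst typically pivots on: distinct 2-level and 3-level names, short-TTL records, records whose `name` does not match the queried IP, and `div_*` ratios that disagree with their `*_count / rr_count` definition. The function names, the 300-second TTL threshold and the 1e-9 tolerance are assumptions made for this example.

```python
import json

# Sample response body copied from the documented example above (embedded so this runs offline).
SAMPLE = json.loads("""{
  "rrs": [
    {"rr": "www.example.com.", "ttl": 86400, "class": "IN", "type": "A", "name": "93.184.216.119"},
    {"rr": "www.example.net.", "ttl": 86400, "class": "IN", "type": "A", "name": "93.184.216.119"},
    {"rr": "www.example.org.", "ttl": 86400, "class": "IN", "type": "A", "name": "93.184.216.119"},
    {"rr": "examplewww.vip.icann.org.", "ttl": 30, "class": "IN", "type": "A", "name": "93.184.216.119"}
  ],
  "features": {"rr_count": 19, "ld2_count": 10, "ld3_count": 14, "ld2_1_count": 7, "ld2_2_count": 11,
               "div_ld2": 0.5263157894736842, "div_ld3": 0.7368421052631579,
               "div_ld2_1": 0.3684210526315789, "div_ld2_2": 0.5789473684210527}
}""")

def last_labels(owner, n):
    """Last n labels of an owner name (n=2: www.example.com. -> example.com), as the Features table defines them."""
    labels = owner.rstrip(".").lower().split(".")
    return ".".join(labels[-n:])

def summarize(response, queried_ip, low_ttl=300):
    """Condense a /dnsdb/ip response; low_ttl (seconds) is an assumed triage threshold."""
    rrs = response.get("rrs", [])
    feats = response.get("features", {})
    # Every record's "name" should be the looked-up IP; anything else is a mismatched response.
    mismatched = [r["rr"] for r in rrs if r.get("name") != queried_ip]
    # Each div_* value is documented as the matching *_count divided by the number of records.
    rr_count = feats.get("rr_count", 0)
    inconsistent = []
    for key in ("ld2", "ld3", "ld2_1", "ld2_2"):
        if rr_count and abs(feats[f"{key}_count"] / rr_count - feats[f"div_{key}"]) > 1e-9:
            inconsistent.append(key)
    return {
        "ld2_names": sorted({last_labels(r["rr"], 2) for r in rrs}),
        "ld3_names": sorted({last_labels(r["rr"], 3) for r in rrs}),
        "low_ttl": sorted(r["rr"] for r in rrs if r["ttl"] <= low_ttl),
        "mismatched": mismatched,
        "inconsistent_features": inconsistent,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE, "93.184.216.119"), indent=2))
```

The `rrs` list in the sample holds four records while `rr_count` is 19, so the summary treats the record list and the feature counts as separate inputs rather than expecting them to match.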
    
