
WHOIS Information for a Domain

This API method returns the WHOIS information for the specified email address(es), nameserver(s) and domains. You can also search by multiple email addresses or multiple nameservers.

This documentation outlines the following API endpoints: Email (single and multiple), Domain Record (current and historical), and Nameserver (single and multiple).

In some instances, WHOIS information can be irregular as there are no standards between domain registrars and large volumes of information can be returned from a query. As such, both the email and nameserver WHOIS endpoints have a limit of 500 results, which you can limit to a smaller set of results.
There is also an 'offset' parameter that can be leveraged to retrieve the entire set of domain entries for a given email without any limitation. Only the email parameter supports this.
The entries returned for the email parameter can also be sorted based on the timestamp field.

If a domain, email or nameserver has no known WHOIS information, HTTP 404 is returned. If a domain, email or nameserver does not exist, HTTP 404 will also be returned.

WHOIS – Single Email Address

The WHOIS email endpoint (/whois/emails/) will return the email address or addresses of the registrar for the domain or domains that are looked up. The results include the total number of results for domains registered by this email address and a list of the first 500 (by default) domains associated with this email. You may wish to pivot on this email to find other malicious domains registered by the same email. This endpoint is limited to a maximum of 500 results, which are the first 500 gathered from the database, but the limit can be reduced using the url-param limit, described in this section. Please note that several of the sample returns from these queries have been truncated due to length.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/emails/dns-admin@google.com"

Parameter for input

| Field | Type | Description |
| --- | --- | --- |
| email | string | Email address following rfc5322 conventions. |

Returned value for output if Success 200

| Field | Type | Description |
| --- | --- | --- |
| totalResults | integer | Total number of results for this email. |
| moreDataAvailable | boolean | Whether or not there are more than 500 results for this email, either yes or no. |
| limit | integer | Total number of results for this page of results, default 500. |
| domains | array of strings | Domains registered by this email and whether the domain is current, meaning currently registered by this email address. |

GET https://investigate.api.umbrella.com/whois/email
REQUEST
curl -H "Authorization: Bearer %YourToken%" \
 "https://investigate.api.umbrella.com/whois/emails/{email}"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "dns-admin@google.com": {
    "totalResults": 500,
    "moreDataAvailable": true,
    "limit": 500,
    "domains": [
      {
        "domain": "0emm.com",
        "current": true
      },
      {
        "domain": "10tothe100.net",
        "current": true
      },
      {
        "domain": "youtubube.com",
        "current": true
      },
      {
        "domain": "zagat.net",
        "current": true
      },
      {
        "domain": "zagatnyc.com",
        "current": true
      },
      {
        "domain": "zavers.com",
        "current": true
      }
    ]
  }
}
    

WHOIS – Multiple Email Addresses

To search by multiple emails, you must set the url-param emailList to a comma-delimited-list.

The parameters for input and the returned values are the same as for a single email, but with multiple arrays of domains returned.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/emails?emailList=dns-admin@google.com,hostmaster@charter.com"
GET https://investigate.api.umbrella.com/whois/email, email
REQUEST
curl -H "Authorization: Bearer %YourToken%" \
 "https://investigate.api.umbrella.com/whois/emails?emailList={email},{email}"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "admin@google.com": {
    "totalResults": 500,
    "moreDataAvailable": true,
    "limit": 500,
    "domains": [
      {
        "domain": "0emm.com",
        "current": true
      },
      {
        "domain": "10tothe100.net",
        "current": true
      },
      {
        "domain": "2clk.org",
        "current": true
      },
      {
        "domain": "zagat.net",
        "current": true
      },
      {
        "domain": "zagatnyc.com",
        "current": true
      },
      {
        "domain": "zavers.com",
        "current": true
      }
    ]
  },
  "hostmaster@charter.com": {
    "totalResults": 447,
    "moreDataAvailable": true,
    "limit": 500,
    "domains": [
      {
        "domain": "60for55.com",
        "current": true
      },
      {
        "domain": "alltogethernow.net",
        "current": true
      },
      {
        "domain": "autosoncharter.com",
        "current": true
      },
      {
        "domain": "yowzadeals.com",
        "current": true
      }
    ]
  }
}
    

WHOIS – Email Address Limits

To limit or expand the number of results for the emails endpoint, set the url-param limit. The default value is 500. The example below applies the limit to multiple email addresses; for a single email, just add ?limit= to the end of the query.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/emails?emailList=dns-admin@google.com,hostmaster@charter.com&limit=2"
GET https://investigate.api.umbrella.com/whois/email, email
REQUEST
curl -H "Authorization: Bearer %YourToken%"  \
 "https://investigate.api.umbrella.com/whois/emails?emailList={email},{email}&limit=2"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "dns-admin@google.com": {
    "totalResults": 2,
    "moreDataAvailable": true,
    "limit": 2,
    "domains": [
      {
        "domain": "googletisp.com",
        "current": true
      },
      {
        "domain": "pushlife.org",
        "current": true
      }
    ]
  },
  "hostmaster@charter.com": {
    "totalResults": 2,
    "moreDataAvailable": true,
    "limit": 2,
    "domains": [
      {
        "domain": "charter-internet.com",
        "current": true
      },
      {
        "domain": "charterliveit.org",
        "current": true
      }
    ]
  }
}
    

WHOIS – Email offset for pagination beyond 500 results

For paging with offset for domains with more than 500 results, set the url-param limit. Default value is 10.

This endpoint behaves slightly differently when the offset parameter is specified, because of duplicate domains present in the WHOIS data. The API will return only unique domains per page. If you want domains 500-1000, you'll likely get back fewer than 500 results (as below) because of duplicates within that page.

You can expect to see duplicates from page to page. For example, a domain may appear in the set from 0-500 and then again in the set from 1000-1500.

The 'moreDataAvailable' field is set to false once the offset+limit exceeds the total number of results available. For the example email used below, there are ~4800 domains associated, so moreDataAvailable will become false when offset=4500. To grab all 4800 domains, simply make a request to the emails endpoint and increment the offset by 500 each time until moreDataAvailable becomes false. You can also specify an offset with multiple emails, and you can specify a limit in addition to the offset if needed.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/emails/yingw90@yahoo.com?offset=500"

Result:

GET https://investigate.api.umbrella.com/whois/email
REQUEST
curl -H "Authorization: Bearer %YourToken%"  \
 "https://investigate.api.umbrella.com/whois/emails/{email}?offset=500"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
    "yingw90@yahoo.com": {
        "totalResults": 4800,
        "offset": 500,
        "moreDataAvailable": true,
        "limit": 500,
        "sortField": "domain name [default]",
        "domains": [{
            "domain": "394iopwekmcopw.com",
            "current": true
        }, {
            "domain": "a4egjph0jy.us",
            "current": false
        },
        .
        .
        .
        {
            "domain": "zvfietzdpzhutj.com",
            "current": true
        }, {
            "domain": "zyoz6g1hrf.com",
            "current": true
        }]

    },
}
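
The offset loop described in this section, written out as an added Python example (it is not part of the original documentation or Cisco's code). The names `domains_for_email`, `http_get_json` and the `fetch` hook are hypothetical, and merging the `current` flag with OR when a domain recurs on a later page is an assumption; the demo pages are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://investigate.api.umbrella.com"  # host used in the page's samples
PAGE_SIZE = 500                                # per-request maximum stated on the page


def http_get_json(url, token):
    """GET with the bearer token; None on HTTP 404 (no known WHOIS data)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def domains_for_email(email, token, fetch=http_get_json, max_pages=100):
    """Return {domain: current} for every domain tied to `email`."""
    merged = {}
    path = urllib.parse.quote(email, safe="@")  # keep '@', escape '/', '?', '+', ...
    for page in range(max_pages):               # hard stop if the flag never clears
        offset = page * PAGE_SIZE
        body = fetch(f"{BASE}/whois/emails/{path}?offset={offset}&limit={PAGE_SIZE}", token)
        if not body:
            break
        # Assumption: the response is keyed by the queried address, as in the samples.
        record = body.get(email) or next(iter(body.values()))
        for entry in record.get("domains", []):
            name = entry["domain"].lower()
            # The same domain can recur on a later page: merge, don't append.
            merged[name] = merged.get(name, False) or bool(entry.get("current"))
        if not record.get("moreDataAvailable"):
            break
        # Step by the page size, not by len(domains): per-page dedup makes pages short.
    return merged


if __name__ == "__main__":
    # Constructed pages (not real API output), keyed by offset.
    pages = {0: (["a.example", "b.example"], True), 500: (["b.example", "c.example"], False)}

    def fake_fetch(url, token):
        off = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["offset"][0])
        names, more = pages[off]
        return {"analyst@example.test": {"moreDataAvailable": more,
                "domains": [{"domain": n, "current": True} for n in names]}}

    print(sorted(domains_for_email("analyst@example.test", "unused", fetch=fake_fetch)))
```

Passing a real token with the default `fetch` performs the live requests; the `max_pages` cap bounds the number of calls if `moreDataAvailable` never becomes false.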
    

WHOIS – Sorting domains associated with email based on timestamp

To sort the list of domains based on timestamp, set the optional url-param 'sortField'. By default, domains are simply sorted by name in alphabetical order.

Possible values for "sortField" are: "created", "updated", and "expired", each of which sorts from the most recent date for the value of the WHOIS entry.

Any other value provided to this parameter will return results sorted by domainName by default.

NOTE: A sort combined with an offset returns significantly fewer results per page due to the changed order in which domains are being returned, but the overall set of domains still contains all the domains associated with the given email.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/emails/yingw90@gmail.com?sort=created"
GET https://investigate.api.umbrella.com/whois/email
REQUEST
curl -H "Authorization: Bearer %YourToken%"  \
 "https://investigate.api.umbrella.com/whois/emails/{email}?sort=created"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
    "yingw90@yahoo.com": {
        "totalResults": 500,
        "offset": 0,
        "moreDataAvailable": true,
        "limit": 500,
        "sortField":"created",
        "domains": [{
            "domain": "checkthisout.pro",
            "current": true
        }, {
            "domain": "zzsqluwqmgjbjfjow.com'",
            "current": false
        },
        .
        .
        .
        {
            "domain": "xenzaveersonu.com",
            "current": true
        }, {
            "domain": "wxnmvprmhk72.com",
            "current": true
        }]

    },
}
    

WHOIS – Searching by Nameserver

The Nameserver endpoint (/whois/nameservers/) allows you to search a nameserver to find all domains registered by that nameserver. You can search against a single nameserver or multiple nameservers in a query.

As a nameserver can potentially register hundreds or thousands of domains, the results are limited to 500 maximum results.

Sample query for a single nameserver:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/nameservers/ns2.google.com"

Parameter for input

| Field | Type | Description |
| --- | --- | --- |
| nameserver | string | Nameserver’s domain name. |

Returned value for output if Success 200

| Field | Type | Description |
| --- | --- | --- |
| totalResults | integer | Total number of domains registered for this nameserver. |
| moreDataAvailable | boolean | Whether or not there are more than 500 results for this nameserver. |
| limit | integer | Total number of results for this page of results, default 500. |
| domains | array of strings | Domains registered by this nameserver. |

GET https://investigate.api.umbrella.com/whois/nameservers
REQUEST
curl -H "Authorization: Bearer %YourToken%"  \
 "https://investigate.api.umbrella.com/whois/nameservers/nameserver"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "ns2.google.com": {
    "totalResults": 500,
    "moreDataAvailable": true,
    "limit": 500,
    "domains": [
      {
        "domain": "46645.biz",
        "current": true
      },
      {
        "domain": "800google411.net",
        "current": true
      },
      {
        "domain": "zagatnyc.com",
        "current": true
      },
      {
        "domain": "zavers.com",
        "current": true
      }
    ]
  }
}
    

WHOIS – Searching by Multiple Nameservers

To search by multiple nameservers, you must set the url-param nameServerList to a comma-delimited list, for instance: /whois/nameservers?nameServerList=ns1.google.com,ns2.google.com

The parameters for input and the returned values are the same as for a single nameserver, but with multiple arrays of domains returned.

Sample query for multiple nameservers:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com"
GET https://investigate.api.umbrella.com/whois/nameserver,nameserver
REQUEST
curl -H "Authorization: Bearer %YourToken%"  \
 "https://investigate.api.umbrella.com/whois/nameservers?nameServerList=nameserver,nameserver"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "ns1.google.com": {
    "totalResults": 500,
    "moreDataAvailable": true,
    "limit": 500,
    "domains": [
      {
        "domain": "46645.biz",
        "current": true
      },
      {
        "domain": "800google411.net",
        "current": true
      },
      {
        "domain": "zagatnyc.com",
        "current": true
      },
      {
        "domain": "zavers.com",
        "current": true
      }
    ]
  },
  "ns2.google.com": {
    "totalResults": 500,
    "moreDataAvailable": true,
    "limit": 500,
    "domains": [
      {
        "domain": "46645.biz",
        "current": true
      },
      {
        "domain": "800google411.net",
        "current": true
      },
      {
        "domain": "about-google.com",
        "current": true
      },
      {
        "domain": "zagatnyc.com",
        "current": true
      },
      {
        "domain": "zavers.com",
        "current": true
      }
    ]
  }
}
    

WHOIS - Search by Nameserver: Limits

To limit or expand the number of domains returned for each nameserver searched, set the url-param limit. The default value is 500. The example below applies the limit to multiple nameservers; for a single nameserver, just add ?limit= to the end of the query.

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com&limit=2"
GET https://investigate.api.umbrella.com/whois/nameservers/?nameServerList=nameserver,nameserver
REQUEST
curl -H "Authorization: Bearer %YourToken%"  \
 "https://investigate.api.umbrella.com/whois/nameservers/?nameServerList={nameserver},{nameserver}&limit=2"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "ns1.google.com": {
    "totalResults": 2,
    "moreDataAvailable": true,
    "limit": 2,
    "domains": [
      {
        "domain": "googletisp.com",
        "current": true
      },
      {
        "domain": "pushlife.org",
        "current": true
      }
    ]
  },
  "ns2.google.com": {
    "totalResults": 2,
    "moreDataAvailable": true,
    "limit": 2,
    "domains": [
      {
        "domain": "googletisp.com",
        "current": true
      },
      {
        "domain": "pushlife.org",
        "current": true
      }
    ]
  }
}
    

WHOIS – Single Domain Record and Domain History

The domain endpoint (/whois/domain.com) will provide a standard WHOIS response record for a single domain with all available WHOIS data returned in an array. The exact information displayed will vary depending on registrant.

To return any available historical records for the domain, add /history/ to the end of the query after the domain. The limit for history defaults to 10 but can be limited with the url-param limit. For example: /history?limit=2

You can also return the raw output of the DNS record (this is the same information as the "Raw Data" in the UI) by appending /raw/ to the query string. For example: /whois/google.com/raw

Sample query:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/google.com"

Sample query for domain history:

curl -H "Authorization: Bearer %YourToken%" "https://investigate.api.umbrella.com/whois/5esb.biz/history?limit=2"

Parameter for input

| Field | Type | Description |
| --- | --- | --- |
| domain | string | Domain name without wildcards and including TLD. |

Returned value for output if Success 200

| Field | Type | Description |
| --- | --- | --- |
| domain | array of strings | Array of WHOIS results for the domain provided with all available information. |

GET https://investigate.api.umbrella.com/whois/domain
REQUEST
curl -H "Authorization: Bearer %YourToken%" \
 "https://investigate.api.umbrella.com/whois/{domain}"
    
RESPONSE (HTTP 200, Content-Type: application/json)
{
  "administrativeContactFax": null,
  "whoisServers": null,
  "addresses": [
    "1600 amphitheatre parkway",
    "please contact contact-admin@google.com, 1600 amphitheatre parkway",
    "2400 e. bayshore pkwy"
  ],
  "administrativeContactName": "DNS Admin",
  "zoneContactEmail": null,
  "billingContactFax": null,
  "administrativeContactTelephoneExt": "",
  "administrativeContactEmail": "dns-admin@google.com",
  "technicalContactEmail": "dns-admin@google.com",
  "technicalContactFax": "16506181499",
  "nameServers": [
    "ns1.google.com",
    "ns2.google.com",
    "ns3.google.com",
    "ns4.google.com"
  ],
  "zoneContactName": "",
  "billingContactPostalCode": "",
  "zoneContactFax": "",
  "registrantTelephoneExt": "",
  "zoneContactFaxExt": "",
  "technicalContactTelephoneExt": "",
  "billingContactCity": "",
  "zoneContactStreet": [],
  "created": null,
  "administrativeContactCity": "Mountain View",
  "registrantName": "Dns Admin",
  "zoneContactCity": "",
  "domainName": "google.com",
  "zoneContactPostalCode": "",
  "administrativeContactFaxExt": "",
  "technicalContactCountry": "UNITED STATES",
  "registrarIANAID": "292",
  "updated": "2011-07-20 00:00:00 UTC",
  "administrativeContactStreet": [
    "1600 amphitheatre parkway"
  ],
  "billingContactEmail": "",
  "status": [
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited"
  ],
  "registrantCity": "Mountain View",
  "billingContactCountry": "",
  "expires": "2020-09-14 00:00:00 UTC",
  "technicalContactStreet": [
    "2400 e. bayshore pkwy"
  ],
  "registrantOrganization": "Google Inc.",
  "billingContactStreet": [],
  "registrarName": "MARKMONITOR INC.",
  "registrantPostalCode": "94043",
  "zoneContactTelephone": "",
  "registrantEmail": "dns-admin@google.com",
  "technicalContactFaxExt": "",
  "technicalContactOrganization": "Google Inc.",
  "emails": [
    "dns-admin@google.com"
  ],
  "registrantStreet": [
    "please contact contact-admin@google.com, 1600 amphitheatre parkway"
  ],
  "technicalContactTelephone": "16503300100",
  "technicalContactState": "CA",
  "technicalContactCity": "Mountain View",
  "registrantFax": "16506188571",
  "registrantCountry": "UNITED STATES",
  "billingContactFaxExt": "",
  "timestamp": null,
  "zoneContactOrganization": "",
  "administrativeContactCountry": "UNITED STATES",
  "billingContactName": "",
  "registrantState": "CA",
  "registrantTelephone": "16502530000",
  "administrativeContactState": "CA",
  "registrantFaxExt": "",
  "technicalContactPostalCode": "94043",
  "rawBase64": null,
  "zoneContactTelephoneExt": "",
  "administrativeContactOrganization": "Google Inc.",
  "billingContactTelephone": "",
  "billingContactTelephoneExt": "",
  "zoneContactState": "",
  "administrativeContactTelephone": "16506234000",
  "billingContactOrganization": "",
  "technicalContactName": "DNS Admin",
  "administrativeContactPostalCode": "94043",
  "zoneContactCountry": "",
  "billingContactState": ""
}
    
