{"_id":"581a1c069d2fee0f005a2f5a","category":{"_id":"5615790d0f5ed00d00483dd5","__v":19,"pages":["5615790e0f5ed00d00483dd7","561d48e46386060d00e06003","561d48fe31d9630d001eb5bd","561d49b657165b0d00aa5d8b","561d4a879463520d00cd11e2","561d67f48ca8b90d00210234","561d6a0bf0cff80d00ca22c3","561d6c5b071cd60d000d3221","562f9c2543c5570d001fe6bd","56311c99eae7ef0d00270e3d","56311d6702aff217007dba23","56311f96f1c0580d00fac719","563120b7242cda1900198b79","5631229bf1c0580d00fac721","563131559ead230d00a188f6","563134a324014b0d00bd9a4f","5631392082d96a0d00b0fb1d","56313c584b36120d00fdebfb","5642658ef424a10d00118360"],"project":"5615790c0f5ed00d00483dd1","version":"5615790d0f5ed00d00483dd4","sync":{"url":"","isSync":false},"reference":false,"createdAt":"2015-10-07T19:57:01.871Z","from_sync":false,"order":0,"slug":"opendns-investigate-rest-api","title":"Umbrella Investigate REST API"},"__v":0,"user":"560b40145148ba0d009bd0b5","version":{"_id":"5615790d0f5ed00d00483dd4","__v":6,"project":"5615790c0f5ed00d00483dd1","createdAt":"2015-10-07T19:57:01.307Z","releaseDate":"2015-10-07T19:57:01.307Z","categories":["5615790d0f5ed00d00483dd5","56157b2af432910d0000f9fe","56157cfb0f5ed00d00483ddb","562684d95db46b1700fd4f48","573b7ea9ef164e2900a2b8ff","582e285d8373c20f00810608"],"is_deprecated":false,"is_hidden":false,"is_beta":false,"is_stable":true,"codename":"","version_clean":"1.0.0","version":"1.0"},"parentDoc":null,"project":"5615790c0f5ed00d00483dd1","updates":[],"next":{"pages":[],"description":""},"createdAt":"2016-11-02T17:01:58.639Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"settings":"","results":{"codes":[]},"auth":"required","params":[],"url":""},"isReference":false,"order":16,"body":"This API method returns the WHOIS information for the specified email address(es), nameserver(s) and domains. You can also search by multiple email addresses or multiple nameservers.\n\nThis documentation outlines the following API endpoints: Email (single and multiple) Domain Record (current and historical) and Nameserver (single and multiple).\n\nIn some instances, WHOIS information can be irregular as there are no standards between domain registrars and large volumes of information can be returned from a query. As such, both the email and nameserver WHOIS endpoints have a limit of 500 results, which you can limit to a smaller set of results.  \nThere is also an 'offset' parameter that can be leveraged to retrieve the entire set of domain entries for a given email without any limitation. Only the email parameter supports this. \nThe email parameter can also be sorted by sort the entries based on the time stamp field. \n\nIf a domain, email or nameserver has no known WHOIS information, HTTP 404 is returned. If a domain, email or nameserver does not exist, HTTP 404 will also be returned.\n\n## WHOIS – Single Email Address ##\n\nThe WHOIS email endpoint (/whois/emails/) will return the email address or addresses of the registrar for the domain or domains that are looked up. The results include the total number of results for domains registered by this email address and a list of the first 500 (by default) domains associated with this email. You may wish to pivot on this API email to find other malicious domains registered by the same email. This endpoint is limited to a maximum of 500 results, which are the first 500 gathered from the database, but the limit can be reduced using the url-param limit, described in this section. Please note thate several of the sample returns from these query have been truncated due to length.\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/emails/dns-admin:::at:::google.com\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n### Parameter for input ### \n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Type\",\n    \"h-2\": \"Description\",\n    \"0-2\": \"Email address following rfc5322 conventions.\",\n    \"0-1\": \"string\",\n    \"0-0\": \"email\"\n  },\n  \"cols\": 3,\n  \"rows\": 1\n}\n[/block]\n### Returned value for output if Success 200 ###\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Type\",\n    \"h-2\": \"Description\",\n    \"0-0\": \"totalResults\",\n    \"0-1\": \"integer\",\n    \"1-0\": \"moreDataAvailable\",\n    \"2-0\": \"limit\",\n    \"3-0\": \"domains\",\n    \"1-1\": \"boolean\",\n    \"2-1\": \"integer\",\n    \"3-1\": \"array of strings\",\n    \"0-2\": \"Total number of results for this email.\",\n    \"1-2\": \"Whether or not there are more than 500 results for this email, either yes or no.\",\n    \"2-2\": \"Total number of results for this page of results, default 500.\",\n    \"3-2\": \"Domains registered by this email and whether the domain is current, meaning currently registered by this email address.\"\n  },\n  \"cols\": 3,\n  \"rows\": 4\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/email\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\\\\n \\\"https://investigate.api.umbrella.com/whois/emails/{email}\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n  \\\"dns-admin@google.com\\\": {\\n    \\\"totalResults\\\": 500,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 500,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"0emm.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"10tothe100.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"youtubube.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zagat.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zagatnyc.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zavers.com\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  }\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS – Multiple Email Addresses ##\n\nTo search by multiple emails, you must set the url-param emailList to a comma-delimited-list.\n\nThe parameters for input and the returned values are the same as for a single email, but with multiple arrays of domains returned.\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/emails?emailList=dns-admin@google.com,hostmaster@charter.com\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/email, email\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\\\\n \\\"https://investigate.api.umbrella.com/whois/emails?emailList={email},{email}\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n  \\\"admin@google.com\\\": {\\n    \\\"totalResults\\\": 500,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 500,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"0emm.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"10tothe100.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"2clk.org\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zagat.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zagatnyc.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zavers.com\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  },\\n  \\\"hostmaster@charter.com\\\": {\\n    \\\"totalResults\\\": 447,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 500,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"60for55.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"alltogethernow.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"autosoncharter.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"yowzadeals.com\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  }\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS – Email Address Limits ##\n\nTo limit or expand the number of results for the emails endpoint, set the url-param limit. Default value is 500. The example is to limit multiple email addresses; for a single email just add `?limit=` to the end of the query.\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/emails?emailList=dns-admin@google.com,hostmaster@charter.com&limit=2\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/email, email\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\"  \\\\\\n \\\"https://investigate.api.umbrella.com/whois/emails?emailList={email},{email}&limit=2\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n  \\\"dns-admin@google.com\\\": {\\n    \\\"totalResults\\\": 2,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 2,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"googletisp.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"pushlife.org\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  },\\n  \\\"hostmaster@charter.com\\\": {\\n    \\\"totalResults\\\": 2,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 2,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"charter-internet.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"charterliveit.org\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  }\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS – Email offset for pagination beyond 500 results ##\n\nFor paging with offset for domains with more than 500 results, set the url-param limit. Default value is 10.\n\nThis endpoint behaves slightly differently when using offset parameter is specified because of duplicate domains present in the WHOIS data. The API will return only unique domains per page. If you want domains 500-1000, you'll likely get back less than 500 results (as below) because of duplicates within that page. \n\nYou can expect to see duplicates from page to page. For example, a domain may appear in the set from 0-500 and then again from in the set from 1000-1500. \n\nThe 'moreDataAvailable' field will set to false once the offset+limit exceeds the total number of results available. For the example email used below, there are ~4800 domains associated, so moreDataAvailable will become false when offset=4500. To grab all 4800 emails, simply make a request to the emails endpoint and increment the offset by 500 each time until moreDataAvailable becomes false. You can also specify an offset with multiple emails, and you can specify a limit in addition to the offset if needed.\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/emails/yingw90@yahoo.com?offset=500\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\nResult:\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/email\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\"  \\\\\\n \\\"https://investigate.api.umbrella.com/whois/emails/{email}?offset=500\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n    \\\"yingw90@yahoo.com\\\": {\\n        \\\"totalResults\\\": 4800,\\n        \\\"offset\\\": 500,\\n        \\\"moreDataAvailable\\\": true,\\n        \\\"limit\\\": 500,\\n        \\\"sortField\\\": \\\"domain name [default]\\\",\\n        \\\"domains\\\": [{\\n            \\\"domain\\\": \\\"394iopwekmcopw.com\\\",\\n            \\\"current\\\": true\\n        }, {\\n            \\\"domain\\\": \\\"a4egjph0jy.us\\\",\\n            \\\"current\\\": false\\n        },\\n        .\\n        .\\n        .\\n        {\\n            \\\"domain\\\": \\\"zvfietzdpzhutj.com\\\",\\n            \\\"current\\\": true\\n        }, {\\n            \\\"domain\\\": \\\"zyoz6g1hrf.com\\\",\\n            \\\"current\\\": true\\n        }]\\n\\n    },\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS – Sorting domains associated with email based on timestamp ##\n\nTo sort the list of domains based on timestamp, set the optional url-param 'sortField'. By default, domains are simply sorted by name in alphabetical order.\n\nPossible values for \"sortField\" are: \"created\", \"updated\", and \"expired\", each of which sorts from the most recent date for the value of the WHOIS entry.\n\nAny other value provided to this parameter will return results sorted by domainName by default. \n\n*NOTE:* A Sort combined with an offset returns a significantly less number of results per page due to the changed order in which domains are being returned, but the overall set of domains still contains all the domains associated with the given email.\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/emails/yingw90@gmail.com?sort=created\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/email\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\"  \\\\\\n \\\"https://investigate.api.umbrella.com/whois/emails/{email}?sort=created\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n    \\\"yingw90@yahoo.com\\\": {\\n        \\\"totalResults\\\": 500,\\n        \\\"offset\\\": 0,\\n        \\\"moreDataAvailable\\\": true,\\n        \\\"limit\\\": 500,\\n        \\\"sortField\\\":\\\"created\\\",\\n        \\\"domains\\\": [{\\n            \\\"domain\\\": \\\"checkthisout.pro\\\",\\n            \\\"current\\\": true\\n        }, {\\n            \\\"domain\\\": \\\"zzsqluwqmgjbjfjow.com'\\\",\\n            \\\"current\\\": false\\n        },\\n        .\\n        .\\n        .\\n        {\\n            \\\"domain\\\": \\\"xenzaveersonu.com\\\",\\n            \\\"current\\\": true\\n        }, {\\n            \\\"domain\\\": \\\"wxnmvprmhk72.com\\\",\\n            \\\"current\\\": true\\n        }]\\n\\n    },\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS – Searching by Nameserver ##\n\nThe Nameserver endpoint (/whois/nameservers/) allows you to search a nameserver to find all domains registered by that nameserver. You can search against a single nameserver or multiple nameservers in a query.\n\nAs a nameserver can potentially register hundreds or thousands of domains, the results are limited to 500 maximum results.\n\nSample query for a single nameserver:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/nameservers/ns2.google.com\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n### Parameter for input ###\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Type\",\n    \"h-2\": \"Description\",\n    \"0-2\": \"Nameserver’s domain name.\",\n    \"0-1\": \"string\",\n    \"0-0\": \"nameserver\"\n  },\n  \"cols\": 3,\n  \"rows\": 1\n}\n[/block]\n### Returned value for output if Success 200 ###\n[block:parameters]\n{\n  \"data\": {\n    \"0-0\": \"totalResults\",\n    \"1-0\": \"moreDataAvailable\",\n    \"2-0\": \"limit\",\n    \"3-0\": \"domains\",\n    \"0-1\": \"integer\",\n    \"1-1\": \"boolean\",\n    \"2-1\": \"integer\",\n    \"3-1\": \"array of strings\",\n    \"0-2\": \"Total number of domains registered for this nameserver.\",\n    \"1-2\": \"Whether or not there are more than 500 results for this nameserver.\",\n    \"2-2\": \"Total number of results for this page of results, default 500.\",\n    \"3-2\": \"Domains registered by this nameserver.\"\n  },\n  \"cols\": 3,\n  \"rows\": 4\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/nameservers\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\"  \\\\\\n \\\"https://investigate.api.umbrella.com/whois/nameservers/nameserver\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n  \\\"ns2.google.com\\\": {\\n    \\\"totalResults\\\": 500,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 500,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"46645.biz\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"800google411.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zagatnyc.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zavers.com\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  }\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS – Searching by Multiple Nameservers ##\n\nTo search by multiple nameservers, you must set the url-param nameServerList to a comma-delimited list, for instance: `/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com`\n\nThe parameters for input and the returned values are the same as for a single nameserver, but with multiple arrays of domains returned.\n\nSample query for a multiple nameservers:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/nameserver,nameserver\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\"  \\\\\\n \\\"https://investigate.api.umbrella.com/whois/nameservers?nameServerList=nameserver,nameserver\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n  \\\"ns1.google.com\\\": {\\n    \\\"totalResults\\\": 500,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 500,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"46645.biz\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"800google411.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zagatnyc.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zavers.com\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  },\\n  \\\"ns2.google.com\\\": {\\n    \\\"totalResults\\\": 500,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 500,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"46645.biz\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"800google411.net\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"about-google.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zagatnyc.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"zavers.com\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  }\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS - Search by Nameserver: Limits ##\n\nTo limit or expand the number of domains returned for each nameserver searched, set the url-param limit. The default value is 500. The example is to limit multiple nameservers; for a single nameserver just add `?limit=` to the end of the query.\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com&limit=2\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/nameservers/?nameServerList=nameserver,nameserver\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\"  \\\\\\n \\\"https://investigate.api.umbrella.com/whois/nameservers/?nameServerList={nameserver},{nameserver}&limit=2\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n  \\\"ns1.google.com\\\": {\\n    \\\"totalResults\\\": 2,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 2,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"googletisp.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"pushlife.org\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  },\\n  \\\"ns2.google.com\\\": {\\n    \\\"totalResults\\\": 2,\\n    \\\"moreDataAvailable\\\": true,\\n    \\\"limit\\\": 2,\\n    \\\"domains\\\": [\\n      {\\n        \\\"domain\\\": \\\"googletisp.com\\\",\\n        \\\"current\\\": true\\n      },\\n      {\\n        \\\"domain\\\": \\\"pushlife.org\\\",\\n        \\\"current\\\": true\\n      }\\n    ]\\n  }\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n## WHOIS – Single Domain Record and Domain History ##\n\nThe domain endpoint (/whois/domain.com) will provide a standard WHOIS response record for a single domain with all available WHOIS data returned in an array. The exact information display will vary depending on registrant.\n\nTo return any available historical records for the domain, add /history/ to the end query after the domain. The limit for history defaults to 10 but can be limited with the url-param limit. For example: `/history?limit=2`\n\nYou can also return the raw output of the DNS record (this is the same information as the \"Raw Data\" in the UI) by appending /raw/ to the query string. For example: `/whois/google.com/raw`\n\nSample query:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/google.com\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\nSample query for domain history:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\"https://investigate.api.umbrella.com/whois/5esb.biz/history?limit=2\\\"\",\n      \"language\": \"text\"\n    }\n  ]\n}\n[/block]\n### Parameter for input ###\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Type\",\n    \"h-2\": \"Description\",\n    \"0-0\": \"domain\",\n    \"0-1\": \"string\",\n    \"0-2\": \"Domain name without wildcards and including TLD.\"\n  },\n  \"cols\": 3,\n  \"rows\": 1\n}\n[/block]\n### Returned value for output if Success 200 ###\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Type\",\n    \"h-2\": \"Description\",\n    \"0-0\": \"domain\",\n    \"0-1\": \"array of strings\",\n    \"0-2\": \"Array of WHOIS results for the domain provided with all available information.\"\n  },\n  \"cols\": 3,\n  \"rows\": 1\n}\n[/block]\n\n[block:html]\n{\n  \"html\": \"<div class=\\\"api-code-block\\\">\\n  <div class=\\\"api-code-block__header\\\">\\n    <span class=\\\"api-code-block__header__label\\\">GET</span> https://investigate.api.umbrella.com/whois/domain\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">REQUEST</div>\\n    <pre>curl -H \\\"Authorization: Bearer %YourToken%\\\" \\\\\\n \\\"https://investigate.api.umbrella.com/whois/{domain}\\\"\\n    </pre>\\n  </div>\\n  <div class=\\\"api-code-block__section\\\">\\n    <div class=\\\"api-code-block__section__header\\\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\\n    </div>\\n    <pre>\\n{\\n  \\\"administrativeContactFax\\\": null,\\n  \\\"whoisServers\\\": null,\\n  \\\"addresses\\\": [\\n    \\\"1600 amphitheatre parkway\\\",\\n    \\\"please contact contact-admin@google.com, 1600 amphitheatre parkway\\\",\\n    \\\"2400 e. bayshore pkwy\\\"\\n  ],\\n  \\\"administrativeContactName\\\": \\\"DNS Admin\\\",\\n  \\\"zoneContactEmail\\\": null,\\n  \\\"billingContactFax\\\": null,\\n  \\\"administrativeContactTelephoneExt\\\": \\\"\\\",\\n  \\\"administrativeContactEmail\\\": \\\"dns-admin@google.com\\\",\\n  \\\"technicalContactEmail\\\": \\\"dns-admin@google.com\\\",\\n  \\\"technicalContactFax\\\": \\\"16506181499\\\",\\n  \\\"nameServers\\\": [\\n    \\\"ns1.google.com\\\",\\n    \\\"ns2.google.com\\\",\\n    \\\"ns3.google.com\\\",\\n    \\\"ns4.google.com\\\"\\n  ],\\n  \\\"zoneContactName\\\": \\\"\\\",\\n  \\\"billingContactPostalCode\\\": \\\"\\\",\\n  \\\"zoneContactFax\\\": \\\"\\\",\\n  \\\"registrantTelephoneExt\\\": \\\"\\\",\\n  \\\"zoneContactFaxExt\\\": \\\"\\\",\\n  \\\"technicalContactTelephoneExt\\\": \\\"\\\",\\n  \\\"billingContactCity\\\": \\\"\\\",\\n  \\\"zoneContactStreet\\\": [],\\n  \\\"created\\\": null,\\n  \\\"administrativeContactCity\\\": \\\"Mountain View\\\",\\n  \\\"registrantName\\\": \\\"Dns Admin\\\",\\n  \\\"zoneContactCity\\\": \\\"\\\",\\n  \\\"domainName\\\": \\\"google.com\\\",\\n  \\\"zoneContactPostalCode\\\": \\\"\\\",\\n  \\\"administrativeContactFaxExt\\\": \\\"\\\",\\n  \\\"technicalContactCountry\\\": \\\"UNITED STATES\\\",\\n  \\\"registrarIANAID\\\": \\\"292\\\",\\n  \\\"updated\\\": \\\"2011-07-20 00:00:00 UTC\\\",\\n  \\\"administrativeContactStreet\\\": [\\n    \\\"1600 amphitheatre parkway\\\"\\n  ],\\n  \\\"billingContactEmail\\\": \\\"\\\",\\n  \\\"status\\\": [\\n    \\\"clientDeleteProhibited\\\",\\n    \\\"clientTransferProhibited\\\",\\n    \\\"clientUpdateProhibited\\\",\\n    \\\"serverDeleteProhibited\\\",\\n    \\\"serverTransferProhibited\\\",\\n    \\\"serverUpdateProhibited\\\"\\n  ],\\n  \\\"registrantCity\\\": \\\"Mountain View\\\",\\n  \\\"billingContactCountry\\\": \\\"\\\",\\n  \\\"expires\\\": \\\"2020-09-14 00:00:00 UTC\\\",\\n  \\\"technicalContactStreet\\\": [\\n    \\\"2400 e. bayshore pkwy\\\"\\n  ],\\n  \\\"registrantOrganization\\\": \\\"Google Inc.\\\",\\n  \\\"billingContactStreet\\\": [],\\n  \\\"registrarName\\\": \\\"MARKMONITOR INC.\\\",\\n  \\\"registrantPostalCode\\\": \\\"94043\\\",\\n  \\\"zoneContactTelephone\\\": \\\"\\\",\\n  \\\"registrantEmail\\\": \\\"dns-admin@google.com\\\",\\n  \\\"technicalContactFaxExt\\\": \\\"\\\",\\n  \\\"technicalContactOrganization\\\": \\\"Google Inc.\\\",\\n  \\\"emails\\\": [\\n    \\\"dns-admin@google.com\\\"\\n  ],\\n  \\\"registrantStreet\\\": [\\n    \\\"please contact contact-admin@google.com, 1600 amphitheatre parkway\\\"\\n  ],\\n  \\\"technicalContactTelephone\\\": \\\"16503300100\\\",\\n  \\\"technicalContactState\\\": \\\"CA\\\",\\n  \\\"technicalContactCity\\\": \\\"Mountain View\\\",\\n  \\\"registrantFax\\\": \\\"16506188571\\\",\\n  \\\"registrantCountry\\\": \\\"UNITED STATES\\\",\\n  \\\"billingContactFaxExt\\\": \\\"\\\",\\n  \\\"timestamp\\\": null,\\n  \\\"zoneContactOrganization\\\": \\\"\\\",\\n  \\\"administrativeContactCountry\\\": \\\"UNITED STATES\\\",\\n  \\\"billingContactName\\\": \\\"\\\",\\n  \\\"registrantState\\\": \\\"CA\\\",\\n  \\\"registrantTelephone\\\": \\\"16502530000\\\",\\n  \\\"administrativeContactState\\\": \\\"CA\\\",\\n  \\\"registrantFaxExt\\\": \\\"\\\",\\n  \\\"technicalContactPostalCode\\\": \\\"94043\\\",\\n  \\\"rawBase64\\\": null,\\n  \\\"zoneContactTelephoneExt\\\": \\\"\\\",\\n  \\\"administrativeContactOrganization\\\": \\\"Google Inc.\\\",\\n  \\\"billingContactTelephone\\\": \\\"\\\",\\n  \\\"billingContactTelephoneExt\\\": \\\"\\\",\\n  \\\"zoneContactState\\\": \\\"\\\",\\n  \\\"administrativeContactTelephone\\\": \\\"16506234000\\\",\\n  \\\"billingContactOrganization\\\": \\\"\\\",\\n  \\\"technicalContactName\\\": \\\"DNS Admin\\\",\\n  \\\"administrativeContactPostalCode\\\": \\\"94043\\\",\\n  \\\"zoneContactCountry\\\": \\\"\\\",\\n  \\\"billingContactState\\\": \\\"\\\"\\n}\\n    </pre>\\n  </div>\\n</div>\"\n}\n[/block]\n[AS Information for a Domain](https://docs.umbrella.com/developer/investigate-api/as-information-for-a-domain-1/) < **WHOIS Information for a Domain** > [Latest Malicious Domains for an IP](https://docs.umbrella.com/developer/investigate-api/latest-malicious-domains-for-an-ip-1/)","excerpt":"","slug":"whois-information-for-a-domain-1","type":"basic","title":"WHOIS Information for a Domain"}

WHOIS Information for a Domain


This API method returns the WHOIS information for the specified email address(es), nameserver(s) and domains. You can also search by multiple email addresses or multiple nameservers. This documentation outlines the following API endpoints: Email (single and multiple) Domain Record (current and historical) and Nameserver (single and multiple). In some instances, WHOIS information can be irregular as there are no standards between domain registrars and large volumes of information can be returned from a query. As such, both the email and nameserver WHOIS endpoints have a limit of 500 results, which you can limit to a smaller set of results. There is also an 'offset' parameter that can be leveraged to retrieve the entire set of domain entries for a given email without any limitation. Only the email parameter supports this. The email parameter can also be sorted by sort the entries based on the time stamp field. If a domain, email or nameserver has no known WHOIS information, HTTP 404 is returned. If a domain, email or nameserver does not exist, HTTP 404 will also be returned. ## WHOIS – Single Email Address ## The WHOIS email endpoint (/whois/emails/) will return the email address or addresses of the registrar for the domain or domains that are looked up. The results include the total number of results for domains registered by this email address and a list of the first 500 (by default) domains associated with this email. You may wish to pivot on this API email to find other malicious domains registered by the same email. This endpoint is limited to a maximum of 500 results, which are the first 500 gathered from the database, but the limit can be reduced using the url-param limit, described in this section. Please note thate several of the sample returns from these query have been truncated due to length. Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/emails/dns-admin@google.com\"", "language": "text" } ] } [/block] ### Parameter for input ### [block:parameters] { "data": { "h-0": "Field", "h-1": "Type", "h-2": "Description", "0-2": "Email address following rfc5322 conventions.", "0-1": "string", "0-0": "email" }, "cols": 3, "rows": 1 } [/block] ### Returned value for output if Success 200 ### [block:parameters] { "data": { "h-0": "Field", "h-1": "Type", "h-2": "Description", "0-0": "totalResults", "0-1": "integer", "1-0": "moreDataAvailable", "2-0": "limit", "3-0": "domains", "1-1": "boolean", "2-1": "integer", "3-1": "array of strings", "0-2": "Total number of results for this email.", "1-2": "Whether or not there are more than 500 results for this email, either yes or no.", "2-2": "Total number of results for this page of results, default 500.", "3-2": "Domains registered by this email and whether the domain is current, meaning currently registered by this email address." }, "cols": 3, "rows": 4 } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/email\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/emails/{email}\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"dns-admin@google.com\": {\n \"totalResults\": 500,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"domains\": [\n {\n \"domain\": \"0emm.com\",\n \"current\": true\n },\n {\n \"domain\": \"10tothe100.net\",\n \"current\": true\n },\n {\n \"domain\": \"youtubube.com\",\n \"current\": true\n },\n {\n \"domain\": \"zagat.net\",\n \"current\": true\n },\n {\n \"domain\": \"zagatnyc.com\",\n \"current\": true\n },\n {\n \"domain\": \"zavers.com\",\n \"current\": true\n }\n ]\n }\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS – Multiple Email Addresses ## To search by multiple emails, you must set the url-param emailList to a comma-delimited-list. The parameters for input and the returned values are the same as for a single email, but with multiple arrays of domains returned. Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/emails?emailList=dns-admin@google.com,hostmaster@charter.com\"", "language": "text" } ] } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/email, email\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/emails?emailList={email},{email}\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"admin@google.com\": {\n \"totalResults\": 500,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"domains\": [\n {\n \"domain\": \"0emm.com\",\n \"current\": true\n },\n {\n \"domain\": \"10tothe100.net\",\n \"current\": true\n },\n {\n \"domain\": \"2clk.org\",\n \"current\": true\n },\n {\n \"domain\": \"zagat.net\",\n \"current\": true\n },\n {\n \"domain\": \"zagatnyc.com\",\n \"current\": true\n },\n {\n \"domain\": \"zavers.com\",\n \"current\": true\n }\n ]\n },\n \"hostmaster@charter.com\": {\n \"totalResults\": 447,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"domains\": [\n {\n \"domain\": \"60for55.com\",\n \"current\": true\n },\n {\n \"domain\": \"alltogethernow.net\",\n \"current\": true\n },\n {\n \"domain\": \"autosoncharter.com\",\n \"current\": true\n },\n {\n \"domain\": \"yowzadeals.com\",\n \"current\": true\n }\n ]\n }\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS – Email Address Limits ## To limit or expand the number of results for the emails endpoint, set the url-param limit. Default value is 500. The example is to limit multiple email addresses; for a single email just add `?limit=` to the end of the query. Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/emails?emailList=dns-admin@google.com,hostmaster@charter.com&limit=2\"", "language": "text" } ] } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/email, email\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/emails?emailList={email},{email}&limit=2\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"dns-admin@google.com\": {\n \"totalResults\": 2,\n \"moreDataAvailable\": true,\n \"limit\": 2,\n \"domains\": [\n {\n \"domain\": \"googletisp.com\",\n \"current\": true\n },\n {\n \"domain\": \"pushlife.org\",\n \"current\": true\n }\n ]\n },\n \"hostmaster@charter.com\": {\n \"totalResults\": 2,\n \"moreDataAvailable\": true,\n \"limit\": 2,\n \"domains\": [\n {\n \"domain\": \"charter-internet.com\",\n \"current\": true\n },\n {\n \"domain\": \"charterliveit.org\",\n \"current\": true\n }\n ]\n }\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS – Email offset for pagination beyond 500 results ## For paging with offset for domains with more than 500 results, set the url-param limit. Default value is 10. This endpoint behaves slightly differently when using offset parameter is specified because of duplicate domains present in the WHOIS data. The API will return only unique domains per page. If you want domains 500-1000, you'll likely get back less than 500 results (as below) because of duplicates within that page. You can expect to see duplicates from page to page. For example, a domain may appear in the set from 0-500 and then again from in the set from 1000-1500. The 'moreDataAvailable' field will set to false once the offset+limit exceeds the total number of results available. For the example email used below, there are ~4800 domains associated, so moreDataAvailable will become false when offset=4500. To grab all 4800 emails, simply make a request to the emails endpoint and increment the offset by 500 each time until moreDataAvailable becomes false. You can also specify an offset with multiple emails, and you can specify a limit in addition to the offset if needed. Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/emails/yingw90@yahoo.com?offset=500", "language": "text" } ] } [/block] Result: [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/email\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/emails/{email}?offset=500\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"yingw90@yahoo.com\": {\n \"totalResults\": 4800,\n \"offset\": 500,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"sortField\": \"domain name [default]\",\n \"domains\": [{\n \"domain\": \"394iopwekmcopw.com\",\n \"current\": true\n }, {\n \"domain\": \"a4egjph0jy.us\",\n \"current\": false\n },\n .\n .\n .\n {\n \"domain\": \"zvfietzdpzhutj.com\",\n \"current\": true\n }, {\n \"domain\": \"zyoz6g1hrf.com\",\n \"current\": true\n }]\n\n },\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS – Sorting domains associated with email based on timestamp ## To sort the list of domains based on timestamp, set the optional url-param 'sortField'. By default, domains are simply sorted by name in alphabetical order. Possible values for "sortField" are: "created", "updated", and "expired", each of which sorts from the most recent date for the value of the WHOIS entry. Any other value provided to this parameter will return results sorted by domainName by default. *NOTE:* A Sort combined with an offset returns a significantly less number of results per page due to the changed order in which domains are being returned, but the overall set of domains still contains all the domains associated with the given email. Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/emails/yingw90@gmail.com?sort=created", "language": "text" } ] } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/email\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/emails/{email}?sort=created\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"yingw90@yahoo.com\": {\n \"totalResults\": 500,\n \"offset\": 0,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"sortField\":\"created\",\n \"domains\": [{\n \"domain\": \"checkthisout.pro\",\n \"current\": true\n }, {\n \"domain\": \"zzsqluwqmgjbjfjow.com'\",\n \"current\": false\n },\n .\n .\n .\n {\n \"domain\": \"xenzaveersonu.com\",\n \"current\": true\n }, {\n \"domain\": \"wxnmvprmhk72.com\",\n \"current\": true\n }]\n\n },\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS – Searching by Nameserver ## The Nameserver endpoint (/whois/nameservers/) allows you to search a nameserver to find all domains registered by that nameserver. You can search against a single nameserver or multiple nameservers in a query. As a nameserver can potentially register hundreds or thousands of domains, the results are limited to 500 maximum results. Sample query for a single nameserver: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/nameservers/ns2.google.com\"", "language": "text" } ] } [/block] ### Parameter for input ### [block:parameters] { "data": { "h-0": "Field", "h-1": "Type", "h-2": "Description", "0-2": "Nameserver’s domain name.", "0-1": "string", "0-0": "nameserver" }, "cols": 3, "rows": 1 } [/block] ### Returned value for output if Success 200 ### [block:parameters] { "data": { "0-0": "totalResults", "1-0": "moreDataAvailable", "2-0": "limit", "3-0": "domains", "0-1": "integer", "1-1": "boolean", "2-1": "integer", "3-1": "array of strings", "0-2": "Total number of domains registered for this nameserver.", "1-2": "Whether or not there are more than 500 results for this nameserver.", "2-2": "Total number of results for this page of results, default 500.", "3-2": "Domains registered by this nameserver." }, "cols": 3, "rows": 4 } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/nameservers\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/nameservers/nameserver\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"ns2.google.com\": {\n \"totalResults\": 500,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"domains\": [\n {\n \"domain\": \"46645.biz\",\n \"current\": true\n },\n {\n \"domain\": \"800google411.net\",\n \"current\": true\n },\n {\n \"domain\": \"zagatnyc.com\",\n \"current\": true\n },\n {\n \"domain\": \"zavers.com\",\n \"current\": true\n }\n ]\n }\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS – Searching by Multiple Nameservers ## To search by multiple nameservers, you must set the url-param nameServerList to a comma-delimited list, for instance: `/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com` The parameters for input and the returned values are the same as for a single nameserver, but with multiple arrays of domains returned. Sample query for a multiple nameservers: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com\"", "language": "text" } ] } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/nameserver,nameserver\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/nameservers?nameServerList=nameserver,nameserver\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"ns1.google.com\": {\n \"totalResults\": 500,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"domains\": [\n {\n \"domain\": \"46645.biz\",\n \"current\": true\n },\n {\n \"domain\": \"800google411.net\",\n \"current\": true\n },\n {\n \"domain\": \"zagatnyc.com\",\n \"current\": true\n },\n {\n \"domain\": \"zavers.com\",\n \"current\": true\n }\n ]\n },\n \"ns2.google.com\": {\n \"totalResults\": 500,\n \"moreDataAvailable\": true,\n \"limit\": 500,\n \"domains\": [\n {\n \"domain\": \"46645.biz\",\n \"current\": true\n },\n {\n \"domain\": \"800google411.net\",\n \"current\": true\n },\n {\n \"domain\": \"about-google.com\",\n \"current\": true\n },\n {\n \"domain\": \"zagatnyc.com\",\n \"current\": true\n },\n {\n \"domain\": \"zavers.com\",\n \"current\": true\n }\n ]\n }\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS - Search by Nameserver: Limits ## To limit or expand the number of domains returned for each nameserver searched, set the url-param limit. The default value is 500. The example is to limit multiple nameservers; for a single nameserver just add `?limit=` to the end of the query. Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/nameservers?nameServerList=ns1.google.com,ns2.google.com&limit=2\"", "language": "text" } ] } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/nameservers/?nameServerList=nameserver,nameserver\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/nameservers/?nameServerList={nameserver},{nameserver}&limit=2\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"ns1.google.com\": {\n \"totalResults\": 2,\n \"moreDataAvailable\": true,\n \"limit\": 2,\n \"domains\": [\n {\n \"domain\": \"googletisp.com\",\n \"current\": true\n },\n {\n \"domain\": \"pushlife.org\",\n \"current\": true\n }\n ]\n },\n \"ns2.google.com\": {\n \"totalResults\": 2,\n \"moreDataAvailable\": true,\n \"limit\": 2,\n \"domains\": [\n {\n \"domain\": \"googletisp.com\",\n \"current\": true\n },\n {\n \"domain\": \"pushlife.org\",\n \"current\": true\n }\n ]\n }\n}\n </pre>\n </div>\n</div>" } [/block] ## WHOIS – Single Domain Record and Domain History ## The domain endpoint (/whois/domain.com) will provide a standard WHOIS response record for a single domain with all available WHOIS data returned in an array. The exact information display will vary depending on registrant. To return any available historical records for the domain, add /history/ to the end query after the domain. The limit for history defaults to 10 but can be limited with the url-param limit. For example: `/history?limit=2` You can also return the raw output of the DNS record (this is the same information as the "Raw Data" in the UI) by appending /raw/ to the query string. For example: `/whois/google.com/raw` Sample query: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/google.com\"", "language": "text" } ] } [/block] Sample query for domain history: [block:code] { "codes": [ { "code": "curl -H \"Authorization: Bearer %YourToken%\" \"https://investigate.api.umbrella.com/whois/5esb.biz/history?limit=2\"", "language": "text" } ] } [/block] ### Parameter for input ### [block:parameters] { "data": { "h-0": "Field", "h-1": "Type", "h-2": "Description", "0-0": "domain", "0-1": "string", "0-2": "Domain name without wildcards and including TLD." }, "cols": 3, "rows": 1 } [/block] ### Returned value for output if Success 200 ### [block:parameters] { "data": { "h-0": "Field", "h-1": "Type", "h-2": "Description", "0-0": "domain", "0-1": "array of strings", "0-2": "Array of WHOIS results for the domain provided with all available information." }, "cols": 3, "rows": 1 } [/block] [block:html] { "html": "<div class=\"api-code-block\">\n <div class=\"api-code-block__header\">\n <span class=\"api-code-block__header__label\">GET</span> https://investigate.api.umbrella.com/whois/domain\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">REQUEST</div>\n <pre>curl -H \"Authorization: Bearer %YourToken%\" \\\n \"https://investigate.api.umbrella.com/whois/{domain}\"\n </pre>\n </div>\n <div class=\"api-code-block__section\">\n <div class=\"api-code-block__section__header\">RESPONSE <em>(HTTP 200, Content-Type: application/json)</em>\n </div>\n <pre>\n{\n \"administrativeContactFax\": null,\n \"whoisServers\": null,\n \"addresses\": [\n \"1600 amphitheatre parkway\",\n \"please contact contact-admin@google.com, 1600 amphitheatre parkway\",\n \"2400 e. bayshore pkwy\"\n ],\n \"administrativeContactName\": \"DNS Admin\",\n \"zoneContactEmail\": null,\n \"billingContactFax\": null,\n \"administrativeContactTelephoneExt\": \"\",\n \"administrativeContactEmail\": \"dns-admin@google.com\",\n \"technicalContactEmail\": \"dns-admin@google.com\",\n \"technicalContactFax\": \"16506181499\",\n \"nameServers\": [\n \"ns1.google.com\",\n \"ns2.google.com\",\n \"ns3.google.com\",\n \"ns4.google.com\"\n ],\n \"zoneContactName\": \"\",\n \"billingContactPostalCode\": \"\",\n \"zoneContactFax\": \"\",\n \"registrantTelephoneExt\": \"\",\n \"zoneContactFaxExt\": \"\",\n \"technicalContactTelephoneExt\": \"\",\n \"billingContactCity\": \"\",\n \"zoneContactStreet\": [],\n \"created\": null,\n \"administrativeContactCity\": \"Mountain View\",\n \"registrantName\": \"Dns Admin\",\n \"zoneContactCity\": \"\",\n \"domainName\": \"google.com\",\n \"zoneContactPostalCode\": \"\",\n \"administrativeContactFaxExt\": \"\",\n \"technicalContactCountry\": \"UNITED STATES\",\n \"registrarIANAID\": \"292\",\n \"updated\": \"2011-07-20 00:00:00 UTC\",\n \"administrativeContactStreet\": [\n \"1600 amphitheatre parkway\"\n ],\n \"billingContactEmail\": \"\",\n \"status\": [\n \"clientDeleteProhibited\",\n \"clientTransferProhibited\",\n \"clientUpdateProhibited\",\n \"serverDeleteProhibited\",\n \"serverTransferProhibited\",\n \"serverUpdateProhibited\"\n ],\n \"registrantCity\": \"Mountain View\",\n \"billingContactCountry\": \"\",\n \"expires\": \"2020-09-14 00:00:00 UTC\",\n \"technicalContactStreet\": [\n \"2400 e. bayshore pkwy\"\n ],\n \"registrantOrganization\": \"Google Inc.\",\n \"billingContactStreet\": [],\n \"registrarName\": \"MARKMONITOR INC.\",\n \"registrantPostalCode\": \"94043\",\n \"zoneContactTelephone\": \"\",\n \"registrantEmail\": \"dns-admin@google.com\",\n \"technicalContactFaxExt\": \"\",\n \"technicalContactOrganization\": \"Google Inc.\",\n \"emails\": [\n \"dns-admin@google.com\"\n ],\n \"registrantStreet\": [\n \"please contact contact-admin@google.com, 1600 amphitheatre parkway\"\n ],\n \"technicalContactTelephone\": \"16503300100\",\n \"technicalContactState\": \"CA\",\n \"technicalContactCity\": \"Mountain View\",\n \"registrantFax\": \"16506188571\",\n \"registrantCountry\": \"UNITED STATES\",\n \"billingContactFaxExt\": \"\",\n \"timestamp\": null,\n \"zoneContactOrganization\": \"\",\n \"administrativeContactCountry\": \"UNITED STATES\",\n \"billingContactName\": \"\",\n \"registrantState\": \"CA\",\n \"registrantTelephone\": \"16502530000\",\n \"administrativeContactState\": \"CA\",\n \"registrantFaxExt\": \"\",\n \"technicalContactPostalCode\": \"94043\",\n \"rawBase64\": null,\n \"zoneContactTelephoneExt\": \"\",\n \"administrativeContactOrganization\": \"Google Inc.\",\n \"billingContactTelephone\": \"\",\n \"billingContactTelephoneExt\": \"\",\n \"zoneContactState\": \"\",\n \"administrativeContactTelephone\": \"16506234000\",\n \"billingContactOrganization\": \"\",\n \"technicalContactName\": \"DNS Admin\",\n \"administrativeContactPostalCode\": \"94043\",\n \"zoneContactCountry\": \"\",\n \"billingContactState\": \"\"\n}\n </pre>\n </div>\n</div>" } [/block] [AS Information for a Domain](https://docs.umbrella.com/developer/investigate-api/as-information-for-a-domain-1/) < **WHOIS Information for a Domain** > [Latest Malicious Domains for an IP](https://docs.umbrella.com/developer/investigate-api/latest-malicious-domains-for-an-ip-1/)