Overview
A threat analyst is investigating a phishing campaign. The suspicious domain in the email is six days old, registered through a privacy-protecting registrar, and resolves to an IP in a residential ISP range. Those details matter: a freshly registered domain with hidden WHOIS data and an unusual hosting provider is a completely different risk profile from a decade-old domain with a consistent business registration history. The Domain domain stores, tracks, and analyses all of those signals as part of a structured domain profile.
Key Features
- Domain registration and WHOIS data management.
- DNS record tracking and historical analysis.
- Domain threat intelligence scoring.
- Domain-to-entity relationship mapping.
- Email domain association tracking.
- Domain timeline and change history.
- Organisation-scoped domain profile management.
- Integration with OSINT providers for domain enrichment.
Use Cases
Threat analysts build domain profiles for phishing and malware investigations, combining WHOIS data, DNS history, and threat intelligence scores to assess whether a domain is genuinely malicious or a false positive.
Law enforcement investigators track domain registration changes and ownership transfers associated with criminal activity, building a timeline of infrastructure changes that correlates with known criminal event dates.
Financial crime units correlate suspicious domains with known threat actors and campaigns, linking infrastructure to entities already identified in financial crime investigations.
Intelligence analysts enrich entity profiles with domain intelligence data, connecting individuals and organisations to the internet infrastructure associated with their activities.
Integration
Integrates with email profiling, threat intelligence, and digital footprint domains for comprehensive domain analysis.
Open Standards
- WHOIS (RFC 3912): Domain registration data, including registrar identity, creation and expiry dates, name servers, and historical ownership records, is stored and exposed directly from WHOIS query responses.
- DNS Resource Records (RFC 1034 / RFC 1035): The domain profile captures and tracks A, AAAA, MX, NS, TXT, CNAME, and SOA records, the core resource record types defined in the DNS specifications.
- X.509 Public Key Infrastructure (RFC 5280): TLS certificate details associated with a domain, including issuer, subject, validity window, and signature and public key algorithms, are modelled in accordance with the X.509 certificate structure.
- STIX 2.1 (OASIS CTI TC): Domains are represented as STIX domain-name Cyber Observable Objects and may be exported as STIX 2.1 Indicator SDOs with pattern expressions such as [domain-name:value = '...'] for sharing with compatible threat intelligence platforms.
- Traffic Light Protocol (TLP, FIRST): Domain profiles carry a secrecy level that maps directly to TLP:WHITE, TLP:GREEN, TLP:AMBER, and TLP:RED markings, controlling dissemination in line with the FIRST TLP standard.
- DNS over HTTPS (DoH, RFC 8484): Domain and IP enrichment queries are issued over DNS over HTTPS, enabling privacy-preserving DNS resolution during threat intelligence enrichment of domain profiles.
- GraphQL (June 2018 Specification): All domain profile queries and mutations are served through a typed GraphQL API, with camelCase field naming and strongly typed input and output schemas conforming to the GraphQL specification.
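The STIX 2.1 and TLP items above describe an export shape without showing one. The following is an added example, not code from the product, that turns a constructed domain profile into a STIX 2.1 bundle: a domain-name SCO with the deterministic UUIDv5 identifier the specification prescribes, an Indicator SDO carrying the `[domain-name:value = '...']` pattern, a `based-on` relationship between them, and the TLP marking-definition reference selected from the profile's secrecy level. The profile field names (`value`, `secrecy_level`, `threat_score`, `first_seen`) and the mapping of the threat score onto the STIX `confidence` property are assumptions made for this example; the marking-definition identifiers and the SCO namespace UUID are the fixed values from the STIX 2.1 specification.

```python
import json
import uuid
from datetime import datetime, timezone
from typing import Optional

# UUIDv5 namespace that STIX 2.1 prescribes for deterministic SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Marking-definition identifiers fixed by the STIX 2.1 specification for TLP markings.
TLP_MARKING_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# Constructed sample profile. The field names are an assumption for this example,
# not the product's actual schema.
SAMPLE_PROFILE = {
    "value": "login-verify.example",
    "secrecy_level": "amber",
    "threat_score": 87,
    "first_seen": "2026-02-01T09:30:00Z",
}


def stix_timestamp(dt: datetime) -> str:
    """Render a datetime as the RFC 3339 UTC form STIX uses (millisecond precision, 'Z')."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def pattern_literal(value: str) -> str:
    """Escape a string for a STIX pattern constant: backslash and single quote are escaped."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def domain_name_sco(value: str) -> dict:
    """Build a domain-name SCO whose id is UUIDv5 over the JSON-serialised id-contributing property."""
    contributing = json.dumps({"value": value}, separators=(",", ":"), sort_keys=True)
    return {
        "type": "domain-name",
        "spec_version": "2.1",
        "id": f"domain-name--{uuid.uuid5(STIX_SCO_NAMESPACE, contributing)}",
        "value": value,
    }


def indicator_for_domain(profile: dict, now: datetime) -> dict:
    """Build an Indicator SDO for the profile, marked with the TLP level of its secrecy setting."""
    secrecy = profile["secrecy_level"].lower()
    if secrecy not in TLP_MARKING_IDS:
        raise ValueError(f"unknown secrecy level: {secrecy}")
    ts = stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"Suspicious domain {profile['value']}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{pattern_literal(profile['value'])}']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": profile["first_seen"],
        # Assumed mapping: the profile's 0-100 threat score is used as STIX confidence.
        "confidence": int(profile["threat_score"]),
        "object_marking_refs": [TLP_MARKING_IDS[secrecy]],
    }


def build_bundle(profile: dict, now: Optional[datetime] = None) -> dict:
    """Assemble indicator, observable, and the based-on relationship into a STIX 2.1 bundle."""
    now = now or datetime.now(timezone.utc)
    sco = domain_name_sco(profile["value"])
    ind = indicator_for_domain(profile, now)
    rel = {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": ind["created"],
        "modified": ind["modified"],
        "relationship_type": "based-on",
        "source_ref": ind["id"],
        "target_ref": sco["id"],
        "object_marking_refs": ind["object_marking_refs"],
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [ind, sco, rel]}


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_PROFILE), indent=2))
```

Two details matter for interoperability with a receiving platform: the SCO identifier is derived from the domain value rather than generated randomly, so two exports of the same domain deduplicate on import, and the marking is attached as an `object_marking_refs` reference to the standard TLP marking-definition rather than as a free-text label.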
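The DoH item above says enrichment lookups are issued over RFC 8484 but not what such a request looks like on the wire. The following is an added example, not the product's enrichment code, that builds an RFC 1035 query message, encodes it the way RFC 8484 specifies for the GET method (base64url, padding stripped, message ID set to 0 so responses are cache-friendly), and parses the answer section of a constructed response, following name-compression pointers. The resolver URL `https://dns.example/dns-query` is a placeholder; no network request is made, and the sample response uses the 192.0.2.0/24 documentation range.

```python
import base64
import ipaddress
import struct

QTYPES = {"A": 1, "AAAA": 28}

# Constructed sample response to the query below: flags 0x8180 (response, RD, RA),
# one question, one answer whose name is a compression pointer (0xC00C) to offset 12,
# type A, class IN, TTL 300, rdata 192.0.2.1.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000" "8180" "0001" "0001" "0000" "0000"
    "03777777" "076578616d706c65" "03636f6d" "00" "0001" "0001"
    "c00c" "0001" "0001" "0000012c" "0004" "c0000201"
)


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    """Build an RFC 1035 query; ID 0 and RD set, as RFC 8484 recommends for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def doh_get_url(resolver_url: str, name: str, qtype: str = "A") -> str:
    """Form the RFC 8484 GET URL: ?dns=<base64url of the wire message, no padding>."""
    token = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg: bytes) -> list:
    """Return (type, ttl, value) for A/AAAA answers; raise on a non-zero RCODE."""
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if ident != 0 or not flags & 0x8000:
        raise ValueError("not a response to an ID-0 query")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append(("A", ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28:
            answers.append(("AAAA", ttl, str(ipaddress.IPv6Address(rdata))))
    return answers


if __name__ == "__main__":
    print(doh_get_url("https://dns.example/dns-query", "www.example.com"))
    print(parse_answers(SAMPLE_RESPONSE))
```

The `dns` parameter for `www.example.com` produced here is the same token RFC 8484 itself gives in its GET example, which is a convenient check that the encoding is right before sending real queries.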
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14