Overview
A cybercrime analyst receives a tip about a suspected phishing site impersonating a government tax portal. She registers the URL, and the URL domain immediately pulls WHOIS registration data showing a two-day-old domain, DNS records pointing to a bulletproof hosting provider, and an SSL certificate issued minutes after domain registration. That combination of infrastructure signals, assembled in seconds rather than hours, is what the URL domain provides.
The domain manages URL profiles for tracking and analysing web resources as part of investigations. Profiles capture URL structure, associated domain information, WHOIS registration data, DNS records, and SSL certificate details to build comprehensive intelligence about web resources of interest. All profile data is stored in PostgreSQL with full investigation linking and multi-tenant organisation isolation.
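The signal combination from the scenario above, as an added Python example that is not the platform's own code: it splits a URL into its RFC 3986 components and checks one profile for a young domain, a certificate issued close to registration, and hosting on a watchlisted network. The `UrlProfile` shape, the thresholds, the watchlist and all sample values are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit


@dataclass
class UrlProfile:  # hypothetical shape, not the platform's schema
    url: str
    whois_created: datetime
    cert_not_before: datetime
    a_records: list


def decompose(url):
    """Split a URL into RFC 3986 components; .hostname is lower-cased."""
    p = urlsplit(url)
    return {"scheme": p.scheme, "host": p.hostname or "", "port": p.port,
            "path": p.path, "query": p.query}


def infrastructure_signals(profile, observed_at, watchlist,
                           young=timedelta(days=7), cert_gap=timedelta(hours=1)):
    """Return the names of the signals that fire for one profile."""
    signals = []
    if observed_at - profile.whois_created < young:
        signals.append("young_domain")
    # Some CAs backdate notBefore to tolerate clock skew, so compare the
    # absolute distance between registration and issuance.
    if abs(profile.cert_not_before - profile.whois_created) <= cert_gap:
        signals.append("cert_near_registration")
    addrs = [ipaddress.ip_address(a) for a in profile.a_records]
    if any(a in net for a in addrs for net in watchlist):
        signals.append("flagged_hosting")
    return signals


UTC = timezone.utc
OBSERVED = datetime(2026, 1, 10, 12, 0, tzinfo=UTC)
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
SAMPLE = UrlProfile(  # constructed sample, not real data
    url="https://Tax-Refund.example.test/login/verify?session=abc",
    whois_created=datetime(2026, 1, 8, 9, 0, tzinfo=UTC),
    cert_not_before=datetime(2026, 1, 8, 9, 12, tzinfo=UTC),
    a_records=["203.0.113.45"],
)

if __name__ == "__main__":
    print(decompose(SAMPLE.url))
    print(infrastructure_signals(SAMPLE, OBSERVED, WATCHLIST))
```

No single signal is conclusive on its own; the value is in seeing which ones fire together for the same profile.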
Key Features
- URL Profile Management: Create and maintain detailed profiles for URLs under investigation, capturing the full URL structure including scheme, domain, and path components.
- WHOIS Integration: Retrieve and store domain registration information including registrar, registrant, registration dates, name servers, and domain status for investigative context.
- DNS Analysis: Record DNS information including A, AAAA, MX, NS, TXT, and CNAME records to understand the hosting infrastructure and mail configuration behind tracked URLs.
- SSL Certificate Tracking: Capture SSL certificate details including issuer, subject, validity dates, and fingerprints to verify site authenticity and track certificate changes.
- Status Monitoring: Track whether URLs are active or inactive with HTTP response code recording to monitor the operational status of web resources under investigation.
- Investigation Linking: Associate URL profiles with active investigations for organised case management and cross-reference analysis.
- Threat Assessment: Assign threat levels and assessments to URL profiles to communicate the risk associated with specific web resources.
Use Cases
- Cybercrime Investigations: Profile suspected phishing URLs with full infrastructure analysis including WHOIS, DNS, and SSL data to identify threat actors and hosting providers.
- Law Enforcement: Map the web infrastructure of investigation targets by profiling their URLs, domains, and hosting relationships to uncover shared infrastructure across criminal operations.
- Defence Intelligence: Maintain profiles for malicious URLs identified during threat intelligence operations, including hosting infrastructure and registration details, for attribution and blocking.
- Financial Crime: Document web-based evidence with comprehensive URL profiles that capture infrastructure state at the time of investigation for use in prosecution or regulatory proceedings.
Integration
The URL domain connects with cyber investigation capabilities across the platform:
- Domain Profiles: URL profiles link to parent domain records.
- Profile Management: URL profiles extend the base profile system.
- Threat Intelligence: URL indicators enrich threat analysis.
- Investigation Management: URL profiles associate with active investigations.
Open Standards
- RFC 3986 (URI Generic Syntax): URL profiles decompose each resource into its constituent scheme, authority, path, and query components in strict conformance with the IETF URI syntax specification.
- RFC 1035 / DNS Resource Record Types: DNS analysis captures A, AAAA, MX, NS, TXT, and CNAME records as defined by the Domain Name System specifications, enabling full mapping of hosting and mail infrastructure.
- X.509 / RFC 5280 (PKIX Certificate Profile): SSL certificate tracking stores issuer, subject, validity window, signature algorithm, and public key algorithm fields drawn directly from the ITU-T X.509 and IETF PKIX certificate structure.
- RFC 3912 (WHOIS Protocol): Domain registration intelligence is structured around WHOIS data fields (registrar, registrant, and creation, update, and expiry dates), as defined by the WHOIS query protocol specification.
- RFC 9110 (HTTP Semantics): URL status monitoring records HTTP response codes as defined by the HTTP semantics standard to indicate whether a resource is active or unreachable at the time of inspection.
- GraphQL (June 2018 Specification): The URL domain exposes its query and mutation operations through a typed GraphQL schema, enabling structured, field-precise retrieval and creation of URL profiles via a single API endpoint.
- OAuth 2.0 / OpenID Connect: All URL profile operations are gated behind authenticated sessions managed through OAuth 2.0 authorisation and OpenID Connect identity assertions, enforcing per-tenant access control on every request.
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14