DNS and WHOIS Lookup API for Security Tools
Every domain on the internet has a story written in its DNS records and WHOIS data. Here's how to read it programmatically and build tools that use it.
What DNS Records Tell You
DNS (Domain Name System) is the phone book of the internet. When you query a domain's DNS records, you're looking up how that domain is configured — where its website lives, where its email goes, and what services it uses.
| Record Type | What It Contains | Why It Matters |
|---|---|---|
| A | IPv4 address | Where the website is hosted |
| AAAA | IPv6 address | Modern hosting setup indicator |
| MX | Mail server addresses | Email provider (Google Workspace, Microsoft 365, etc.) |
| TXT | Arbitrary text | SPF, DKIM, DMARC records for email auth; domain verification |
| NS | Nameserver addresses | DNS provider (Cloudflare, Route53, etc.) |
| CNAME | Alias to another domain | CDN setup, subdomain routing |
For security audits, the most interesting records are TXT (do they have SPF/DKIM/DMARC configured properly?) and MX (are they using a secure email provider?). Missing email authentication records are one of the most common security gaps on the internet.
How WHOIS Works
WHOIS is the registration database for domain names. When someone registers a domain, their contact information (or their privacy proxy's information) gets stored in the WHOIS database. Querying it tells you:
- Registrant — Who owns the domain (name, organization, email)
- Registrar — Where the domain was registered (GoDaddy, Namecheap, Cloudflare, etc.)
- Dates — When the domain was created, last updated, and when it expires
- Nameservers — Where DNS is managed
- Status codes — Lock status, transfer restrictions, pending actions
Privacy protection services (like WhoisGuard) mask the registrant's personal information, but you still get the registrar, dates, and nameservers — which are often the most useful data points for security and sales intelligence.
Use Cases
Security Audits
Check SPF/DKIM/DMARC, identify misconfigured DNS, detect expired SSL certs, find exposed subdomains
Domain Monitoring
Track domain expiration, detect DNS changes, alert on nameserver transfers, monitor for hijacking
Sales Intelligence
Identify a company's tech stack from DNS, find decision-maker emails, gauge company age from registration date
Brand Protection
Detect typosquatting domains, monitor new registrations similar to your brand, track competitor domains
Code Examples
cURL — DNS Lookup
curl -X POST https://rebirthapi.com/api/v1/url-metadata \
-H "Authorization: Bearer rb_live_your_key" \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com"}'
# Response includes DNS records, WHOIS data, SSL info, and more:
# {
# "domain": "example.com",
# "dns": {
# "a": ["93.184.216.34"],
# "mx": ["mail.example.com"],
# "txt": ["v=spf1 include:_spf.google.com ~all"],
# "ns": ["ns1.example.com", "ns2.example.com"]
# },
# "whois": {
# "registrar": "ICANN",
# "created": "1995-08-14",
# "expires": "2026-08-13",
# "nameservers": ["ns1.example.com"]
# },
# "ssl": { "valid": true, "issuer": "DigiCert", "expires": "2026-12-01" }
# }Python — Security Audit Script
import requests
from datetime import datetime
API_KEY = "rb_live_your_key"
HEADERS = {"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"}
def security_audit(domain: str) -> dict:
"""Run a DNS/WHOIS security audit on a domain."""
res = requests.post(
"https://rebirthapi.com/api/v1/url-metadata",
headers=HEADERS,
json={"url": f"https://{domain}"}
)
data = res.json()
issues = []
# Check email authentication
txt_records = " ".join(data.get("dns", {}).get("txt", []))
if "v=spf1" not in txt_records:
issues.append("CRITICAL: No SPF record — vulnerable to email spoofing")
if "v=DMARC1" not in txt_records.upper():
issues.append("WARNING: No DMARC record — no email spoofing policy")
# Check SSL
ssl = data.get("ssl", {})
if not ssl.get("valid"):
issues.append("CRITICAL: SSL certificate is invalid or missing")
elif ssl.get("expires"):
expires = datetime.strptime(ssl["expires"], "%Y-%m-%d")
days_left = (expires - datetime.now()).days
if days_left < 30:
issues.append(f"WARNING: SSL expires in {days_left} days")
# Check domain expiration
whois = data.get("whois", {})
if whois.get("expires"):
expires = datetime.strptime(whois["expires"], "%Y-%m-%d")
days_left = (expires - datetime.now()).days
if days_left < 60:
issues.append(f"WARNING: Domain expires in {days_left} days")
return {
"domain": domain,
"issues": issues,
"grade": "A" if not issues else "C" if len(issues) <= 2 else "F",
"dns": data.get("dns"),
"whois": whois,
"ssl": ssl
}
# Audit a domain
report = security_audit("example.com")
print(f"Grade: {report['grade']}")
for issue in report["issues"]:
print(f" - {issue}")Node.js — Domain Monitoring
async function checkDomain(domain) {
const res = await fetch('https://rebirthapi.com/api/v1/url-metadata', {
method: 'POST',
headers: {
'Authorization': 'Bearer rb_live_your_key',
'Content-Type': 'application/json'
},
body: JSON.stringify({ url: `https://${domain}` })
});
return res.json();
}
// Monitor a list of domains for expiring certs and domains
async function monitorDomains(domains) {
const alerts = [];
for (const domain of domains) {
const data = await checkDomain(domain);
const whoisExpires = data.whois?.expires;
const sslExpires = data.ssl?.expires;
if (whoisExpires) {
const daysLeft = Math.floor(
(new Date(whoisExpires) - Date.now()) / 86400000
);
if (daysLeft < 60) {
alerts.push(`${domain}: domain expires in ${daysLeft} days`);
}
}
if (sslExpires) {
const daysLeft = Math.floor(
(new Date(sslExpires) - Date.now()) / 86400000
);
if (daysLeft < 30) {
alerts.push(`${domain}: SSL expires in ${daysLeft} days`);
}
}
}
return alerts;
}
// Run daily via cron
const alerts = await monitorDomains([
'mycompany.com', 'client-a.com', 'client-b.com'
]);
if (alerts.length) {
console.log('ALERTS:', alerts);
// Send to Slack, email, PagerDuty, etc.
}Sales Intelligence from DNS
DNS records reveal a company's tech stack without any scraping. MX records tell you their email provider. TXT records expose which SaaS tools they verify domains with (Google, Salesforce, HubSpot, Atlassian). NS records show their DNS provider. CNAME records reveal their CDN and hosting setup.
Combine this with WHOIS data (company age from registration date, registrar choice) and you have a surprisingly detailed company profile — all from public DNS data and one API call.
FAQ
Is WHOIS data always available?
Registrar, dates, and nameservers are almost always available. Registrant contact information is often hidden behind privacy protection services, especially after GDPR. You'll still get the structural data that matters for security and intelligence use cases.
How often do DNS records change?
For most domains, rarely — maybe a few times a year. But when they do change (nameserver migration, email provider switch, hosting change), it's often significant. That's why monitoring is valuable.
Can I detect phishing domains with DNS?
Yes. Newly registered domains (WHOIS creation date within the last 30 days) that mimic legitimate brand names are strong phishing indicators. Combine with MX record analysis to see if they're set up to receive email.
What's the difference between DNS lookup and WHOIS?
DNS tells you how a domain is configured (where it points). WHOIS tells you who owns it and when it was registered. Both are public data, queried through different protocols. Rebirth API returns both in one call.
Try DNS and WHOIS Lookup Free
100 free calls/month. DNS records, WHOIS data, and SSL info in one call. No credit card required.