The whole namespace, on your own hardware
406M active domains with full RDAP, WHOIS and DNS, rebuilt daily. Hunt lookalikes, pivot on infrastructure, and enrich alerts locally. No per-lookup meter in the middle of an investigation, and no vendor watching your queries.
Hunt on the file, not on someone's API
Four recipes on the real schema. Every key below ships in the export. Run any of them against the free 10,000-row sample first.
DomainDomain creation dateDomain expiration dateDomain last changedRegistrarRDAP/WHOIS methodResponse Status RDAP/WHOISDNS records.NSDNS records.ADNS records.MXDNS records.TXT
Freshly registered domains
Every domain first seen this month, the raw material for typosquat and brand-abuse triage. Filter on the WHOIS creation date.
zstdcat webatla-rdap-whois-2026-07-10.jsonl.zst |
jq -c 'select(."Domain creation date" != null
and (."Domain creation date"[0:7]) >= "2026-07")
| {domain: .Domain, created: ."Domain creation date", registrar: .Registrar}' \
> new-this-month.jsonl
Pivot on a nameserver set
Find every domain served by an infrastructure you already flagged. Swap the pattern for the NS you are tracking.
zstdcat webatla-dns-2026-07-10.jsonl.zst |
jq -c 'select((."DNS records".NS // []) | any(test("registrar-servers\\.com")))
| {domain: .Domain, ns: ."DNS records".NS}' \
> on-that-ns.jsonl
IP to domains, the whole file
Build a reverse map from A records. Group by IP to see how many domains sit on one host, the shared-infrastructure signal.
zstdcat webatla-dns-2026-07-10.jsonl.zst |
jq -r 'select(."DNS records".A)
| ."DNS records".A[] as $ip
| "\($ip)\t\(.Domain)"' |
sort | uniq -c -w15 | sort -rn > ip-density.txt
Spoofable domains, at scale
Domains that publish SPF but have no MX are common phishing and spoofing candidates. Constant-memory pass over the full file.
import io, json, zstandard as zstd with open("webatla-dns-2026-07-10.jsonl.zst", "rb") as f: for line in io.TextIOWrapper(zstd.ZstdDecompressor().stream_reader(f)): d = (json.loads(line).get("DNS records") or {}) txt = " ".join(d.get("TXT") or []) if not d.get("MX") and "v=spf1" in txt: print(json.loads(line)["Domain"])
The DNS record field holds A, AAAA, NS, MX, TXT, SOA, CAA and more, arrays for most types and a host-plus-priority object for MX. The recipes handle those shapes as they really ship.
Why a file beats a lookup API for this work
Investigations are wide and fast. Metered lookups fight both.
No meter mid-hunt
Pivot across a whole campaign without watching a per-query counter or a monthly cap decide when you stop.
Your queries stay yours
The file sits on your hardware. What you look up, and when, is never a request to a third party that could log it.
Enrichment at line rate
Join a full domain feed against your alerts and IOCs locally. No round trip per indicator.
Reproducible snapshots
A dated export is a fixed point you can re-run a hunt against. A live API answers differently tomorrow.
Air-gap friendly
One file moves into an isolated environment. No outbound calls required to use it there.
Full DNS, not just an answer
NS, MX, TXT, CAA and the rest per domain, so infrastructure pivots do not need a second data source.
Where to start
Two datasets carry most security work. Take both in all-data when you want them joined.
rdap-whois, €299
376M registration records. Registrars, creation, expiry and last-changed dates for attribution and newly-registered-domain triage.
rdap-whois → registration + attributiondns, €199
344M domains with full DNS records across 21 record types. The infrastructure side of every pivot.
dns → infrastructure pivotsNeed both joined with technology and ranking on one key? That is all-data, €599 for every column.
The questions a SOC actually asks
Answered without hedging.
Is WHOIS still useful after redaction?
Yes. Contact fields are widely redacted, and we do not carry contact PII either. What stays is exactly what infrastructure work runs on: registrar, creation, expiry and last-changed dates, RDAP status, and full DNS. Attribution by timeline and infrastructure, not by a registrant name.
How fresh are newly registered domains?
Exports rebuild daily and one payment gives a calendar month of re-downloads. Pull the newest export as often as your pipeline wants, then diff against yesterday for the new-registration feed.
What DNS records are in there?
A, AAAA, NS, MX, TXT, SOA, CAA, DS, DNSKEY, CNAME and more, per domain. Arrays for most types, and a host-plus-priority object for MX. The recipes above show the exact shapes.
Can I use this inside a product or a service?
Enrichment, detection, scoring and alerting built on the data are yours to run and to sell. Reselling the raw rows onward needs a written agreement. Talk to sales.
Does it work in an isolated environment?
Yes. It is one file. Move it into an air-gapped or restricted network and query it there with no outbound calls.
Run a pivot on 10,000 real rows
No account, no email. If the sample fits your hunt, the full rdap-whois export is €299 and dns is €199.