For security and OSINT teams

The whole namespace, on your own hardware

406M active domains with full RDAP, WHOIS and DNS, rebuilt daily. Hunt lookalikes, pivot on infrastructure, and enrich alerts locally. No per-lookup meter in the middle of an investigation, and no vendor watching your queries.

Get a free 10K sample See rdap-whois, €299

Jump to the hunting recipes →

376MRDAP and WHOIS records
344Mdomains with full DNS
Offlineno per-lookup meter, no query logs
Dailynewly registered domains land fast

Hunt on the file, not on someone's API

Four recipes on the real schema. Every key below ships in the export. Run any of them against the free 10,000-row sample first.

DomainDomain creation dateDomain expiration dateDomain last changedRegistrarRDAP/WHOIS methodResponse Status RDAP/WHOISDNS records.NSDNS records.ADNS records.MXDNS records.TXT

Freshly registered domains

Every domain first seen this month, the raw material for typosquat and brand-abuse triage. Filter on the WHOIS creation date.

bash + jq
zstdcat webatla-rdap-whois-2026-07-10.jsonl.zst |
jq -c 'select(."Domain creation date" != null
   and (."Domain creation date"[0:7]) >= "2026-07")
   | {domain: .Domain, created: ."Domain creation date", registrar: .Registrar}' \
  > new-this-month.jsonl

Pivot on a nameserver set

Find every domain served by an infrastructure you already flagged. Swap the pattern for the NS you are tracking.

bash + jq
zstdcat webatla-dns-2026-07-10.jsonl.zst |
jq -c 'select((."DNS records".NS // []) | any(test("registrar-servers\\.com")))
   | {domain: .Domain, ns: ."DNS records".NS}' \
  > on-that-ns.jsonl

IP to domains, the whole file

Build a reverse map from A records. Group by IP to see how many domains sit on one host, the shared-infrastructure signal.

bash + jq
zstdcat webatla-dns-2026-07-10.jsonl.zst |
jq -r 'select(."DNS records".A)
   | ."DNS records".A[] as $ip
   | "\($ip)\t\(.Domain)"' |
sort | uniq -c -w15 | sort -rn > ip-density.txt

Spoofable domains, at scale

Domains that publish SPF but have no MX are common phishing and spoofing candidates. Constant-memory pass over the full file.

python
import io, json, zstandard as zstd

with open("webatla-dns-2026-07-10.jsonl.zst", "rb") as f:
    for line in io.TextIOWrapper(zstd.ZstdDecompressor().stream_reader(f)):
        d = (json.loads(line).get("DNS records") or {})
        txt = " ".join(d.get("TXT") or [])
        if not d.get("MX") and "v=spf1" in txt:
            print(json.loads(line)["Domain"])

The DNS record field holds A, AAAA, NS, MX, TXT, SOA, CAA and more, arrays for most types and a host-plus-priority object for MX. The recipes handle those shapes as they really ship.

Why a file beats a lookup API for this work

Investigations are wide and fast. Metered lookups fight both.

No meter mid-hunt

Pivot across a whole campaign without watching a per-query counter or a monthly cap decide when you stop.

Your queries stay yours

The file sits on your hardware. What you look up, and when, is never a request to a third party that could log it.

Enrichment at line rate

Join a full domain feed against your alerts and IOCs locally. No round trip per indicator.

Reproducible snapshots

A dated export is a fixed point you can re-run a hunt against. A live API answers differently tomorrow.

Air-gap friendly

One file moves into an isolated environment. No outbound calls required to use it there.

Full DNS, not just an answer

NS, MX, TXT, CAA and the rest per domain, so infrastructure pivots do not need a second data source.

The questions a SOC actually asks

Answered without hedging.

Is WHOIS still useful after redaction?

Yes. Contact fields are widely redacted, and we do not carry contact PII either. What stays is exactly what infrastructure work runs on: registrar, creation, expiry and last-changed dates, RDAP status, and full DNS. Attribution by timeline and infrastructure, not by a registrant name.

How fresh are newly registered domains?

Exports rebuild daily and one payment gives a calendar month of re-downloads. Pull the newest export as often as your pipeline wants, then diff against yesterday for the new-registration feed.

What DNS records are in there?

A, AAAA, NS, MX, TXT, SOA, CAA, DS, DNSKEY, CNAME and more, per domain. Arrays for most types, and a host-plus-priority object for MX. The recipes above show the exact shapes.

Can I use this inside a product or a service?

Enrichment, detection, scoring and alerting built on the data are yours to run and to sell. Reselling the raw rows onward needs a written agreement. Talk to sales.

Does it work in an isolated environment?

Yes. It is one file. Move it into an air-gapped or restricted network and query it there with no outbound calls.

Run a pivot on 10,000 real rows

No account, no email. If the sample fits your hunt, the full rdap-whois export is €299 and dns is €199.