Find every domain on an IP.
Pass an IP address or CIDR. Get back every domain that resolves to it. Useful for hosting-cluster discovery and infrastructure attribution.
One pivot from IP to its full footprint.
The Reverse IP API queries the indexed corpus for every domain whose A or AAAA records point at a given IP address or CIDR block. Match is on current or historical DNS state; the response metadata distinguishes.
Pass the IP and optionally a CIDR mask. The corpus carries observation timestamps, so the same IP queried at different times can yield different domain sets.
This is one of the most common pivots in IR and hunt workflows. An IP surfaced in telemetry unlocks every domain that pointed at it, including domains long since moved off.
One endpoint, one required parameter.
Endpoint:
GET https://api.deepinfo.com/v1/discovery/reverse-ip?ip={ip}Parameters:
Authentication is by API token in the request header. See docs.deepinfo.com for the full request reference.
See what the API returns.
Real response structure for the Find every domain on an IP endpoint. Field coverage may vary based on query parameters and data availability.
{
"_request": {"ip": "203.0.113.42"},
"results": [
{"fqdn": "deepinfo.com", "first_seen": "2024-08-14", "last_seen": "current"},
{"fqdn": "www.deepinfo.com", "first_seen": "2024-08-14", "last_seen": "current"},
{"fqdn": "old-tenant-a.io", "first_seen": "2022-01-04", "last_seen": "2024-07-30"},
{"fqdn": "old-tenant-b.net", "first_seen": "2021-06-22", "last_seen": "2023-11-18"}
],
"pagination": {"page": 1, "page_size": 50, "total": 12}
}Sample response shown. Real responses depend on query parameters, data availability, and API version. Talk to us for full schema documentation.
Workflows this API plugs into directly.
Incident Investigation and Response
Pivot from an IP in incident telemetry to every domain that pointed at it, current and historical.
Read the use caseThreat Hunting
Cluster adversary infrastructure by shared hosting at IP or CIDR scope.
Read the use caseAttack Surface Management
Surface every hostname pointing at any IP in your address space.
Read the use case“Hosting-cluster discovery from one IP is the first pivot in most of our investigations. Returning the full domain set in seconds, not minutes, changed what we can do during live triage.”
Other lookup APIs.
Current Whois state for any domain, in one call.
The Whois Lookup API returns the registration record for a domain right now: registrar, dates, registrant, name servers, and status codes.
See API APICurrent IP allocation state, in one call.
Pass an IP address.
See API APICurrent DNS state for an FQDN, in one call.
Pass an FQDN and one or more record types.
See API APICurrent TLS state for a host, in one call.
Pass a domain or IP.
See API APIFind every domain on an MX record.
Pass an MX record value.
See API APIFind every domain on a name server.
Pass a name server hostname.
See API APICapture a target page as the user sees it.
Pass a URL.
See API APIDetect the technology stack of a target, in one call.
Pass a URL.
See API APILive web-page data for a target, in one call.
Pass a URL.
See API APIScan a target's open ports, in one call.
Pass a target.
See APIRun a reverse-IP pivot, from any address.
We'll set up token access and walk through how teams plug this into IR and ASM workflows.