Find every domain on a name server.
Pass a name server hostname. Get back every domain that uses it. Useful for hosting-provider mapping and infrastructure clustering.
One pivot from name server to its full footprint.
The Reverse NS API queries the indexed corpus for every domain that uses a given name server. Match is on either current or historical name-server records; use the response metadata to distinguish.
Pass the name server hostname (without trailing dot). Use apex to deduplicate to apex domains and include_subdomains to expand to FQDNs.
This API is the right pivot when an attribution question shifts from 'who owns this' to 'who shares this hosting infrastructure.' Adversaries reuse name servers across campaigns; legitimate hosting providers anchor large clusters by definition.
One endpoint, one required parameter.
Endpoint:
GET https://api.deepinfo.com/v1/discovery/reverse-ns?ns={ns}
Parameters:
Authentication is by API token in the request header. See docs.deepinfo.com for the full request reference.
See what the API returns.
Real response structure for the Find every domain on a name server endpoint. Field coverage may vary based on query parameters and data availability.
{
  "_request": {"ns": "ns1.example-host.com"},
  "results": [
    {"fqdn": "campaign-a-launch.com", "ns_first_seen": "2025-08-12"},
    {"fqdn": "campaign-b-launch.com", "ns_first_seen": "2025-08-12"},
    {"fqdn": "phish-portal-secure.io", "ns_first_seen": "2026-01-04"},
    {"fqdn": "verify-account-now.net", "ns_first_seen": "2026-03-19"}
  ],
  "pagination": {"page": 1, "page_size": 50, "total": 1284}
}
Sample response shown. Real responses depend on query parameters, data availability, and API version. Talk to us for full schema documentation.
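A sketch of triaging one page of this response offline, added here as an example and not Deepinfo's own code: it groups domains by ns_first_seen to surface same-day batches and uses pagination.total to flag a name server large enough to be shared hosting, where name-server overlap alone is weak attribution evidence. The 1000-domain cutoff and the function names are assumptions; the input is the sample response above.

```python
import json
import math
from collections import defaultdict

# Sample response copied from this page (first page of results only).
SAMPLE = json.loads("""
{"_request": {"ns": "ns1.example-host.com"},
 "results": [
  {"fqdn": "campaign-a-launch.com", "ns_first_seen": "2025-08-12"},
  {"fqdn": "campaign-b-launch.com", "ns_first_seen": "2025-08-12"},
  {"fqdn": "phish-portal-secure.io", "ns_first_seen": "2026-01-04"},
  {"fqdn": "verify-account-now.net", "ns_first_seen": "2026-03-19"}],
 "pagination": {"page": 1, "page_size": 50, "total": 1284}}
""")

# Assumption: footprint size above which the name server is treated as shared hosting.
SHARED_HOSTING_THRESHOLD = 1000


def first_seen_batches(response, min_size=2):
    """Group FQDNs by ns_first_seen; keep dates shared by at least min_size domains."""
    by_date = defaultdict(set)
    for row in response.get("results", []):
        fqdn, seen = row.get("fqdn"), row.get("ns_first_seen")
        if fqdn and seen:  # field coverage may vary, so skip incomplete rows
            by_date[seen].add(fqdn.lower().rstrip("."))
    return {d: sorted(v) for d, v in sorted(by_date.items()) if len(v) >= min_size}


def pages_remaining(response):
    """Pages still to fetch before the footprint is complete."""
    p = response["pagination"]
    return max(0, math.ceil(p["total"] / p["page_size"]) - p["page"])


def triage(response, threshold=SHARED_HOSTING_THRESHOLD):
    total = response["pagination"]["total"]
    return {
        "ns": response["_request"]["ns"],
        "total": total,
        "pages_remaining": pages_remaining(response),
        "shared_hosting_likely": total >= threshold,
        "batches": first_seen_batches(response),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On a partial page the batches are a lower bound: a date with one domain here may still gain members from the remaining pages.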
Workflows this API plugs into directly.
Threat Hunting
Cluster adversary infrastructure by shared name-server reuse.
Incident Investigation and Response
Pivot from a name server surfaced in incident telemetry to its full domain footprint.
Brand Impersonation Protection
Map the hosting cluster behind a confirmed impersonating registration.
“Name-server clustering exposes hosting providers used by threat actors at scale. The reverse-NS shape returns clean enough for direct ingestion into our infrastructure-attribution graph.”
Other lookup APIs.
Current Whois state for any domain, in one call.
The Whois Lookup API returns the registration record for a domain right now: registrar, dates, registrant, name servers, and status codes.
Current IP allocation state, in one call.
Pass an IP address.
Current DNS state for an FQDN, in one call.
Pass an FQDN and one or more record types.
Current TLS state for a host, in one call.
Pass a domain or IP.
Find every domain on an MX record.
Pass an MX record value.
Find every domain on an IP.
Pass an IP address or CIDR.
Capture a target page as the user sees it.
Pass a URL.
Detect the technology stack of a target, in one call.
Pass a URL.
Live web-page data for a target, in one call.
Pass a URL.
Scan a target's open ports, in one call.
Pass a target.
Run a reverse-NS pivot, from any hostname.
We'll set up token access and walk through how teams plug this into hunt and IR workflows.