Newly Active Domains (NAD)
Domains are sometimes warmed up — often showing the appearance of legit activity — to avoid detection before suddenly turning malicious, making this data a very valuable subset of domains to analyze when looking for malicious activity.
A domain is considered newly active when its activity (queries originating from different IPs) transitions from dormant or nearly dormant to active or very active.
This data feed is currently experimental and access is granted on a case-by-case basis.
Format
Pricing
€1,999/month — talk to us at contact@dns0.eu to set up the subscription and get your API key.
Threat intelligence partners get free or discounted access to this data feed.
Authentication
Authenticate by passing your API key as Bearer token in the Authorization header.
The WebSocket streaming endpoint is available without authentication for testing purposes (up to 10 minutes per day).
Stream
WebSocket
WebSocket
The WebSocket endpoint is available at the following URL.
Google Cloud Pub/Sub
Google Cloud Pub/Sub
Upon request, you will be granted the pubsub.subscriber role for the topic projects/dns0eu/topics/data.nad.
Amazon SNS
Amazon SNS
Evaluating demand, please register your interest at contact@dns0.eu.
Azure Event Hubs
Azure Event Hubs
Evaluating demand, please register your interest at contact@dns0.eu.
Apache Kafka
Apache Kafka
Evaluating demand, please register your interest at contact@dns0.eu.
Download
Newline-delimited JSON dumps of the previous day’s stream are made available daily at the following URL.
The file is updated every day between midnight and 1am UTC. Use conditional
requests (If-Modified-Since) or make use of HEAD requests to avoid
unnecessary bandwidth usage.