API Documentation
Overview
Driftnet gathers DNS MX (Mail Exchange) and TXT (Text) records for each apex domain it encounters (driftnet.io, for example).
Searching MX records
To search for the DNS MX records associated with a domain:
    curl -s -H 'Authorization: Bearer <your-api-token>' \
      'https://api.driftnet.io/v1/domain/mx?host=driftnet.io' \
      | jq . \
      | less -S

    {
      "page": 0,
      "pages": 1,
      "result_count": 4,
      "results": [
        {
          "date": "2019-05-13",
          "id": "LraDbNTTSMSAxe72Cm2u8w",
          "items": [
            {
              "context": "",
              "is_metadata": true,
              "type": "host",
              "value": "driftnet.io"
            },
            {
              "context": "dns-mx",
              "is_metadata": false,
              "type": "host",
              "value": "aspmx.l.google.com"
            },
            {
              "context": "dns-mx",
              "is_metadata": false,
              "type": "mx-preference",
              "value": "1"
            },
            ...
            {
              "context": "dns-ns",
              "is_metadata": false,
              "type": "host",
              "value": "alexis.ns.cloudflare.com"
            }
          ]
        },
        ...
This tells us that a lookup for driftnet.io returned the MX record aspmx.l.google.com (context dns-mx), with priority 1. Other MX/priority pairs follow. After that, we learn that the response came from a particular nameserver (context dns-ns).
As usual, if we want to restrict to only the most recent observations for each apex domain, we can set most_recent=true on the call.
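The flat items list described above can be regrouped into MX/preference pairs per observation, which is the form needed to inventory a domain's mail providers. The following Python is an added example, not Driftnet's own code; it assumes each mx-preference item directly follows the host item it belongs to (as in the excerpt), and its sample response is constructed (the id and the two example.net hosts are made up).

```python
import json

# Constructed sample, modelled on the response layout shown above; only the
# first MX pair and the nameserver come from the page, the rest is made up.
SAMPLE = json.loads("""
{"page": 0, "pages": 1, "result_count": 1, "results": [
  {"date": "2019-05-13", "id": "constructed-id", "items": [
    {"context": "", "is_metadata": true, "type": "host", "value": "driftnet.io"},
    {"context": "dns-mx", "is_metadata": false, "type": "host", "value": "aspmx.l.google.com"},
    {"context": "dns-mx", "is_metadata": false, "type": "mx-preference", "value": "1"},
    {"context": "dns-mx", "is_metadata": false, "type": "host", "value": "mx-backup.example.net"},
    {"context": "dns-mx", "is_metadata": false, "type": "mx-preference", "value": "10"},
    {"context": "dns-mx", "is_metadata": false, "type": "host", "value": "mx-nopref.example.net"},
    {"context": "dns-ns", "is_metadata": false, "type": "host", "value": "alexis.ns.cloudflare.com"}
  ]}
]}
""")

def parse_observation(result):
    """Turn one entry of "results" into a structured MX observation."""
    obs = {"date": result.get("date"), "domain": None, "mx": [], "nameservers": []}
    pending = None  # MX host still waiting for its mx-preference item
    for item in result.get("items", []):
        ctx, typ = item.get("context"), item.get("type")
        val = str(item.get("value", ""))
        if item.get("is_metadata") and typ == "host":
            obs["domain"] = val          # the apex domain that was looked up
        elif ctx == "dns-mx" and typ == "host":
            if pending is not None:      # previous host had no preference item
                obs["mx"].append((None, pending))
            pending = val.rstrip(".").lower()
        elif ctx == "dns-mx" and typ == "mx-preference" and pending is not None:
            pref = int(val) if val.isdigit() else None
            obs["mx"].append((pref, pending))
            pending = None
        elif ctx == "dns-ns" and typ == "host":
            obs["nameservers"].append(val.rstrip(".").lower())
    if pending is not None:
        obs["mx"].append((None, pending))
    # Lowest preference first; hosts with no usable preference go last.
    obs["mx"].sort(key=lambda p: (p[0] is None, p[0] or 0, p[1]))
    return obs

def parse_mx_response(body):
    """Parse every observation in one page of an MX search response."""
    return [parse_observation(r) for r in body.get("results", [])]

if __name__ == "__main__":
    for o in parse_mx_response(SAMPLE):
        print(o["date"], o["domain"], o["mx"], o["nameservers"])
```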
Searching TXT records
TXT searches are similar:
    curl -s -H 'Authorization: Bearer <your-api-token>' \
      'https://api.driftnet.io/v1/domain/txt?host=driftnet.io' \
      | jq . \
      | less -S

    {
      "page": 0,
      "pages": 1,
      "result_count": 3,
      "results": [
        {
          "date": "2019-05-13",
          "id": "nLKVSfW0ReCZfxjH0cuLew",
          "items": [
            {
              "context": "",
              "is_metadata": true,
              "type": "host",
              "value": "driftnet.io"
            },
            {
              "context": "dns-txt",
              "is_metadata": false,
              "type": "txt",
              "value": "_gitlab-pages-verification-code.driftnet.io TXT gitlab-pages-verification-code=280f927bd3b227587cc522fbee635413"
            },
            ...
Here we see the list of TXT records as type txt, context dns-txt. Again, setting most_recent=true would limit us to the most recent TXT observations for each apex domain.
Reverse searching
TXT records can be reverse-searched by content. For example, if we wanted to find TXT records containing X-Clacks-Overhead: GNU Terry Pratchett, we could call

    curl -s -H 'Authorization: Bearer <your-api-token>' \
      'https://api.driftnet.io/v1/domain/txt?txt=pratchett' \
      | jq . \
      | less -S
Both MX and TXT records can be reverse-searched by nameserver:

    curl -s -H 'Authorization: Bearer <your-api-token>' \
      'https://api.driftnet.io/v1/domain/mx?nameserver=icann.org' \
      | jq . \
      | less -S

    curl -s -H 'Authorization: Bearer <your-api-token>' \
      'https://api.driftnet.io/v1/domain/txt?nameserver=icann.org' \
      | jq . \
      | less -S
Summarization
It is often useful to roll up the results of a search. To get all the TXT records served up by an *.icann.org DNS server, we might call

    curl -s -H 'Authorization: Bearer <your-api-token>' \
      'https://api.driftnet.io/v1/domain/txt?nameserver=icann.org&summarize=txt&summary_context=dns-txt' \
      | jq . \
      | less -S

    {
      "summary": {
        "other": 0,
        "values": {
          "$Id: 224.in-addr.arpa 4115 2015-06-05 20:27:24Z mvergara $": 2,
          "$Id: 226.in-addr.arpa 4117 2015-06-05 20:27:46Z mvergara $": 3,
          "$Id: 227.in-addr.arpa 4118 2015-06-05 20:27:57Z mvergara $": 2,
          ...
The summary options work in the same way as described in the Internet Scans section; see that section for more details.
Additional options
These endpoints also accept the from=, to=, filter= and page= parameters, which work exactly as described in the Internet Scans section.