API Documentation

Getting Started Internet Scans Scan Content Open Ports Domain Scans Forward DNS DNS MX & TXT Reverse DNS IP Registrations Domain Registrations Certificate Transparency JARM Fingerprints Favicon Fingerprints

Domain Scans

Overview

Many web servers respond differently when a domain name is presented to them. The same server can be configured to provide a different TLS certificate and/or HTTP response for each of potentially very many domain names.

To cover off this case, Driftnet uses DNS data to match up domain names to IPs, and then presents those domain names during the scan process.

This feature is particularly important in discovering cloud-hosted services, where the only indication that a particular server is in use by a particular company is the domain name.

Domain scan searches

Domain scan searches use the scan/domains endpoint, which works in a very similar way to the scan/protocols endpoint:

Example Request

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/domains?host=driftnet.io' \
  | jq . \
  | less -S

Example Response

{
  "page": 0,
  "pages": 1,
  "result_count": 28,
  "results": [
    {
      "date": "2019-05-13",
      "id": "xqdCDXoHSX-E1_V0rhGw_g",
      "items": [
        {
          "context": "",
          "is_metadata": true,
          "type": "ip",
          "value": "104.26.6.233"
        },
        {
          "context": "",
          "is_metadata": true,
          "type": "port-tcp",
          "value": "443"
        },
        ...

Note the third item, which has an empty context and a type of host. This is the domain name that was presented to the remote server during the scan.

Including indirect hosts

By default, a search by host will only match cases where the host being searched is the one that was scanned. You might also want to look for a type of host in any context, i.e. including results with some other reference to the host searched for. To get these results, add the indirect=true qualifier:

Example Request

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/domains?host=driftnet.io&indirect=true' \
  | jq . \
  | less -S

Example Response

{
  "page": 0,
  "pages": 3,
  "result_count": 292,
  "results": [
    {
      "date": "2019-05-13",
      "id": "fAGY0axPRdurv8T9WqAtsQ",
      "items": [
        {
          "context": "",
          "is_metadata": true,
          "type": "ip",
          "value": "151.101.65.195"
        },
        {
          "context": "",
          "is_metadata": true,
          "type": "port-tcp",
          "value": "443"
        },
        {
          "context": "",
          "is_metadata": true,
          "type": "host",
          "value": "example.com"
        },
        ...

With the indirect=true parameter set we include results which present a certificate that is valid for host driftnet.io, but where driftnet.io was not the hostname presented in the scan. This often occurs when a CDN has bundled many unrelated hostnames into a single certificate.

Most-recent results

Driftnet stores results as a time series. Often, you only want to know the most recent result for an {ip, port, domain} tuple. To obtain only this data, set most_recent=true:

Example Request

curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/domains?host=google.com&most_recent=true' \
  | jq . \
  | less -S

Additional features

All other features described in the Internet Scans section are also available for the scan/domains endpoint, including filtering, boolean searches and summarization. Prioritization is also available, and works in a similar way.

Body searches are not currently available for domain scan data.