A continuous stream of every domain we see resolving for the first time. Block phishing infrastructure faster than threat-intel feeds catch up.
Domains, the moment they start resolving in DNS.
DNSArchive observes domain resolution continuously across the internet. The Newly Observed Domains feed is the firehose of every previously-unseen domain we record — usually within hours of first resolution, sometimes within minutes.
For security teams this is one of the most valuable signals you can have: ~95% of phishing and malware domains are registered, used, and abandoned within a few days. By the time a domain shows up on a commercial threat-intel feed, the campaign is often already over.
Our feed sees the domain when DNS does. That's the earliest possible point you can act on it.
How security teams use this feed.
Pipe new domains into your DNS resolver, secure web gateway, or email filter. Block first, allow on review — the right default for high-risk environments.
Run new domains through your enrichment pipeline (WHOIS, certificate transparency, hosting reputation) to surface high-confidence indicators within minutes of registration.
Match new domains against your own brand keywords. Combined with our Brand Protection feature, this happens automatically.
Pivot new domains by hosting IP, nameserver, or registrar pattern to map an entire campaign before it lights up.
Tag traffic in your SIEM where the destination domain is younger than X days. Strong heuristic for blocking unknown traffic in regulated environments.
Academics and security researchers use historical newly-observed-domain data to study attack patterns, registration abuse, and domain lifecycle.
The /latest page shows the most recent domains in the human-readable view — great for spot-checking and getting a feel for what the feed contains.
For programmatic access, the JSON API at my.dnsarchive.net/api/ exposes the same data with pagination, time-window filtering, and per-domain metadata (NS, MX, observed IPs). Wire it into a cron job, an enrichment Lambda, or a SOAR playbook.
Webhook delivery and S3 dump options are on the roadmap. If you have a specific consumption pattern in mind, email sales@noc.org.
What you get back when you hit the API for newly observed domains:
{
  "domain": "example-new-domain.com",
  "first_observed": "2026-05-09T07:14:32Z",
  "ipv4": ["192.0.2.42"],
  "ns": ["ns1.somehoster.example.", "ns2.somehoster.example."],
  "mx": ["mail.example-new-domain.com."]
}
Each record represents a domain at the moment of first observation. The IP, NS, and MX values are what we saw at that moment — later changes are tracked separately and queryable through the historical DNS endpoints.
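An added example, not DNSArchive's own code: triaging records in the shape shown above for the domain-age, brand-keyword and nameserver-pivot uses described earlier. The sample records, the keyword list, the 7-day cutoff and all function names are constructed assumptions, and no API call is made.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed records in the shape shown above (not real feed data).
SAMPLE = json.loads("""[
 {"domain": "examplebank-login.example", "first_observed": "2026-05-09T07:14:32Z",
  "ipv4": ["192.0.2.42"], "ns": ["ns1.somehoster.example.", "ns2.somehoster.example."], "mx": []},
 {"domain": "example-bank-secure.example", "first_observed": "2026-05-08T22:01:10Z",
  "ipv4": ["192.0.2.43"], "ns": ["NS2.somehoster.example.", "ns1.somehoster.example."], "mx": []},
 {"domain": "gardening-tips.example", "first_observed": "2026-04-01T10:00:00Z",
  "ipv4": ["198.51.100.7"], "ns": ["ns1.otherdns.example."], "mx": []}
]""")
NOW = datetime(2026, 5, 10, tzinfo=timezone.utc)  # constructed "current time"
BRAND_KEYWORDS = ("examplebank",)  # assumption: your own brand terms
MAX_AGE = timedelta(days=7)        # assumption: the "younger than X days" cutoff

def first_seen(rec):
    # first_observed is UTC ISO 8601 with a trailing "Z", as in the sample record.
    ts = datetime.strptime(rec["first_observed"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)

def triage(records, now, keywords=BRAND_KEYWORDS, max_age=MAX_AGE):
    """Return (young domains, brand keyword hits, nameserver clusters)."""
    young, hits, by_ns = [], [], defaultdict(set)
    for rec in records:
        domain = rec["domain"].lower().rstrip(".")
        # A timestamp slightly in the future (clock skew) still counts as young.
        if now - first_seen(rec) <= max_age:
            young.append(domain)
        # Drop hyphens so "example-bank" matches the keyword "examplebank".
        if any(k in domain.replace("-", "") for k in keywords):
            hits.append(domain)
        # Normalise case, trailing dot and order so equal NS sets compare equal.
        ns_set = tuple(sorted(n.lower().rstrip(".") for n in rec.get("ns", [])))
        if ns_set:
            by_ns[ns_set].add(domain)
    # Only NS sets shared by two or more new domains are useful pivots.
    clusters = {ns: sorted(d) for ns, d in by_ns.items() if len(d) > 1}
    return young, hits, clusters

if __name__ == "__main__":
    young, hits, clusters = triage(SAMPLE, NOW)
    print("young:", young)
    print("brand hits:", hits)
    print("shared nameservers:", clusters)
```

Substring matching on a short keyword will also hit unrelated names, so treat the brand hits as a review queue rather than a blocklist.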