Recon for Bug Bounty & Security Research

509M+ archived domains, historical DNS, reverse-IP — the recon dataset for finding subdomains and endpoints within authorized targets.

The same passive-DNS dataset that powers commercial recon tools — without the per-query pricing.

Get API Access

What You Get

Everything you'd expect from a passive-DNS recon dataset, plus historical depth.

DNSArchive is built on continuous DNS observation. We see what's resolving across the internet and store it with timestamps, so you can answer questions that point-in-time tools can't:

  • Subdomain enumeration — every subdomain we've ever observed for a target apex, including the ones that aren't resolving anymore but might still have ACL leftovers
  • Reverse IP — every domain that's ever resolved to a given IP. Find related properties under the same operator
  • Historical resolution — what did this hostname point at 18 months ago? Useful for finding old endpoints that may not have been fully decommissioned
  • Service fingerprinting — nameserver, MX, and CNAME data for every observed domain, which often tells you what stack a target is running

Recon Workflows

Common patterns used by bounty hunters and CTF players on our dataset.

Full Subdomain Sweep

One API call returns every subdomain we've observed for an apex — even ones not currently in DNS. More complete than tools that only see live records.

IP → Pivot

Found a target IP? Reverse-lookup gives you every other domain that has resolved to it — often the entry point to other in-scope properties.

Historical Endpoints

old-api.target.com may not resolve today, but if it ever did, you'll see it. Forgotten endpoints are some of the most productive bounty targets.

Service Discovery

Search for nameserver patterns, MX domains, or specific CDN/hosting fingerprints across our entire dataset.

Scriptable JSON API

Plain HTTP+JSON, paginated, curl-friendly. Drop it into your bash recon scripts or wire it into amass, subfinder, etc.

Newly Observed Domains

For attack-surface watchers: subscribe to a feed of every new domain we observe, useful for catching newly-stood-up infra fast.

Try it on a target you're authorized to test

Free to search the full database. Paid plans add API access for automation.

The web search at /search is free with no signup. Useful for one-off recon when you're getting started on a new program.

When you want to integrate this into your recon scripts, the API gives you the same data with pagination and JSON output for $20/month at the entry tier — less than most VPN subscriptions.

View API Plans API docs

Use within scope

DNSArchive is a passive-DNS dataset. Looking up data we've already collected isn't an active probe of a target — we observed those resolutions independently. That said, you should always confirm targets are within an authorized program's scope before doing anything with what you find. We don't grant permission for testing — the program owner does.

If you find something interesting in our data and want to verify or expand on it, the API is designed for scripted recon. If you're doing larger campaigns and want a higher request volume, email sales@noc.org — we work with several active bounty hunters and red teams on custom plans.

Drop it into your recon stack today

$20/month for the entry plan. Cancel anytime.

View Plans