Historical DNS at 100B+ records.
Historical DNS record snapshots including A, AAAA, MX, NS, TXT, CNAME, and SOA. 100B+ records across the long tail of internet observation.
Multi-snapshot DNS state, at internet scale.
The Historical DNS Records Feed is the bulk version of the DNS History API. The API answers single-FQDN queries; the feed delivers the full multi-snapshot corpus for analytical workloads, infrastructure clustering, and offline pivot graphs.
Each record is one DNS observation of one FQDN of one record type at one point in time. The corpus exceeds 100B records and covers A, AAAA, MX, NS, TXT, CNAME, and SOA across the public internet. Sources include passive DNS partnerships, active scanning, certificate transparency cross-reference, and Deepinfo's own resolution pipeline.
Use this feed for IP-pivot graphs across years of state, name-server reuse analysis, MX-clustering of phishing infrastructure, or any research workflow that benefits from offline indexing of the full historical DNS state.
Historical bulk export, delivered on demand.
Available as a one-time bulk export or as periodic refreshes against the latest cumulative snapshot. Authenticate with an API token scoped to the feed.
Delivery
Historical bulk export. The API call returns metadata plus a signed download_url. S3 and SFTP for large transfers.
Format
JSON or CSV. Partitioned by record type and observation year for efficient downstream processing.
Refresh cadence
On-demand bulk export; periodic refresh available. The cumulative snapshot reflects the full observation window.
Authentication
API token in the request header. Per-feed scoping. Reference at docs.deepinfo.com.
What you actually get.
The API response, with the metadata for the latest cumulative snapshot:
{
"download_url": "https://feeds.deepinfo.com/historical-dns/2026-05-02/historical-dns.json.gz?...",
"file_format": "json",
"file_size": 1184237194831,
"file_update_time": "2026-05-02T03:14:27Z",
"line_count": 108374291847
}A few representative records from the JSON-formatted file at download_url:
{"fqdn":"www.acme.com","type":"A","value":"203.0.113.42","ttl":3600,"observed_at":"2018-03-12T08:14:00Z","source":"passive_dns"}
{"fqdn":"www.acme.com","type":"A","value":"198.51.100.91","ttl":300,"observed_at":"2021-04-08T16:22:00Z","source":"active_scan"}
{"fqdn":"acme.com","type":"MX","value":"10 mail.acme.com","ttl":3600,"observed_at":"2018-03-12T08:14:00Z","source":"passive_dns"}
{"fqdn":"deepinfo.com","type":"NS","value":"ns-cloud-a1.googledomains.com","ttl":86400,"observed_at":"2018-06-13T10:00:00Z","source":"active_scan"}Workflows this feed powers directly.
Incident Investigation and Response
Reconstruct full DNS state for any FQDN at any point in the corpus window. The IP that resolved at the time of the incident is the one that matters.
Read the use caseThreat Hunting
Cluster infrastructure by IP, name server, or MX fingerprint across years of observation.
Read the use caseThreat Intelligence Operations
Build adversary-infrastructure intelligence on top of the long historical record, not just current state.
Read the use case“Historical DNS at this depth is what investigations actually need. Reconstructing where a domain pointed three years ago, across A, MX, and NS records, used to mean cross-referencing four sources. One feed handles it now.”
Other historical feeds.
Historical SSL/TLS at 20B+ records.
Historical SSL/TLS certificate data across domains and IP addresses. 20B+ records sourced from certificate transparency logs and active TLS scanning.
See feed DATA FEEDUp to 10 years of Whois history, in bulk.
Up to 10 years of historical Whois snapshots. 100B+ records covering registrar, registrant, dates, name servers, and status codes across every monitored TLD.
See feedGet the full DNS history, in bulk.
Most teams scope to a record-type or year-range subset first. We'll set up token access and discuss partitioning that fits your workload.