Check IOC overview

The information returned by the Check IOC service cannot be used for commercial purposes without ThreatSTOP's written agreement.

  • The Check IOC API service provides a mechanism to look up a domain or IP address in the database and return the list of targets that the IOC is currently present in (the active section of the response) or was previously present in (the history section of the response).

  • The service also returns the list of User-defined lists that the domain or IP address has been added to.

Record matching

The matching algorithm behaves as an IP firewall or DNS Firewall would when selecting the records it returns.

  • Requests for an IP address will match any subnet that contains the IP address.
  • Requests for a FQDN will match the exact domain, as well as wildcard records. For example, www.example.tld would match records for:
    • www.example.tld
    • *.example.tld
    • *.tld

The API response includes the exact record(s) that match the requested address for each target.
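
The matching rules above can be reproduced locally to predict which records a lookup should return. This is an added example, not ThreatSTOP code: the function names, the most-specific-first ordering and the constructed sample records are assumptions.

```python
import ipaddress

# Constructed sample records for illustration; not real ThreatSTOP data.
SAMPLE_RECORDS = [
    "www.example.tld", "*.example.tld", "*.tld", "example.tld",
    "*.other.tld", "192.0.2.0/24", "192.0.2.17", "198.51.100.0/24",
    "2001:db8::/32",
]

def candidate_names(fqdn):
    """Exact name plus one wildcard per parent domain, most specific first.

    As in the page's example, a wildcard only covers names below it:
    *.example.tld is a candidate for www.example.tld, not for example.tld.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    wildcards = ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return [".".join(labels)] + wildcards

def match_records(query, records):
    """Return the records matching `query`, the way a firewall would select them."""
    try:
        addr = ipaddress.ip_address(query)
    except ValueError:
        addr = None  # not an IP address: treat the query as a FQDN

    if addr is None:
        present = {r.rstrip(".").lower() for r in records}
        return [name for name in candidate_names(query) if name in present]

    hits = []
    for rec in records:
        try:
            net = ipaddress.ip_network(rec, strict=False)
        except ValueError:
            continue  # domain record, irrelevant to an IP query
        # A bare address parses as a /32 (or /128) network containing itself.
        if net.version == addr.version and addr in net:
            hits.append((net.prefixlen, rec))
    # Longest prefix first (ordering is an assumption, for readability only).
    return [rec for _, rec in sorted(hits, key=lambda h: h[0], reverse=True)]

if __name__ == "__main__":
    for q in ("www.example.tld", "example.tld", "192.0.2.17", "203.0.113.5"):
        print(q, "->", match_records(q, SAMPLE_RECORDS))
```

Comparing this expected set with the records in an actual response is a quick way to spot an overly broad wildcard or subnet entry in a user-defined list.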

Associated records

The Check IOC service will also return the list of A DNS records currently resolved from the requested FQDN (Domain name requests only).


The Check IOC service will also return the list of records for subdomains of the requested FQDN (Domain name requests only). If subdomains are requested, the Check IOC service will include records for when is the argument.

Note that the RPZ feature will not block if the rule is for A rule for the FQDN ( or a wildcard entry for the domain (* is needed to block. However, it can be useful to retrieve all records known for a given domain.


For each record, the response will include two timestamps, expressed as Unix epoch timestamps:

  • first_identified: the first time the record was added to the target
  • last_used: the last time the record was added to the target.

If the record is in the active array, the last_used value is also when the contents of the target were last refreshed.

Name server IOCs

ThreatSTOP’s DNS Defense provides the ability to block DNS requests based on the requested FQDN or the records returned by the query (IP address or another FQDN).

It is also able to block requests based on the FQDN or IP address of the DNS servers involved in answering the DNS query.

These IOCs are output as <fqdn>.rpz-nsname (name server FQDN) and <netmask.ip address>.rpz-nsip.