WhoisXML API launched a free MCP server that lets large language models query 17 WhoisXML APIs so users can retrieve internet infrastructure intelligence and run bulk or complex research via natural language. The server supports tools like Claude and Gemini and enables investigations such as historical WHOIS/DNS lookups and reverse lookups for IoCs. #WhoisXMLAPI #MCPServer
Keypoints
- WhoisXML API released an MCP server implementing the Model Context Protocol to let LLMs securely connect to external data sources.
- The MCP server currently supports 17 WhoisXML APIs, including WHOIS, WHOIS History, DNS, Reverse IP, SSL Certificates, and Threat Intelligence APIs.
- Users can query these APIs from a chatbot using natural language without writing code, and results are returned in natural language tailored to the request.
- The server enables multi-API, multi-step prompts for complex tasks like investigating malicious infrastructure by retrieving historical WHOIS/DNS data and performing reverse lookups on IoCs.
- The MCP server is free to use; new users receive free API credits and existing customers can configure it using their API keys.
- It is compatible with popular AI tools such as Anthropic Claude, Google Gemini, Cursor, and others.
- The MCP server can accelerate early-stage product development by combining data types (e.g., subdomains and WHOIS ownership) via a conversational interface for EASM, threat intelligence, and related platforms.
MITRE Techniques
- [T1583] Acquire Infrastructure – Used to retrieve infrastructure data (WHOIS, DNS, IP geolocation, IP netblocks) to identify and assemble malicious infrastructure components: ‘retrieving historical WHOIS and DNS data of domains, subdomains, and IP addresses tagged as indicators of compromise (IoCs)’.
- [T1598] Phishing for Information (Open-Source Intelligence) – Leveraging public APIs to gather contextual data about targets and infrastructure via natural-language queries: ‘users can simply ask the LLM of their choice to look up the data that they need, without needing to code anything’.
- [T1046] Network Service Discovery – Performing reverse lookups (Reverse IP, Reverse MX, Reverse NS) to discover services and relationships between hosts and domains: ‘running reverse lookups based on this data—all in one prompt’.
- [T1078] Valid Accounts – Using legitimate API access and existing API keys to query external data sources as part of investigations or tooling: ‘Existing WhoisXML API customers can use their API keys to configure the MCP server’.
Indicators of Compromise
- [Domains] context – historical WHOIS and DNS lookups for domains and subdomains (example usage: looking up domain ownership and history, domain and subdomain discovery queries).
- [IP addresses] context – reverse IP and IP geolocation lookups to investigate IPs associated with malicious infrastructure (example usage: reverse lookups on IP addresses, IP geolocation and IP netblocks queries).
- [WHOIS records] context – WHOIS and WHOIS History retrieval for ownership and registration metadata, e.g., historical WHOIS entries and ownership details.
- [SSL Certificates] context – SSL certificate data to link infrastructure via certificates, e.g., SSL Certificates API lookups for certificate subjects and issuers.
- [Subdomain names] context – subdomain enumeration to discover related assets, e.g., subdomain and subdomain lookup API results.