iDig API
iDig is a comprehensive DNS intelligence and domain security API. It wraps
dig, delv, WHOIS, RDAP, and certificate transparency logs into a single authenticated
REST API — designed for developers, security auditors, and AI agents.
https://api.softricks.net/idigOpenAPI
openapi.json
Quick Start
1. Get a Token
curl -X POST "https://api.softricks.net/idig/token?scope=api"Returns a token hash you'll use for all subsequent requests. Free tier: 100 requests/month.
2. Make Your First Query
curl "https://api.softricks.net/idig/?d=example.com&rr=a&token=YOUR_TOKEN"3. Check Your Usage
curl "https://api.softricks.net/idig/usage?token=YOUR_TOKEN"Authentication
Every request requires a token query parameter. Tokens are scoped:
| Scope | Description | How to Get |
|---|---|---|
api |
General API access | Self-service via POST /token |
mobile |
Mobile app access | Self-service via POST /token |
agent |
AI agent access | Requires admin secret |
mcp |
MCP protocol access | Requires admin secret |
Plans & Rate Limits
| Plan | Monthly Requests | Batch Domains | Price |
|---|---|---|---|
| Free | 100 | N/A | $0 |
| Pro | 10,000 | Up to 10 | ~$9/mo |
| Business | 100,000 | Up to 50 | ~$29/mo |
| Unlimited | No cap | Up to 100 | Admin-only |
Usage headers returned with every response:
X-Idig-Used— requests used this monthX-Idig-Limit— monthly capX-Idig-Remaining— requests remaining
DNS Lookup GET /
What is DNS? The Domain Name System is the internet's phone book. When you type
example.com into a browser, DNS translates that name into an IP address like
93.184.216.34. DNS stores many record types beyond IP addresses — mail servers (MX), text data
(TXT), security policies (CAA), service locations (SRV), and more. Each record type serves a different purpose in
the internet's infrastructure.
The foundational endpoint. Query any DNS record type for any domain.
# A records (IPv4 addresses)
curl "https://api.softricks.net/idig/?d=example.com&rr=a&token=TOKEN"
# MX records (mail servers)
curl "https://api.softricks.net/idig/?d=example.com&rr=mx&token=TOKEN"
# All records at once
curl "https://api.softricks.net/idig/?d=example.com&rr=all&token=TOKEN"Supported record types: a ns soa ds
txt cname caa srv tlsa https
svcb any all
Options:
ns=8.8.8.8— query a specific nameserverauth=yes— query authoritative nameservers directlyquadA=yes— include AAAA (IPv6) records alongside A
DNSSEC Validation GET /dnssec/validate
What is DNSSEC? DNSSEC adds cryptographic signatures to DNS responses. Without it, DNS answers
are unsigned and can be spoofed — an attacker could replace the real IP with a malicious one (DNS cache
poisoning). DNSSEC creates a chain of trust from the root zone (
.) through the TLD
(.com) to the domain. Each level signs the level below it. The chain is: Root → TLD
→ Domain. If any link breaks, validation fails and the domain becomes "bogus."
Validates the full DNSSEC chain of trust using delv with a local Unbound resolver.
curl "https://api.softricks.net/idig/dnssec/validate?d=cloudflare.com&token=TOKEN"Returns status (secure/insecure/bogus), validated boolean, reason_codes,
and remediation steps.
DNSSEC Health GET /dnssec/health
Why key management matters: DNSSEC relies on cryptographic keys (KSK and ZSK) that must be
rotated periodically, use strong algorithms, and have valid signatures. Weak keys (RSA-1024, SHA-1) can be
brute-forced. Expired signatures make the zone appear "bogus." A mismatch between the DS record at the parent and
the DNSKEY in the zone breaks the chain entirely. NSEC records can leak zone contents through "zone walking" if
not configured with NSEC3.
Deep key management audit — algorithm strength, key rollover readiness, signature lifetimes, DS/DNSKEY consistency, and NSEC3 exposure.
curl "https://api.softricks.net/idig/dnssec/health?d=example.com&token=TOKEN"Chain of Trust
The response includes a chain array mapping the full DNSSEC trust path from root to your domain.
Each link contains the DNSKEY records at that zone, the DS records from the parent, and a
chain_intact flag indicating whether the DS→DNSKEY handoff is valid at that level.
"chain": [
{
"zone": ".",
"level": "root",
"dnskeys": [{"key_tag": "20326", "type": "KSK", "algorithm": "RSA/SHA-256"}, ...],
"chain_intact": true,
"ds_to_child": [{"key_tag": "19718", "algorithm": "ECDSAP256SHA256", "digest_type": "SHA-256"}]
},
{
"zone": "com.",
"level": "tld",
"dnskeys": [{"key_tag": "19718", "type": "KSK", ...}, ...],
"ds_from_parent": [{"key_tag": "19718", ...}],
"chain_intact": true,
"matching_key_tags": ["19718"],
"ds_to_child": [{"key_tag": "2371", ...}]
},
{
"zone": "example.com.",
"level": "domain",
"dnskeys": [{"key_tag": "2371", "type": "KSK", ...}, ...],
"ds_from_parent": [{"key_tag": "2371", ...}],
"chain_intact": true,
"matching_key_tags": ["2371"]
}
],
"chain_intact": truechain_intact(top-level) —trueif every link validates end-to-endmatching_key_tags— which DNSKEY key tags match the DS from the parentbroken: true— appears on the first link where the chain fails, pinpointing the exact break- If a link breaks,
warningsandrecommendationsare added with actionable guidance
Email Security Audit GET /email/security
Email authentication in a nutshell: Email was designed without sender verification. Anyone can
send email claiming to be from your domain. Four standards fix this:
- SPF (Sender Policy Framework) — a DNS TXT record listing which IPs can send email for
your domain. The
-allqualifier means "reject everything else." - DKIM (DomainKeys Identified Mail) — the sending server cryptographically signs each email. The public key is in DNS. Receivers verify the signature to confirm the email wasn't altered.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — tells
receivers what to do when SPF and DKIM fail:
none(report),quarantine(spam), orreject(drop). Also enables aggregate reporting. - BIMI (Brand Indicators for Message Identification) — a DNS TXT record at
default._bimi.<domain>pointing to your brand's SVG logo and optional VMC certificate. Gmail, Yahoo, and Apple Mail display the logo next to authenticated emails.
Four-pillar email authentication check: SPF + DKIM + DMARC + BIMI. Returns an A–F grade.
curl "https://api.softricks.net/idig/email/security?d=example.com&token=TOKEN"- SPF — record syntax, qualifier, DNS lookup count (max 10)
- DKIM — probes 20+ selectors including provider-specific ones, key type/size
- DMARC — policy enforcement, reporting addresses, alignment mode
- BIMI — brand logo URL and VMC presence
MX Health GET /mx/check
How email routing works: MX records tell the world which servers accept email for your domain.
Mail servers query MX records, sort by priority (lower = preferred), and connect to the best available. Common
misconfigurations: pointing MX to an IP instead of a hostname (RFC 5321 violation), CNAME as MX target (RFC 2181
violation), and single MX server (no redundancy).
curl "https://api.softricks.net/idig/mx/check?d=example.com&token=TOKEN"Blacklist Check GET /blacklist/check
What are DNS blacklists? DNSBLs are databases of IPs known to send spam. Email servers query
these lists to check sender IPs. Major lists include Spamhaus, Barracuda, SORBS, and SpamCop. Being listed on even
one major blacklist severely impacts email deliverability. Listings can happen from compromised servers, open
relays, or shared hosting neighbors.
curl "https://api.softricks.net/idig/blacklist/check?d=example.com&token=TOKEN"SSL/TLS Certificate GET /ssl/check
What is SSL/TLS? TLS encrypts the connection between browser and server (the padlock icon). A TLS
certificate proves the server's identity — issued by a trusted Certificate Authority (CA), it contains the
domain name, issuer, validity period, and public key. Expired certificates cause browser warnings. SANs (Subject
Alternative Names) let one cert cover multiple domains.
curl "https://api.softricks.net/idig/ssl/check?d=example.com&token=TOKEN"Returns issuer, validity window, SANs, chain depth, and days until expiry.
DANE/TLSA Validation GET /dane/validate
What is DANE? DANE uses DNSSEC-signed TLSA records to pin a specific TLS certificate or CA to a
domain. Instead of trusting any of hundreds of CAs, the domain owner declares in DNS exactly which certificate
should be used. This prevents rogue CA attacks. DANE is especially important for SMTP server-to-server encryption
where traditional certificate validation is weak.
curl "https://api.softricks.net/idig/dane/validate?d=example.com&token=TOKEN"HTTP/HTTPS Reachability GET /http/check
Why test HTTP/HTTPS? DNS can be perfect but the web server might be down or misconfigured. Best
practice: HTTP (port 80) should 301-redirect to HTTPS (port 443). HTTPS should respond with a valid certificate.
This check catches missing redirects, expired certs, and servers that are DNS-reachable but not web-reachable.
curl "https://api.softricks.net/idig/http/check?d=example.com&token=TOKEN"WHOIS / RDAP GET /whois
What is WHOIS/RDAP? WHOIS is the original protocol for querying domain registration info —
who registered it, when, which registrar, when it expires. It's a plain-text protocol from the 1980s with no
standard format. RDAP is its modern replacement: structured JSON, HTTPS, and less aggressive rate
limiting. iDig uses RDAP as primary for 22+ TLDs with WHOIS fallback.
curl "https://api.softricks.net/idig/whois?d=example.com&token=TOKEN"Returns registrar, dates, nameservers, DNSSEC status, and a source field ("rdap" or "whois").
Domain Status GET /domain/status
What are EPP status codes? EPP is the standard for managing domain names. Every domain has status
flags controlling allowed operations.
clientTransferProhibited prevents unauthorized transfers.
serverDeleteProhibited locks against deletion at the registry level. Without these locks, a
compromised registrar account could transfer your domain in minutes.
curl "https://api.softricks.net/idig/domain/status?d=example.com&token=TOKEN"IP Geolocation GET /geo
What is IP geolocation? IP addresses are allocated from regional blocks assigned to ISPs and data
centers. Geolocation databases map these ranges to physical locations. Useful for verifying hosting regions,
detecting unexpected changes, and understanding your infrastructure's geographic footprint. ASN data reveals which
network operator owns the IP block.
curl "https://api.softricks.net/idig/geo?d=example.com&token=TOKEN"Returns country, city, ISP, ASN, and hosting provider detection.
DNS Propagation GET /propagation
How DNS propagation works: DNS changes don't take effect instantly. Resolvers worldwide cache
records for their TTL duration. Until the old TTL expires, different resolvers may return different answers. This
"propagation delay" ranges from minutes to days depending on TTL. During migrations, verify that all major
resolvers see the new record.
curl "https://api.softricks.net/idig/propagation?d=example.com&token=TOKEN"Checks answers across 8 global resolvers: Google, Cloudflare, Quad9, OpenDNS, and more.
Zone Consistency GET /zone/consistency
Why zone consistency matters: Most domains have 2+ authoritative nameservers for redundancy. They
must serve identical data. A stale SOA serial means outdated records — some users get old IPs, others get
new ones. SOA serial mismatches are the #1 cause of "works for me but not my users" DNS problems.
curl "https://api.softricks.net/idig/zone/consistency?d=example.com&token=TOKEN"AXFR Zone Transfer GET /zone/axfr
What is AXFR? AXFR lets a secondary nameserver request the complete zone file from the primary.
If open to the public, anyone can download your entire DNS zone — every subdomain, internal hostname, and
record. A goldmine for attackers. AXFR should always be restricted to known secondary NS IPs.
curl "https://api.softricks.net/idig/zone/axfr?d=example.com&token=TOKEN"TTL Advisory GET /ttl/check
What is TTL? Time To Live tells resolvers how long to cache a record. High TTLs (86400 = 1 day)
reduce query load but slow down changes. Low TTLs (60 = 1 min) allow fast changes but increase latency. A records
for HA services should be ~300s; NS/SOA can be 3600–86400s. Lower TTLs at least 24h before a migration.
curl "https://api.softricks.net/idig/ttl/check?d=example.com&token=TOKEN"Subdomain Discovery GET /subdomains
Why subdomain discovery matters: Subdomains reveal forgotten infrastructure — old staging
servers, unpatched admin panels, exposed internal tools. Two techniques: (1) Wordlist brute-force
tries common names like
mail, vpn, staging. (2) Certificate
Transparency logs are public records of every TLS certificate issued. Since certs list covered domains,
CT logs reveal subdomains no wordlist would guess. crt.sh is the most widely used CT search engine.
curl "https://api.softricks.net/idig/subdomains?d=example.com&token=TOKEN"Results include source attribution: "wordlist", "crt.sh", or "both".
Resolution Health GET /resolve/check
What can go wrong? DNS resolution can fail in several ways: NXDOMAIN = domain
doesn't exist. SERVFAIL = nameserver error (often DNSSEC). NODATA = domain
exists but no records of requested type. Timeout = nameservers unreachable. Each mode has
different causes and fixes.
curl "https://api.softricks.net/idig/resolve/check?d=example.com&token=TOKEN"All-in-One Diagnostic GET /diagnose
When to use this: The
/diagnose endpoint is the best starting point when you're
unsure what's wrong. It runs resolution checks and DNSSEC validation, synthesizing results into three yes/no
questions. This is the endpoint AI agents should call first.
Answers three questions:
- Are there resolution errors?
- Is DNSSEC validated?
- What should be fixed?
curl "https://api.softricks.net/idig/diagnose?d=example.com&token=TOKEN"Batch Mode POST /batch
Batch architecture: Jobs are processed asynchronously via SQS and a separate Lambda worker. The
API validates your plan, deducts quota upfront (domains × checks), creates a DynamoDB job, and pushes to
SQS. The worker runs all checks in parallel with asyncio and writes results back. Poll with the job ID until
complete.
Run multiple checks across multiple domains. Requires Pro plan or higher.
curl -X POST "https://api.softricks.net/idig/batch?token=TOKEN" \
-H "Content-Type: application/json" \
-d '{
"domains": ["example.com", "example.org"],
"checks": ["dns", "ssl", "mx", "email"]
}'All 19 checks: dns ssl mx email
geo ttl whois blacklist http
subdomains dane dnssec_validate dnssec_health
zone_consistency axfr propagation domain_status
resolve diagnose
Poll Results GET /batch/{job_id}
curl "https://api.softricks.net/idig/batch/JOB_ID?token=TOKEN"Quota cost: 1 request per domain × check (deducted at submission).
Error Handling
| Status | Meaning |
|---|---|
400 |
Bad request (invalid domain, too many batch domains, etc.) |
403 |
Invalid or missing token |
429 |
Rate limit or monthly quota exceeded |
500 |
Server error (missing dependency, unexpected failure) |
503 |
Token store temporarily unavailable |
Tips for AI Agents
- Read
/openapi.jsonto discover all endpoints and parameters. - Use
/diagnoseas a first pass — covers resolution + DNSSEC in one call. - Use
/batchfor bulk analysis across multiple domains. - Check
/email/securityfor a complete email authentication profile. - The
rr=allparameter on/returns every DNS record type in one request. - BIMI recommendations only appear when SPF/DKIM/DMARC are already solid.
Architecture
| Component | Technology |
|---|---|
| Runtime | AWS Lambda (Python 3.11, ARM64) |
| Gateway | API Gateway HTTP API |
| DNS Tools | dig, delv, Unbound (local recursive resolver) |
| WHOIS/RDAP | RDAP primary (22 TLD bootstrap), whois fallback |
| Certificate Transparency | crt.sh JSON API |
| Batch Processing | SQS + DynamoDB for async job management |
| Token Store | DynamoDB with TTL-based auto-cleanup |
© Softricks — Swagger UI · OpenAPI Spec