THREAT INTELLIGENCE / TAXII / STIX FEED

Enterprise-grade threat intelligence sharing via TAXII 2.1 with STIX 2.1 objects. Integrate dnsbl.io signals directly into SIEM, SOAR, TIP, and custom detection pipelines without building bespoke parsers.

WHY TAXII/STIX INTEGRATION

Enterprise Integration

Seamlessly feed Splunk, IBM QRadar, ArcSight, Elastic Security, Sentinel, and other SIEM/SOAR stacks.

Threat Sharing

Join global threat intelligence exchanges and keep indicators synchronized with community collections.

Structured Export

Export IoCs in standardized STIX 2.1 format—addresses, domains, URLs, hashes, and relationships stay linked.

TAXII 2.1 SERVER ENDPOINTS

Discovery Endpoint
Retrieve server metadata and discover API roots

GET /taxii2/

{
  "title": "dnsbl.io TAXII 2.1 Server",
  "description": "Threat intelligence feed for spam, phishing, and malware indicators",
  "contact": "security@dnsbl.io",
  "default": "https://api.dnsbl.io/taxii2/api1/",
  "api_roots": [
    "https://api.dnsbl.io/taxii2/api1/"
  ]
}

API Root Information
Capabilities available inside api1 root

GET /taxii2/api1/

{
  "title": "dnsbl.io Primary Feed",
  "description": "Main threat intelligence collections",
  "versions": ["application/taxii+json;version=2.1"],
  "max_content_length": 10485760
}

Collections List
Enumerate available threat intelligence collections

GET /taxii2/api1/collections/

{
  "collections": [
    {
      "id": "spam-sources",
      "title": "Spam Source IPs",
      "description": "IPv4 and IPv6 addresses identified as spam sources",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    },
    {
      "id": "phishing-domains",
      "title": "Phishing Domains",
      "description": "Domains and URLs used for phishing attacks",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    },
    {
      "id": "malware-indicators",
      "title": "Malware Indicators",
      "description": "File hashes, C2 servers, and malware infrastructure",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    },
    {
      "id": "compromised-hosts",
      "title": "Compromised Hosts",
      "description": "Compromised mail relays and open proxies",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/stix+json;version=2.1"]
    }
  ]
}

Collection Objects
Retrieve STIX objects with query filters

GET /taxii2/api1/collections/spam-sources/objects/

Query parameters

  • added_after — ISO-8601 timestamp; returns objects the server added to the collection after that instant (its date_added, not the object's created time), which makes it the watermark for incremental polling
  • limit — Maximum objects returned per page (default 100)
  • match[type] — Filter by STIX object type, e.g. match[type]=indicator
  • next — Pagination cursor; when an envelope carries "more": true, repeat the request with the "next" value it returns until "more" is false

{
  "more": false,
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "created": "2025-01-15T10:30:00.000Z",
      "modified": "2025-01-15T10:30:00.000Z",
      "name": "Spam source IP",
      "description": "IP address identified as spam source by multiple reporters",
      "pattern": "[ipv6-addr:value = '2001:db8::bad:c0de']",
      "pattern_type": "stix",
      "valid_from": "2025-01-15T10:30:00.000Z",
      "labels": ["malicious-activity", "spam"],
      "confidence": 85
    },
    {
      "type": "ipv6-addr",
      "spec_version": "2.1",
      "id": "ipv6-addr--550e8400-e29b-41d4-a716-446655440000",
      "value": "2001:db8::bad:c0de"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "created": "2025-01-15T10:30:00.000Z",
      "modified": "2025-01-15T10:30:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "target_ref": "ipv6-addr--550e8400-e29b-41d4-a716-446655440000"
    }
  ]
}
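
The query parameters and the envelope's "more" flag above are what an incremental poller is built on. The following is an added example, not code from dnsbl.io or from this page: it walks every page of a collection's objects endpoint, carries the server's X-TAXII-Date-Added-Last header forward as the watermark for the next poll, and de-duplicates objects that can repeat across pages. The fetch function and the two response pages are constructed stand-ins (hypothetical data, not a capture from the service) so the exchange runs offline; swap fake_fetch for an authenticated HTTP GET to use it for real.

```python
"""Incremental TAXII 2.1 poll over a paged /objects/ endpoint (added example)."""
from urllib.parse import parse_qs, urlencode

# Constructed sample exchange: what a server would return for one query, split
# into two pages. Keys are the "next" cursor the client sends (None for the
# first request); values are (envelope, response headers). TAXII 2.1 reports
# the date_added of the first/last object delivered in the X-TAXII-Date-Added-*
# headers, which is what a poller should persist as its watermark.
FAKE_PAGES = {
    None: (
        {"more": True, "next": "cursor-2",
         "objects": [
             {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
              "pattern": "[ipv4-addr:value = '192.0.2.10']", "confidence": 85},
             {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
              "pattern": "[ipv4-addr:value = '192.0.2.11']", "confidence": 60},
         ]},
        {"X-TAXII-Date-Added-First": "2025-01-15T10:00:00.000Z",
         "X-TAXII-Date-Added-Last": "2025-01-15T10:30:00.000Z"},
    ),
    "cursor-2": (
        {"more": False,
         "objects": [
             {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
              "pattern": "[domain-name:value = 'evil.example']", "confidence": 90},
         ]},
        {"X-TAXII-Date-Added-First": "2025-01-15T10:45:00.000Z",
         "X-TAXII-Date-Added-Last": "2025-01-15T11:00:00.000Z"},
    ),
}


def fake_fetch(url):
    """Stand-in for an authenticated HTTP GET; returns (json_body, headers).
    A real implementation sends Accept: application/taxii+json;version=2.1 and
    Authorization: Bearer <key>, and raises on any non-200 response."""
    query = parse_qs(url.split("?", 1)[1]) if "?" in url else {}
    cursor = query.get("next", [None])[0]
    return FAKE_PAGES[cursor]


def poll_collection(fetch, api_root, collection_id, added_after=None,
                    limit=100, match_type=None):
    """Fetch everything added after `added_after`; return (objects, watermark).

    The watermark is the server's X-TAXII-Date-Added-Last value. Persisting
    that, rather than local wall-clock time, means a crash between polls can
    only re-deliver objects, never skip ones added while a page was in flight."""
    endpoint = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    params = {"limit": limit}
    if added_after:
        params["added_after"] = added_after
    if match_type:
        params["match[type]"] = match_type
    objects, seen, watermark = [], set(), added_after
    while True:
        body, headers = fetch(f"{endpoint}?{urlencode(params)}")
        for obj in body.get("objects", []):
            key = (obj["id"], obj.get("modified"))   # one entry per object version
            if key not in seen:
                seen.add(key)
                objects.append(obj)
        watermark = headers.get("X-TAXII-Date-Added-Last", watermark)
        if not body.get("more"):
            return objects, watermark
        cursor = body.get("next")
        if not cursor:
            # more=true without a cursor: the server expects a fresh query from
            # the watermark, which the next scheduled poll will issue
            return objects, watermark
        params["next"] = cursor


def demo_poll():
    """One incremental poll against the constructed pages."""
    return poll_collection(fake_fetch, "https://api.dnsbl.io/taxii2/api1/",
                           "spam-sources", added_after="2025-01-08T00:00:00.000Z",
                           match_type="indicator")


if __name__ == "__main__":
    objs, next_watermark = demo_poll()
    print(f"{len(objs)} objects; next poll uses added_after={next_watermark}")
```

Store the returned watermark alongside the collection id; the next run passes it straight back as added_after, so a feed that emits 100,000 objects a day is consumed in 100-object pages without ever re-reading the whole collection.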

STIX 2.1 OBJECT TYPES

Indicator Objects
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--uuid",
  "created": "2025-01-15T10:30:00.000Z",
  "modified": "2025-01-15T10:30:00.000Z",
  "name": "Phishing domain",
  "pattern": "[domain-name:value = 'evil.example']",
  "pattern_type": "stix",
  "valid_from": "2025-01-15T10:30:00.000Z",
  "labels": ["phishing"],
  "confidence": 90
}

Observable Objects
// IPv4 Address
{
  "type": "ipv4-addr",
  "spec_version": "2.1",
  "id": "ipv4-addr--uuid",
  "value": "192.0.2.100"
}

// Domain Name
{
  "type": "domain-name",
  "spec_version": "2.1",
  "id": "domain-name--uuid",
  "value": "evil.example"
}

// URL
{
  "type": "url",
  "spec_version": "2.1",
  "id": "url--uuid",
  "value": "https://evil.example/phish"
}
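
The indicator and observable objects above are only useful to a detection pipeline once their patterns are compiled into something a lookup can hit. The following is an added example, not code from dnsbl.io or from this page: it parses the simple equality form of STIX patterns (including OR-joined comparisons and file:hashes.'SHA-256'), refuses anything it cannot represent exactly, drops revoked, expired, and low-confidence indicators, and matches constructed events against the resulting index. The indicator objects other than the page's own phishing-domain indicator, the event schema (src_ip, dest_ip, domain, url, sha256), and the fixed clock are constructed for the demo.

```python
"""Compile STIX 2.1 indicators into a lookup index and match events (added example)."""
import re
from datetime import datetime, timezone

# One equality comparison inside a STIX pattern: <object-type>:<property-path> = '<value>'.
# The path may carry a quoted hash key, e.g. file:hashes.'SHA-256'.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

# Which logical event field a given observable property is checked against
FIELD_MAP = {
    ("ipv4-addr", "value"): "ip",
    ("ipv6-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.'SHA-256'"): "sha256",
}
# Event keys -> logical field (constructed schema for the sample events below)
EVENT_FIELDS = {"src_ip": "ip", "dest_ip": "ip", "domain": "domain", "url": "url", "sha256": "sha256"}


def _ts(value):
    """Parse a STIX timestamp (UTC 'Z', optional fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _norm(field, value):
    """Case-fold everything except URLs, whose paths are case-sensitive."""
    return value if field == "url" else value.lower()


def parse_pattern(pattern):
    """Return (type, path, value) triples for a pattern made only of equality
    comparisons joined by OR. Anything else (AND, NOT, LIKE, MATCHES, ranges,
    FOLLOWEDBY) returns [] so the indicator is skipped instead of being turned
    into a looser rule than its author wrote."""
    triples = COMPARISON.findall(pattern)
    residue = re.sub(r"\bOR\b|[\[\]()\s]", "", COMPARISON.sub("", pattern))
    return triples if triples and not residue else []


def build_index(objects, min_confidence=0, now=None):
    """Index live indicators by (field, normalised value)."""
    now = now or datetime.now(timezone.utc)
    index = {}
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue                      # SCOs, relationships and revoked indicators carry no rule
        if obj.get("pattern_type", "stix") != "stix":
            continue                      # sigma/yara/snort patterns need their own engines
        if obj.get("confidence", 0) < min_confidence:
            continue                      # an absent confidence counts as 0
        if _ts(obj["valid_from"]) > now or (obj.get("valid_until") and _ts(obj["valid_until"]) <= now):
            continue                      # not yet valid, or expired
        for otype, path, value in parse_pattern(obj["pattern"]):
            field = FIELD_MAP.get((otype, path))
            if field:
                index[(field, _norm(field, value.replace("\\'", "'")))] = obj
    return index


def match_events(index, events):
    """Return one hit per (event, key) whose value is in the index."""
    hits = []
    for i, event in enumerate(events):
        for key, field in EVENT_FIELDS.items():
            ind = index.get((field, _norm(field, event[key]))) if key in event else None
            if ind:
                hits.append({"event": i, "key": key, "value": event[key],
                             "indicator": ind["id"], "confidence": ind.get("confidence")})
    return hits


NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)   # fixed clock so the demo is deterministic

# Constructed sample envelope: the page's phishing indicator plus hypothetical ones
# exercising each drop rule (OR pattern, expired, revoked, low confidence, AND pattern, SCO).
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'evil.example']", "valid_from": "2025-01-15T10:30:00.000Z", "confidence": 90},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.100' OR url:value = 'https://evil.example/phish']",
     "valid_from": "2025-01-15T10:30:00.000Z", "confidence": 85},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-06-01T00:00:00Z", "confidence": 95},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.200']", "valid_from": "2025-01-15T10:30:00.000Z", "confidence": 80, "revoked": True},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.201']", "valid_from": "2025-01-15T10:30:00.000Z", "confidence": 30},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.202' AND domain-name:value = 'cdn.example']",
     "valid_from": "2025-01-15T10:30:00.000Z", "confidence": 80},
    {"type": "ipv4-addr", "id": "ipv4-addr--00000000-0000-4000-8000-000000000006", "value": "192.0.2.100"},
]
# Constructed events (not real logs); the last two must not match
SAMPLE_EVENTS = [
    {"src_ip": "198.51.100.7", "dest_ip": "192.0.2.100"},
    {"src_ip": "198.51.100.8", "domain": "EVIL.EXAMPLE"},
    {"src_ip": "198.51.100.9", "url": "https://evil.example/phish"},
    {"src_ip": "192.0.2.200"},
    {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def run_demo(min_confidence=50):
    """Build the index from the sample envelope and match the sample events."""
    index = build_index(SAMPLE_OBJECTS, min_confidence=min_confidence, now=NOW)
    return index, match_events(index, SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_demo()[1]:
        print(hit)
```

The refusal in parse_pattern is deliberate: a pattern joined by AND describes a conjunction, and indexing its comparisons separately would alert on traffic the indicator author never claimed was malicious. Re-run build_index on every poll so valid_until expiries and revoked objects age out of the blocklist.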

INTEGRATION PLAYBOOKS

Menu paths and field names below follow each product's web UI and are indicative; they vary between product versions, so check the vendor documentation for the exact TAXII 2.1 connector your deployment ships with.

MISP
Import dnsbl.io feeds into Malware Information Sharing Platform
# Administration → Feeds → Add Feed
Name: dnsbl.io TAXII Feed
Provider: dnsbl.io
Input Source: Network (TAXII)
URL: https://api.dnsbl.io/taxii2/api1/
TAXII Version: 2.1
Collection: spam-sources
Authentication: API Key
API Key: YOUR_API_KEY

# Enable and fetch
Enabled: Yes
Caching: Yes
Distribution: Your Organisation Only

OpenCTI
Connect dnsbl.io TAXII server to OpenCTI connectors
# Data → Connectors → Add Connector → TAXII 2.1
Name: dnsbl.io Feed
Discovery URL: https://api.dnsbl.io/taxii2/
API Root: https://api.dnsbl.io/taxii2/api1/
Collections: spam-sources, phishing-domains, malware-indicators
Authentication: Bearer Token
Token: YOUR_API_KEY
Interval: 3600 (1 hour)
Create Indicators: Yes
Create Observables: Yes

Python (taxii2-client)
Automate ingestion with the OASIS taxii2-client and stix2 libraries. Note that cabby is a TAXII 1.x client and cannot talk to a TAXII 2.1 server; taxii2-client is the maintained client for 2.0/2.1.

Installation

pip install taxii2-client stix2

from datetime import datetime, timedelta, timezone

import requests
from taxii2client.v21 import Server, as_pages

API_KEY = "YOUR_API_KEY"


class BearerAuth(requests.auth.AuthBase):
    """requests auth hook that sends the dnsbl.io key as a Bearer token."""

    def __init__(self, token):
        self.token = token

    def __call__(self, request):
        request.headers["Authorization"] = f"Bearer {self.token}"
        return request


# Discovery: the server advertises its API roots; each root lists its collections
server = Server("https://api.dnsbl.io/taxii2/", auth=BearerAuth(API_KEY))
api_root = server.api_roots[0]   # https://api.dnsbl.io/taxii2/api1/

for collection in api_root.collections:
    print(collection.id, collection.title, "readable" if collection.can_read else "not readable")

spam_sources = next(c for c in api_root.collections if c.id == "spam-sources")

# added_after filters on the server's date_added and must be timezone-aware.
# Responses are paged, so walk every envelope until "more" is false rather
# than reading only the first page of objects.
added_after = datetime.now(timezone.utc) - timedelta(days=7)
for envelope in as_pages(spam_sources.get_objects, per_request=100, added_after=added_after):
    for obj in envelope.get("objects", []):
        if obj["type"] == "indicator":
            print(obj["name"], obj["pattern"], obj.get("confidence", "N/A"))

Splunk ES
Use Enterprise Security Threat Intelligence framework
# Configure → Data Enrichment → Threat Intelligence Downloads
Name: dnsbl.io TAXII Feed
Type: TAXII
URL: https://api.dnsbl.io/taxii2/api1/
Collection: spam-sources
Authentication: API Key
API Key: YOUR_API_KEY
Poll Interval: 3600 seconds
Weight: 5

# Example lookup usage: run against event data, not against the indicator
# lookup itself, and use the lookup name ES assigned to the download
index=YOUR_INDEX
| eval threat_key=coalesce(src_ip, dest_ip, domain, url)
| lookup threat_intel threat_key OUTPUT threat_category, confidence, description
| where isnotnull(threat_category)

AUTHENTICATION & ACCESS CONTROL

API Keys

All endpoints require a Bearer token. TAXII 2.1 also requires the client to state which media type it accepts, so send both headers on every request; a conforming server rejects requests that omit the Accept header. Replace YOUR_API_KEY with credentials issued via the dnsbl.io console.

Authorization: Bearer YOUR_API_KEY
Accept: application/taxii+json;version=2.1

Free Tier Limits

  • Read-only access to every TAXII collection
  • 100,000 STIX objects per day
  • New indicators appear in the collections within minutes of report ingestion; TAXII 2.1 is pull-based, so clients pick them up by polling with added_after
  • Full TAXII 2.1 + STIX 2.1 compliance

Higher quotas and write access for enterprise submissions are available on request—reach out to the trust & safety team for onboarding.

SUPPORTED PLATFORMS

Threat Intel Platforms

  • MISP (Malware Information Sharing Platform)
  • OpenCTI (Open Cyber Threat Intelligence)
  • ThreatConnect
  • EclecticIQ Platform
  • Anomali ThreatStream

SIEM / SOAR

  • Splunk Enterprise Security
  • IBM QRadar
  • ArcSight ESM
  • Elastic Security
  • Microsoft Sentinel