# SecurityTrails MCP

> SecurityTrails MCP connects deep domain and IP intelligence into your AI agent. Instantly map an organization's entire digital footprint by accessing historical DNS records, enumerating hidden subdomains, checking WHOIS ownership changes, and running advanced threat queries against the world's largest database of network data.

## Overview
- **Category:** security-compliance
- **Price:** Free
- **Tags:** osint, dns-history, subdomain-enumeration, whois, bug-bounty, threat-intelligence

## Description

You can use this MCP to treat any target domain like a live intelligence feed. Instead of spending hours clicking through separate databases for IP history, you ask your agent to find connections between domains, IPs, and people. It pulls together historical DNS records, the kind that show where an organization's hostnames pointed years ago, including infrastructure it has since abandoned. You can expand the scope of any investigation by finding other domains associated with a primary target or by looking up every domain hosted on a specific IP address. These capabilities let you track infrastructure migration, unmask forgotten assets, and identify potential brand squatters before they cause trouble. Connecting this MCP through Vinkius lets your agent perform these OSINT tasks without specialized terminal commands: you ask the question, and it returns the historical data you need for bug bounty hunting or threat intelligence.

## Tools

### get_api_usage
Reports how much of your SecurityTrails API quota you have consumed in the current billing period (quotas are monthly), so you can budget queries before a large investigation.

### get_domain_tags
Provides classification tags that categorize the purpose and type of a specific domain.

### get_dns_history
Retrieves historical DNS records for a domain, useful for seeing old IPs or tracking infrastructure moves.

### get_subdomains
Lists the subdomains SecurityTrails has recorded for a domain, including ones that no longer resolve. Treat the result as the known set, not a guarantee of completeness.

### get_whois
Gets the current registration and ownership information (WHOIS) for any specified domain.

### search_dsl
Runs targeted queries across the SecurityTrails dataset using the SecurityTrails DSL query syntax, for example filtering domains by nameserver or IP attributes.

### get_domains_by_ip
Lists the domains that currently point to a single IP address (reverse IP lookup). Large result sets usually indicate shared hosting or a CDN, where co-location says little about ownership.

### get_domain_details
Gathers complete current domain intelligence, including DNS records and core structural data for mapping.

### get_associated_domains
Finds other domains that are strongly linked to a primary target domain, expanding your investigation scope.

### get_whois_history
Retrieves historical WHOIS records for a domain, including registrant details captured before the current privacy redaction was applied.

## Prompt Examples

**Prompt:** 
```
Find all subdomains for tesla.com.
```

**Response:** 
```
I've queried SecurityTrails and found 482 subdomains for tesla.com, including: autodiscover.tesla.com, sso.tesla.com, ir.tesla.com, shop.tesla.com, and energy.tesla.com.
```

**Prompt:** 
```
Check the historical 'A' records for example.com. Were there any changes in 2021?
```

**Response:** 
```
Looking at the DNS history for example.com, the A record currently points to 93.184.216.34. However, back in 2021, the domain pointed to 93.184.216.119 before migrating infrastructure in late 2022.
```

**Prompt:** 
```
What domains are hosted on the IP 8.8.8.8?
```

**Response:** 
```
I performed a reverse IP lookup on 8.8.8.8 (Google Public DNS). As expected for a public resolver, there are millions of historical records pointing here, but currently, domains like dns.google and google-public-dns-a.google.com resolve directly to this IP address.
```

## Capabilities

### Map Asset Footprint
Lists every subdomain SecurityTrails has on record for a target domain, whether or not it currently resolves.

### Trace Historical Records
Retrieves past DNS records (A, MX, NS, TXT) to map out how an organization's infrastructure has changed over time.

### Identify Shared Infrastructure
Finds all domains that share the same IP address, helping locate hidden virtual hosts or related assets.

### Determine Ownership Changes
Accesses current and historical WHOIS data to track domain ownership changes and identify potential malicious actors.

### Execute Advanced Queries
Uses the SecurityTrails Domain Specific Language (DSL) to query the SecurityTrails dataset for niche tech stacks or infrastructure patterns.

## Use Cases

### Finding old forgotten systems after a company merger
A threat analyst needs to know whether the merged company still runs legacy infrastructure. They query `get_dns_history` for the original domain, and the records show hostnames that pointed, for years, at IP addresses outside the current hosting footprint. Hosts at those addresses that still respond are unmanaged legacy systems worth checking; addresses the company no longer controls should be compared against the live zone, because any record that still points there is a dangling-DNS takeover risk.

### Mapping out a target's entire web presence
A bug bounty hunter starts with one in-scope domain. They run `get_subdomains` and then `get_associated_domains`. The agent returns hundreds of subdomains and related apex domains, letting them test the full breadth of the program's assets after confirming each one is actually in scope.

### Investigating a suspicious IP for related criminal activity
A researcher gets an unknown IP. They use `get_domains_by_ip` and find four domains pointing to it with different registrants and nameservers. With so few tenants the address is not a bulk shared host, so the researcher checks WHOIS and nameservers for each domain to separate the operator's own domains from unrelated neighbours rather than assuming a single owner; on a CDN or shared hosting IP the same lookup would return hundreds of unrelated domains and prove nothing.

### Tracing a domain back through multiple hands
A brand protection team suspects typosquatting. They use `get_whois` and then `get_whois_history` to trace ownership changes, determining when the malicious actor first registered the related domain.

## Benefits

- Discover hidden assets: Instead of just checking the main site, use `get_subdomains` to map every associated subdomain and find overlooked attack vectors.
- Track infrastructure changes: Use `get_dns_history` to see where a domain pointed five years ago. This reveals abandoned services or legacy systems that are still vulnerable.
- Scope expansion: When you find one target, use `get_associated_domains` to automatically pull in every related corporate site without manual research.
- Identify shared risks: Run `get_domains_by_ip` on a suspicious IP address. This shows every other domain that shares it; on a single server that means one compromise affects all of them, while a very long list indicates shared hosting or a CDN where co-location implies nothing.
- Deep intelligence gathering: Use the advanced `search_dsl` tool to query for specific tech stacks (e.g., 'all domains using Nginx and hosted in Germany').
- Ownership tracking: The combination of `get_whois` and `get_whois_history` allows you to build a timeline of who controlled a domain over decades.

## How It Works

The bottom line is that you get deep, actionable domain intelligence without ever leaving your primary chat interface.

1. Subscribe to this MCP and sign up at SecurityTrails to get your API key.
2. Connect your agent by providing the API key via Vinkius; your AI client attaches it to each request. Treat the key as a credential: it is tied to your quota and account, so keep it out of shared prompts and transcripts and rotate it if it leaks.
3. Ask your agent a specific question, like 'What historical records point to example.com?' The MCP executes the query and returns structured data.

## Frequently Asked Questions

**What is the difference between `get_subdomains` and `get_associated_domains` using SecurityTrails MCP?**
`get_subdomains` finds all variations attached to a single domain (like 'staging.example.com'). `get_associated_domains`, however, finds entirely separate domains that are strongly linked to the primary target company.

**Can I use SecurityTrails MCP to find out who owned a domain in 2015?**
Often, but not by bypassing anything. `get_whois_history` returns the WHOIS records SecurityTrails captured at the time, so a 2015 snapshot shows whatever the registrar published then, before the blanket redaction that arrived with GDPR in 2018. If the domain used a privacy proxy in 2015, the snapshot shows the proxy service, not the owner. `get_dns_history` holds no ownership data, but the nameservers and IPs in use in 2015 can corroborate who operated the domain.
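The ownership-tracing workflow from the use cases and this FAQ, as an added example that is not code from the SecurityTrails MCP or SecurityTrails. The snapshot layout (`date`, `registrant_org`, `registrant_email`, `registrar`, `nameservers`) and the redaction marker and proxy-service lists are assumptions; flatten whatever `get_whois_history` returns into that shape. The sample history is constructed and describes no real domain. The point it demonstrates is that a redacted field is missing evidence, not a change of owner: an ownership change is only reported when two confirmed registrants differ, and registrar and nameserver moves in the redacted gap are reported separately as the dating signal.

```python
"""Build an ownership timeline from historical WHOIS snapshots (added example)."""
from datetime import date

# Values registrars emit in place of real contact data (partial list, assumption).
REDACTION_MARKERS = {"", "redacted for privacy", "data protected", "not disclosed"}
# WHOIS privacy/proxy services that show up as the "registrant" (partial list, assumption).
PROXY_HINTS = ("domains by proxy", "whoisguard", "privacy protect", "withheld for privacy")

# Constructed sample: five snapshots spanning a redaction gap and a transfer.
SAMPLE_WHOIS_HISTORY = [
    {"date": "2014-02-10", "registrant_org": "Contoso Ltd", "registrant_email": "admin@contoso.example",
     "registrar": "Registrar A", "nameservers": ["ns1.contoso.example"]},
    {"date": "2016-07-22", "registrant_org": "Contoso Ltd", "registrant_email": "hostmaster@contoso.example",
     "registrar": "Registrar A", "nameservers": ["ns1.contoso.example"]},
    {"date": "2018-06-01", "registrant_org": "REDACTED FOR PRIVACY", "registrant_email": "REDACTED FOR PRIVACY",
     "registrar": "Registrar A", "nameservers": ["ns1.contoso.example"]},
    {"date": "2021-11-15", "registrant_org": "REDACTED FOR PRIVACY", "registrant_email": "REDACTED FOR PRIVACY",
     "registrar": "Registrar B", "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"]},
    {"date": "2022-01-03", "registrant_org": "Fabrikam Holdings", "registrant_email": "domains@fabrikam.example",
     "registrar": "Registrar B", "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"]},
]


def is_hidden(value):
    """True when a WHOIS field carries no real registrant information."""
    if value is None:
        return True
    v = value.strip().lower()
    return v in REDACTION_MARKERS or "redact" in v or any(h in v for h in PROXY_HINTS)


def _event(when, kind, detail):
    return {"date": when, "kind": kind, "detail": detail}


def ownership_timeline(snapshots):
    """Chronological events: contact updates, redaction windows, confirmed
    ownership changes, plus registrar/nameserver moves that date transfers
    happening inside a redaction window."""
    snaps = sorted(snapshots, key=lambda s: date.fromisoformat(s["date"]))
    events, prev, redacted = [], None, False
    last_org = last_org_date = last_email = None
    for s in snaps:
        when = s["date"]
        org = None if is_hidden(s.get("registrant_org")) else s["registrant_org"]
        email = None if is_hidden(s.get("registrant_email")) else s["registrant_email"]
        if org is None and email is None:
            if not redacted:
                events.append(_event(when, "redaction_start",
                                     "registrant hidden; later changes only inferable from registrar/NS moves"))
                redacted = True
        else:
            if redacted:
                events.append(_event(when, "redaction_end", "registrant visible again"))
                redacted = False
            if org and last_org and org != last_org:
                events.append(_event(when, "ownership_change",
                                     f"{last_org} -> {org} (last confirmed {last_org} on {last_org_date})"))
            elif email and last_email and email != last_email:
                events.append(_event(when, "contact_update", f"{last_email} -> {email}"))
            if org:
                last_org, last_org_date = org, when
            if email:
                last_email = email
        if prev is not None:
            if s.get("registrar") != prev.get("registrar"):
                events.append(_event(when, "registrar_change", f"{prev.get('registrar')} -> {s.get('registrar')}"))
            if set(s.get("nameservers", ())) != set(prev.get("nameservers", ())):
                events.append(_event(when, "nameserver_change",
                                     f"{sorted(prev.get('nameservers', ()))} -> {sorted(s.get('nameservers', ()))}"))
        prev = s
    return events


def owner_as_of(snapshots, when):
    """(last confirmed registrant org at `when`, whether the snapshot in force
    at that date itself confirms it). A False second value means the answer is
    carried forward from before a redaction and may be stale."""
    target = date.fromisoformat(when)
    org, confirmed = None, False
    for s in sorted(snapshots, key=lambda s: date.fromisoformat(s["date"])):
        if date.fromisoformat(s["date"]) > target:
            break
        if is_hidden(s.get("registrant_org")):
            confirmed = False
        else:
            org, confirmed = s["registrant_org"], True
    return org, confirmed


if __name__ == "__main__":
    for ev in ownership_timeline(SAMPLE_WHOIS_HISTORY):
        print(ev["date"], ev["kind"], ev["detail"])
    print(owner_as_of(SAMPLE_WHOIS_HISTORY, "2015-06-01"))
```

On the sample, the 2022 snapshot yields an ownership change from Contoso Ltd to Fabrikam Holdings, but the last confirmed Contoso sighting is 2016; the registrar and nameserver moves in November 2021 are what actually date the transfer inside the redacted window.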

**Does SecurityTrails MCP only work for major corporate websites?**
No. It handles anything from large corporations to small personal sites, allowing you to run advanced searches using the `search_dsl` tool on any domain or IP range.

**How do I check if a domain is part of a larger network?**
Run `get_domains_by_ip`. This tool lists every known domain that shares an IP address, which identifies shared hosting or co-located virtual hosts. Check nameservers and WHOIS for the listed domains before treating them as one network: on shared hosting or a CDN the tenants are usually unrelated.
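The co-tenant triage described in the "Investigating a suspicious IP" use case and this FAQ, as an added example that is not code from the SecurityTrails MCP. It assumes you have already called `get_domains_by_ip` for the address and `get_domain_details` or `get_whois` for each returned domain, and flattened the results into the per-domain dicts shown; the sample domains, the 25-tenant shared-hosting threshold and the 0.8 lookalike ratio are constructed assumptions. Co-location is scored only together with independent signals (registrant org, nameserver set, mail host), and the tenant count downgrades the verdict for shared hosts.

```python
"""Score reverse-IP co-tenants for relatedness to a seed domain (added example)."""
from difflib import SequenceMatcher

# Above this many domains on one IP, treat the address as shared hosting/CDN
# and stop reading co-location as evidence of a relationship (assumed threshold).
SHARED_HOSTING_THRESHOLD = 25
LOOKALIKE_RATIO = 0.8  # assumed cut-off for flagging near-identical labels

# Constructed sample: the investigated domain and four domains sharing its IP.
SEED = {"domain": "contoso.example", "registrant_org": "Contoso Ltd",
        "nameservers": {"ns1.contoso.example", "ns2.contoso.example"},
        "mx": {"mx.contoso.example"}}

COHOSTED = [
    {"domain": "contoso-shop.example", "registrant_org": "Contoso Ltd",
     "nameservers": {"ns1.contoso.example", "ns2.contoso.example"}, "mx": {"mx.contoso.example"}},
    {"domain": "contoso-careers.example", "registrant_org": "REDACTED FOR PRIVACY",
     "nameservers": {"ns1.contoso.example", "ns2.contoso.example"}, "mx": set()},
    {"domain": "bakery.example", "registrant_org": "Sunrise Bakery",
     "nameservers": {"ns1.cheaphost.example", "ns2.cheaphost.example"}, "mx": {"mail.cheaphost.example"}},
    {"domain": "c0ntoso.example", "registrant_org": "REDACTED FOR PRIVACY",
     "nameservers": {"ns1.cheaphost.example", "ns2.cheaphost.example"}, "mx": set()},
]


def _hidden(org):
    return not org or "redact" in org.lower()


def _label(domain):
    return domain.split(".")[0].lower()


def is_lookalike(seed_domain, other_domain):
    """Flag labels that nearly match the seed without containing it
    (c0ntoso vs contoso); sub-brands like contoso-shop are not lookalikes."""
    a, b = _label(seed_domain), _label(other_domain)
    if a == b or a in b:
        return False
    return SequenceMatcher(None, a, b).ratio() >= LOOKALIKE_RATIO


def relatedness(seed, other):
    """Score independent ownership signals; a redacted registrant contributes nothing."""
    score, reasons = 0, []
    if (not _hidden(seed["registrant_org"]) and not _hidden(other["registrant_org"])
            and seed["registrant_org"].lower() == other["registrant_org"].lower()):
        score += 2
        reasons.append("same registrant org")
    if seed["nameservers"] and seed["nameservers"] == other["nameservers"]:
        score += 1
        reasons.append("identical nameserver set")
    if seed["mx"] and seed["mx"] == other["mx"]:
        score += 1
        reasons.append("same mail host")
    return score, reasons


def triage(seed, cohosted, total_on_ip=None):
    """Verdict per co-tenant. `total_on_ip` is the full count reported by the
    reverse lookup when only a page of results was fetched."""
    total = len(cohosted) if total_on_ip is None else total_on_ip
    shared = total > SHARED_HOSTING_THRESHOLD
    rows = []
    for d in cohosted:
        score, reasons = relatedness(seed, d)
        if score >= 2:
            verdict = "related"
        elif score == 1:
            verdict = "possible"
        else:
            verdict = "unrelated tenant" if shared else "co-located, no corroboration"
        rows.append({"domain": d["domain"], "score": score, "verdict": verdict,
                     "reasons": reasons, "lookalike": is_lookalike(seed["domain"], d["domain"])})
    rows.sort(key=lambda r: (-r["score"], r["domain"]))
    return {"shared_hosting": shared, "tenants": total, "results": rows}


if __name__ == "__main__":
    for row in triage(SEED, COHOSTED, total_on_ip=4)["results"]:
        print(row)
```

The `lookalike` flag is independent of the score on purpose: `c0ntoso.example` scores zero on ownership signals, which is exactly what a squatter sitting on the same cheap host would look like, so it is surfaced for the brand-protection check rather than folded into relatedness.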

**Is SecurityTrails MCP better than standard DNS lookup tools?**
Yes. Standard lookups only give you the current record. This MCP provides historical depth and cross-referencing capabilities that connect ownership, IP usage, and domain names over time.

**Is the SecurityTrails API free to use?**
SecurityTrails offers a Free Tier API plan which allows 50 API requests per month. This is excellent for specific, targeted OSINT investigations. For automated or large-scale recon, you would need a commercial subscription.

**What is historical DNS good for?**
Companies often migrate infrastructure and put a reverse proxy or WAF such as Cloudflare in front of it. Historical DNS reveals the origin IP addresses used before the proxy was introduced. If such an origin still accepts connections from any source, an attacker can talk to it directly and bypass the WAF's filtering and rate limits, which is why penetration testers check for it and why an origin should only accept traffic from the provider's published IP ranges.
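The origin-discovery check this FAQ and the "Track infrastructure changes" benefit describe, as an added example that is not code from the SecurityTrails MCP or SecurityTrails. Assumptions: the history dict mirrors the shape of a DNS history response (a `records` list whose entries carry `type`, `first_seen`, `last_seen` and a `values` list of `{"ip": ...}`), the `CDN_RANGES` list is a placeholder to be replaced with the front-end provider's published ranges, and `SAMPLE_HISTORY` is constructed and describes no real domain. The verification command it emits uses curl's `--resolve` option so the request carries the real hostname while being sent to the candidate origin.

```python
"""Triage historical A records for a WAF-fronted site to find candidate origin IPs (added example)."""
import ipaddress
from datetime import date

# Placeholder WAF/CDN front-end ranges (assumption). Load the provider's
# published list in real use; anything outside it is a candidate origin.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed sample: three generations of A records, the newest behind the CDN.
SAMPLE_HISTORY = {
    "type": "a/ipv4",
    "records": [
        {"type": "a", "first_seen": "2023-03-01", "last_seen": "2024-06-30",
         "values": [{"ip": "104.18.22.5"}, {"ip": "104.18.23.5"}]},
        {"type": "a", "first_seen": "2019-08-12", "last_seen": "2023-02-28",
         "values": [{"ip": "203.0.113.45"}]},
        {"type": "a", "first_seen": "2016-01-04", "last_seen": "2019-08-11",
         "values": [{"ip": "198.51.100.7"}]},
    ],
}


def behind_cdn(ip):
    """True if the address falls inside one of the known front-end ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def candidate_origins(history):
    """Non-CDN IPs from the history, most recently seen first.

    Each entry keeps its observation window so the analyst can judge how stale
    it is, plus `retired_before_cdn`: True when the record's last sighting
    predates the first CDN record, i.e. it is most likely the pre-WAF origin.
    """
    cdn_first_seen = None
    seen = {}
    for rec in history.get("records", []):
        if rec.get("type") != "a":
            continue
        first = date.fromisoformat(rec["first_seen"])
        last = date.fromisoformat(rec["last_seen"])
        for value in rec.get("values", []):
            ip = value["ip"]
            if behind_cdn(ip):
                if cdn_first_seen is None or first < cdn_first_seen:
                    cdn_first_seen = first
                continue
            entry = seen.setdefault(ip, {"ip": ip, "first": first, "last": last})
            entry["first"] = min(entry["first"], first)
            entry["last"] = max(entry["last"], last)

    out = []
    for entry in sorted(seen.values(), key=lambda e: e["last"], reverse=True):
        out.append({
            "ip": entry["ip"],
            "first_seen": entry["first"].isoformat(),
            "last_seen": entry["last"].isoformat(),
            "retired_before_cdn": cdn_first_seen is not None and entry["last"] < cdn_first_seen,
        })
    return out


def verify_command(hostname, ip):
    """curl invocation that tests whether a candidate origin still serves the
    site when contacted directly. `--resolve` pins the hostname to the IP so
    the TLS SNI and Host header match what the origin expects; a 200 here
    means the WAF can be bypassed."""
    return (f"curl -sk --max-time 10 --resolve {hostname}:443:{ip} "
            f"https://{hostname}/ -o /dev/null -w '%{{http_code}}\\n'")


if __name__ == "__main__":
    for cand in candidate_origins(SAMPLE_HISTORY):
        print(cand)
        print("  ", verify_command("www.contoso.example", cand["ip"]))
```

Only the candidate list and the command are produced offline; actually running the command against a target is an active test and needs authorisation. The fix on the defending side is the one the FAQ states: the origin should accept connections only from the proxy provider's published ranges, after which the direct request fails regardless of what historical DNS reveals.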

**How can I find related domains for a target company?**
Use the `get_associated_domains` tool. It uses proprietary correlation to find other domains owned by the same entity. You can also use `get_domains_by_ip` to find what else is hosted on their IP space.