Authentication
Pass your API key in the X-Api-Key request header on every request.
curl https://api.kubetools.net/dns \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"domain":"example.com","recordType":"A"}'Kubetools API key
API keys are available on your account page. Keep your key secret — do not expose it in client-side code.
401 Unauthorized. Requests from a Free plan account return 403 Forbidden.Errors
All errors return a consistent JSON envelope:
{
"error": "missing_domain",
"message": "domain is required"
}| Status | Meaning |
|---|---|
400 | Bad request — missing or invalid parameters |
401 | No API key provided |
403 | Valid key but plan does not allow API access |
429 | Rate limit exceeded |
500 | Internal server error |
Rate limits
Pro plan API keys are limited to 1000 requests per day. The current limit is returned in response headers:
X-RateLimit-Limit: 1000 X-RateLimit-Remaining: 987 X-RateLimit-Reset: 1718000000
IP Lookup
Resolves an IP address or domain name to its geographic location and reverse DNS (PTR) record. Pass either a raw IP address (e.g. `93.184.216.34`) or a domain name — if a domain is provided, it is resolved to an IP first. The response includes country, region, city, postal code, timezone, and coordinates, along with the PTR record from a reverse DNS lookup.
/ip_lookup IPLookupParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
address | string | Yes | IP address or domain name to query |
curl https://api.kubetools.net/ip_lookup \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"address":"example.com"}'{
"PTR": "example.com",
"countryCode": "US",
"countryName": "United States",
"regionName": "California",
"cityName": "San Francisco",
"latitude": 37.7749,
"longitude": -122.4194,
"zipCode": "94103",
"timeZone": "America/Los_Angeles"
}DNS Lookup
Queries a DNS resolver for records associated with the given domain name. Specify the record type to query (e.g. `A`, `MX`, `TXT`) and optionally a custom resolver via `server` (host:port). If no resolver is provided, the system default is used. The response includes metadata about the query (resolver used, query time, DNSSEC status, AA/TC flags) alongside the matching DNS records for the requested type.
/dns DNSLookupParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
domain | string | Yes | The domain name to query |
recordType | "A", "AAAA", "CAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT" | Yes | DNS record type to query |
server | string | No | The DNS resolver to use (host:port). Defaults to system resolver if omitted. |
curl https://api.kubetools.net/dns \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"domain":"example.com","recordType":"MX","server":"8.8.8.8:53"}'{
"domain": "example.com",
"recordType": "A",
"server": "8.8.8.8:53",
"queryTime": "12ms",
"timestamp": "",
"authoritative": false,
"truncated": false,
"dnssec": false
}DNS Lookup All
Queries every supported DNS record type (A, AAAA, MX, NS, TXT, CNAME, SOA, CAA, PTR, SRV) for the given domain in a single request. Record types that return no results are omitted from the response. Use this endpoint when you need a full picture of a domain's DNS configuration without issuing one request per record type.
/dns/all DNSLookupAllParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
domain | string | Yes | The domain name to query |
server | string | No | The DNS resolver to use (host:port). Defaults to system resolver if omitted. |
curl https://api.kubetools.net/dns/all \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"domain":"example.com","server":"8.8.8.8:53"}'{
"domain": "example.com",
"server": "8.8.8.8:53",
"results": [
{
"domain": "example.com",
"recordType": "A",
"server": "8.8.8.8:53",
"queryTime": "12ms",
"timestamp": "",
"authoritative": false,
"truncated": false,
"dnssec": false
}
]
}DNS Propagation
Queries a set of DNS resolvers and returns the raw DNS record each resolver has for the requested domain and record type. No interpretation is applied — propagation analysis is left to the client.
/dns/propagation checkDNSPropagationParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
domain | string | Yes | Fully-qualified domain name to check (e.g. `example.com` or `sub.example.com`). A trailing dot is accepted but not required. |
recordType | "A", "AAAA", "CAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT" | Yes | DNS record type to query |
timeout | string | No | Maximum duration to wait for each resolver to respond, in Go duration format
(e.g. `5s`, `500ms`). Defaults to `5s`. Maximum allowed value is `30s`. Default: 5s |
curl https://api.kubetools.net/dns/propagation \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"domain":"example.com","recordType":"A"}'{
"domain": "example.com",
"recordType": "A",
"results": [
{
"resolver": "8.8.8.8",
"latencyMs": 12,
"queriedAt": "2024-06-01T12:00:00Z"
}
],
"checkedAt": "2024-06-01T12:00:00Z"
}DNS Blacklist
Accepts an IPv4 address or a domain name. Domains are resolved to their first A record before the check is performed. Each loaded DNSBL zone is queried concurrently. Zones marked `domainOnly` in the server configuration are skipped when the input resolves to a bare IP address. DNSBL lookup mechanics: the IP is reversed (`1.2.3.4` → `4.3.2.1`) and prepended to the zone hostname. An A-record response indicates the IP is listed; NXDOMAIN means clean. When listed, the TXT record is also fetched to populate the `reason` field.
/blacklist checkBlacklistParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
address | string | Yes | IPv4 address or domain name to check against DNSBL zones. Domains are resolved to their first A record before lookup. Only IPv4 is supported; IPv6 addresses will result in an error. |
curl https://api.kubetools.net/blacklist \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"address":"1.2.3.4"}'{
"input": "example.com",
"ip": "93.184.216.34",
"reversedIP": "34.216.184.93",
"timestamp": "2025-03-24T12:00:00Z",
"results": [
{
"zone": "zen.spamhaus.org",
"name": "Spamhaus ZEN",
"category": "spam",
"website": "https://www.spamhaus.org",
"listed": false,
"queryTime": "14ms"
}
],
"summary": {
"total": 10,
"listed": 1,
"clean": 8,
"errors": 1
}
}WHOIS
Queries a WHOIS server for registration data associated with the given domain name. Optionally specify a WHOIS server to query directly via `server`. If omitted, the appropriate TLD server is used automatically. If the TLD server returns a registrar referral, that referral is followed and recorded in the `referral` field of the response. The response includes registrar details, key dates (registration, expiry, last update), nameservers, EPP status codes, DNSSEC status, and contact information for the registrant, admin, and tech roles. Contact fields may be absent or marked `redacted` where privacy protection (e.g. GDPR) applies. The raw WHOIS response text is also returned for cases where parsed fields are incomplete.
/whois whoisLookupParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
domain | string | Yes | The domain name to query |
server | string | No | The WHOIS server to query (TCP port 43). Defaults to TLD server if omitted. |
curl https://api.kubetools.net/whois \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"domain":"example.com","server":"whois.verisign-grs.com"}'{
"domain": "example.com",
"server": "whois.verisign-grs.com",
"queryTime": "42ms",
"timestamp": ""
}Port Scanner
Probes all specified ports on the target host using concurrent TCP dial attempts. `preset` takes precedence over a custom `ports` spec when both are provided. When neither is supplied the scan defaults to the `common` preset. **Port spec syntax** (`ports` field): comma-separated ports and/or ranges, e.g. `'80,443,8080-8090'`. Each range may span at most 1 000 ports; the total scan is capped at 2 000 ports. **Presets:** | preset | ports included | |----------|----------------------------------------------------------------------| | `common` | 21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 1433, 1521, 3306, 3389, 5432, 5900, 6379, 8080, 8443, 8888, 9200, 27017 | | `web` | 80, 443, 3000, 4000, 4200, 5000, 5173, 8000, 8080, 8443, 8888, 9000, 9200, 9443 | | `db` | 1433, 1521, 3306, 5432, 5984, 6379, 7474, 8529, 9042, 27017, 27018 | | `mail` | 25, 110, 143, 465, 587, 993, 995, 2525 |
/portscan scanPortsParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
host | string | Yes | Hostname or IP address to scan. Hostnames are resolved to IPv4 preferentially; the resolved IP is returned in the response. |
ports | string | No | Custom port specification. Comma-separated port numbers and/or ranges, e.g. `"80,443,8080-8090"`. Each individual range may span at most 1 000 ports. The total scan is silently capped at 2 000 ports. Ignored when `preset` is any value other than `common` (or omitted). |
preset | "common", "web", "db", "mail" | No | Named port preset. Takes precedence over a custom `ports` value. Defaults to `common` when neither `preset` nor `ports` is provided. | value | ports scanned | |----------|---------------| | `common` | 25 well-known ports (FTP, SSH, HTTP/S, databases, etc.) | | `web` | HTTP/S and common dev-server ports | | `db` | Common database engine ports | | `mail` | SMTP, POP3, IMAP and submission variants | |
concurrency | integer | No | Number of simultaneous TCP dial goroutines. Defaults to 100 when omitted or ≤ 0. Default: 100 |
dialTimeoutMs | integer | No | Per-port TCP connection timeout in milliseconds. Defaults to 2 000 ms (2 s) when omitted or 0. Default: 2000 |
totalTimeoutMs | integer | No | Hard cap on the entire scan duration in milliseconds. Defaults to 60 000 ms (60 s) when omitted or 0. Ports not yet probed when the deadline fires are marked `filtered`. Default: 60000 |
curl https://api.kubetools.net/portscan \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"host":"example.com"}'{
"host": "example.com",
"ports": [
{
"port": 443,
"proto": "tcp",
"state": "open"
}
],
"openCount": 2,
"durationMs": 4321.7
}Latency
Performs `count` sequential HTTP requests to the given URL and returns per-run timings broken down by phase, plus aggregate statistics (min, max, mean, median) across all runs.
/latency checkLatencyParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
url | string | Yes | The URL to check. Must include scheme (http or https). |
count | integer | No | Number of sequential requests to perform. Defaults to 3. Max 20. Default: 3 |
timeoutMs | integer | No | Per-request timeout in milliseconds. Defaults to 10000 (10s). Default: 10000 |
disableRedirects | boolean | No | Whether to disable HTTP redirect following. Defaults to false (redirects are followed). Default: false |
method | "GET", "HEAD", "POST" | No | HTTP method to use. Defaults to GET. Default: GET |
curl https://api.kubetools.net/latency \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com","count":5,"timeoutMs":10000}'{
"url": "https://example.com",
"resolved_ip": "93.184.216.34",
"runs": [
{
"run": 1,
"timings": {
"dns": 12.4,
"tcp_connect": 18.7,
"tls_handshake": 45.2,
"TTFB": 98.3,
"content_transfer": 8.1,
"total": 182.7
},
"status_code": 200,
"success": false
}
],
"timestamp": ""
}SSL / TLS
Connects to the given host, performs a TLS handshake, and returns the full certificate chain with connection details. Even if the handshake fails (expired cert, untrusted CA), certificate details are returned so the broken chain can be inspected.
/ssl checkSSLParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
host | string | Yes | Hostname or IP address to inspect |
port | integer | No | TCP port to connect to. Defaults to 443 if omitted or 0. |
timeoutMs | integer | No | Full connection + handshake timeout in milliseconds. Defaults to 10000 (10s). |
skipVerify | boolean | No | Skip chain verification but still return cert details. Useful for inspecting self-signed or expired certificates. Default: false |
serverName | string | No | Override the SNI hostname sent during the TLS handshake. Defaults to `host` if omitted. |
curl https://api.kubetools.net/ssl \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"host":"example.com","port":443,"timeout_ms":5000,"skip_verify":false}'{
"host": "example.com",
"port": 443,
"queryTime": "142ms",
"timestamp": "",
"connection": {
"version": "TLS 1.0",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"serverName": "example.com"
},
"chain": [
{
"chainRole": "leaf",
"isCA": false,
"isSelfSigned": false,
"notBefore": "",
"notAfter": "",
"status": "VALID",
"key": {
"type": "RSA"
},
"signatureAlgorithm": "SHA256-RSA",
"serialNumber": "03:48:AC:3E:79:5C:58:E4:53:5B:2B:8D:DC:52:1F:2D",
"fingerprint": {
"sha1": "2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:62:FE:72:86:F9:A7:6A:05:31",
"sha256": "3C:4B:B4:80:43:75:57:5A:49:2D:4E:5A:43:44:2D:55:59:53:B1:9A:E7:44:92:47:88:5A:EB:5B:AA:78:2A:CC"
}
}
],
"chainComplete": false,
"chainValid": false,
"status": "VALID"
}Tech Stack
Fetches the given URL and returns a list of detected technologies. Returns HTTP 502 if the target URL could not be fetched.
/techstack analyzeTechStackParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
url | string | Yes | The URL to analyze. Must start with http:// or https://. If the scheme is omitted, https:// is assumed. |
timeoutMs | integer | No | HTTP fetch timeout in milliseconds. Defaults to 15 000 ms (15 s) when omitted or 0. |
maxBodyBytes | integer | No | Maximum number of response body bytes to read. Defaults to 524 288 (512 KB) when omitted or 0. |
userAgent | string | No | User-Agent header sent with the request. Defaults to a Chrome-like UA when omitted. |
curl https://api.kubetools.net/techstack \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com"}'{
"url": "https://example.com",
"final_url": "https://www.example.com/",
"status_code": 200,
"tech": [
{
"name": "nginx",
"category": "server",
"confidence": "certain"
}
],
"duration_ms": 312.5
}Email Auth
Queries SPF, DKIM, DMARC, and MX records for the given domain and returns a composite health report. **Domain normalisation**: leading `@`, `http://`, `https://`, and any path component are stripped automatically before the lookup is performed. **DKIM selector**: DKIM is checked at `<selector>._domainkey.<domain>`. Defaults to `'default'` when omitted. Use `dkim_selector` to probe a specific selector (e.g. `'google'`, `'s1'`, `'20230601'`). **Scoring** (0–100 → A–F): | Component | Max pts | |-----------|---------| | SPF | 30 | | DKIM | 25 | | DMARC | 35 | | PTR bonus | +10 | | DNSBL penalty | −10 | Score thresholds: A ≥ 90, B ≥ 75, C ≥ 55, D ≥ 35, F < 35.
/email emailAuthParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
domain | string | Yes | Domain to check (e.g. `example.com`). Leading `@`, `http://`, `https://`, and any URL path component are stripped before lookup. |
dkimSelector | string | No | DKIM selector to probe at `<selector>._domainkey.<domain>`. Defaults to `"default"` when omitted or blank. Default: default |
timeoutMs | integer | No | Per-DNS-lookup timeout in milliseconds. Defaults to 5 000 ms (5 s) when omitted or 0. Default: 5000 |
curl https://api.kubetools.net/email \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"domain":"example.com"}'{
"domain": "example.com",
"SPF": {
"present": true,
"lookupCount": 3,
"grade": "pass"
},
"DKIM": {
"present": true,
"selector": "default",
"revoked": false,
"grade": "pass"
},
"DMARC": {
"present": true,
"pct": 100,
"grade": "pass"
},
"MX": {
"PTRGrade": "pass",
"DNSBLGrade": "pass"
},
"score": 82,
"grade": "B",
"summary": [
"DMARC policy is 'none' — reports are collected but spoofed mail is not blocked"
]
}