SecurityTrails, WhoisXML API, DomainTools, Shodan, and DomScan all answer questions about domains or the infrastructure behind them. They do not answer the same questions in the same way. A useful comparison has to separate registration data, current DNS, historical observations, exposed services, risk signals, and monitoring instead of folding all of them into one score.
This review is based on first-party product pages, API documentation, pricing pages, and DomScan's production OpenAPI contract checked on July 10, 2026. Vendor-published database sizes are identified as vendor figures. This is not an independent latency, accuracy, or coverage benchmark, and DomScan publishes the article. Those limits matter because a provider can document an endpoint without proving that it returns the best result for your domains.
How the providers differ
The shortest honest summary is that each product has a different center of gravity. SecurityTrails exposes domain, DNS, WHOIS, IP, and company data. WhoisXML API sells a large catalog of lookup APIs, research tools, and downloadable datasets. DomainTools builds investigation and enrichment products around registration, DNS, SSL, risk, and infrastructure relationships. Shodan indexes internet-facing services and also exposes DNS domain data. DomScan groups many smaller domain checks behind one credit system and API contract.
SecurityTrails
The SecurityTrails API overview describes read-only JSON APIs for IP, DNS, WHOIS, and company information. Its official examples include current domain search, current WHOIS search, IP statistics, and historical DNS queries. That makes SecurityTrails relevant when the job involves relationships between domains and infrastructure or changes in DNS records over time.
SecurityTrails documents monthly quotas for every API subscription level, per-account request throttles, HTTP 429 after quota exhaustion, and optional auto-billing. Its public documentation does not support the old claim that a particular plan starts at a fixed dollar amount. Buyers should get the current allowance and price from the vendor, then test the specific current and historical endpoints they need.
WhoisXML API
WhoisXML API is a catalog rather than one uniform API. Its products include current WHOIS, WHOIS history, reverse WHOIS, DNS history, subdomain lookup, IP and threat data, research tools, and database downloads. The company's WHOIS overview says it queries both WHOIS and RDAP, updates WHOIS information daily, and serves XML or JSON. It also reports 28.7 billion historical WHOIS records and coverage across 7,596 or more TLDs, ccTLDs, and second-level suffixes. Those are vendor-published figures, not measurements made for this article.
The product split affects integration and billing. The WHOIS API pricing page lists query packages, while the Domain Research Suite uses DRS credits for some products. On the pages checked for this review, one Subdomains Lookup API request cost 10 DRS credits and one WHOIS History API request cost 50 DRS credits. A credit therefore does not represent one interchangeable lookup across the catalog. Estimate each endpoint separately.
DomainTools
DomainTools is aimed at investigation, enrichment, and monitoring. Iris Investigate combines domain registration data, DNS, SSL, infrastructure links, and Domain Risk Score in a pivoting interface. Its corresponding API returns dozens of attributes and supports searches across identity, IP, nameserver, mail server, SSL certificate, and related fields. The broader technical documentation also covers current WHOIS and RDAP, WHOIS history, passive DNS through Farsight DNSDB, threat feeds, and monitor APIs.
That scope is a better reason to consider DomainTools than the old claim that its API is secondary to the user interface. The product site points buyers to enterprise membership packages, pricing contacts, and a demo rather than publishing the five-figure annual price previously asserted here. Without a written quote, an exact DomainTools budget would be speculation.
Shodan
Shodan starts with hosts and services exposed to the internet. Its REST API searches collected service banners, returns information for an IP, manages monitored assets, and can request on-demand scans when the plan includes scan credits. The optional history flag on a host lookup can return historical banners. A separate streaming API publishes data as Shodan collects it, but Shodan limits that feed by subscription.
It would also be wrong to say Shodan has no meaningful domain or subdomain function. The documented `GET /dns/domain/{domain}` endpoint returns subdomains and DNS entries, accepts A, AAAA, CNAME, NS, SOA, MX, and TXT filters, and can include historical DNS data. It is still not equivalent to a domain-registration research platform. Choose Shodan when exposed ports, products, banners, vulnerabilities, or service history are part of the question, then verify whether its DNS endpoint covers the domain context you need.
DomScan
DomScan's production OpenAPI file exposed 112 paths and 118 operations when checked for this article. They cover availability, DNS, WHOIS and RDAP, certificates, email authentication, reputation, subdomain evidence, website technology, IP context, monitoring, and supporting operations. The count includes focused, bulk, history, and management paths. It should not be read as proof that DomScan has deeper data than a provider with fewer endpoints.
DomScan does not run every request against a fresh upstream source. DNS uses Cloudflare DNS-over-HTTPS. WHOIS can use RDAP and traditional WHOIS fallbacks and can return cached data. Subdomain discovery uses a sequential passive-source pipeline, supports cache-only polling, and reports whether a response is live, fresh cache, or stale cache. The subdomain endpoint does not brute-force names or crawl the target site, so its hostname evidence is best-effort and incomplete.
History is another clear boundary. DomScan's WHOIS history is an observation log built from qualifying fresh RDAP-backed lookups, not a global archive of past registrant records. DNS history is also lookup-driven and can miss changes between observations. The product changelog documents the rollout of these observation paths and broader caching. These endpoints can help a customer track what DomScan previously saw, but they are not substitutes for a long-running commercial WHOIS archive or passive DNS database.
Capability comparison
A feature checkbox hides too much. The useful questions are where the data came from, whether the endpoint returns current state or observations, what history means, and how the provider handles missing or redacted fields.
Registration and DNS data
- Current registration data: SecurityTrails, WhoisXML API, DomainTools, and DomScan document domain registration or WHOIS and RDAP capabilities. Shodan's documented REST API focuses on host and DNS information rather than an equivalent domain registrant lookup.
- Historical registration data: WhoisXML API and DomainTools sell established historical WHOIS products. SecurityTrails documents WHOIS and historical DNS data. DomScan's WHOIS history contains only qualifying observations made through its own lookup flow.
- Current DNS: all five products expose some DNS data, but the source and response differ. DomScan queries Cloudflare DNS-over-HTTPS. Shodan returns DNS records from its collected domain data. The other three expose current records from their data platforms.
- Historical DNS: SecurityTrails, WhoisXML API, DomainTools DNSDB, and Shodan document historical DNS capabilities. DomScan's beta DNS history records selected results from customer-triggered lookups and does not consume an internet-wide passive DNS feed.
- Subdomains: all five have a way to return subdomain or hostname data. None of those endpoints should be treated as an exhaustive inventory without a benchmark against domains you control.
Security and infrastructure context
- Exposed services: Shodan documents host banner search, optional banner history, monitored assets, and on-demand scanning. This is a different dataset from WHOIS or passive hostname evidence.
- Investigation and risk: DomainTools documents Iris pivots, Domain Risk Score, threat feeds, and integrations. WhoisXML API has separate threat intelligence products. SecurityTrails exposes infrastructure relationships that can feed security workflows.
- Email authentication: DomScan has a dedicated endpoint for DMARC, SPF, DKIM, MTA-STS, TLS-RPT, and recursive SPF lookup behavior. This comparison did not find an equivalent single endpoint in the official API references reviewed for the other four providers.
- Website technology: DomScan documents a technology endpoint for CMS, frameworks, analytics, and CDN signals. Shodan can expose software and HTTP banner details for observed services, which is related but not the same response model.
- Certificates: DomainTools Iris includes SSL attributes, Shodan stores SSL details in service banners, WhoisXML API offers SSL products, and DomScan has certificate and deeper TLS operations. Check whether a response is a handshake, collected observation, database record, or cached scan.
Pricing without made-up ranges
The previous version of this article converted unlike products into monthly dollar bands and assigned DomainTools a starting annual price without a current quote. That looked convenient and was not defensible. Pricing should be compared through the unit each vendor actually sells: queries, product credits, monthly quotas, monitored assets, scan credits, seats, data feeds, or an enterprise contract.
What the public pricing pages show
- SecurityTrails: the API documentation says every subscription level has a monthly quota, accounts have per-second rate limits, quota exhaustion returns HTTP 429, and auto-billing can add capacity. Confirm the current plan price and included endpoints with SecurityTrails.
- WhoisXML API: pricing is product-specific. Current WHOIS uses query packages, while several research APIs use DRS credits. On July 10, 2026, the public pages listed 10 DRS credits for a Subdomains Lookup API request and 50 DRS credits for a WHOIS History API request.
- DomainTools: the product site advertises enterprise membership packages, a pricing contact, and a requested demo. This review found no public amount that supports a reliable annual starting price for Iris Investigate.
- Shodan: credits depend on the plan. The API guide says one domain page uses one query credit, one IP scan uses one scan credit, and credits reset monthly. Checkout requires sign-in, so old membership prices are not current API quotes.
- DomScan: the public pricing documentation lists 10,000 free credits per month and packs starting at EUR 9 for 50,000 credits. It also publishes the cost of each endpoint. On the date reviewed, DNS cost 1 credit, WHOIS cost 2, and subdomain discovery cost 3.
Even published units need context. A Shodan query credit can cover a page of domain information or a block of search results, while a WhoisXML API DRS credit has different purchasing power across products. DomScan bulk operations use the same per-item credit cost as individual calls. Build a spreadsheet from your actual endpoint mix rather than multiplying one headline rate by total requests.
Freshness is not one setting
Calling one provider real-time and another cached is usually too crude. A single response can combine current upstream data, a recursive DNS cache, a vendor database, a previous scan, and locally cached enrichment. Historical products must store observations by definition. Current lookup products may still cache data to control latency, upstream rate limits, and repeated work.
Live, cached, and observed data
- Ask for source metadata. A result marked current is more useful when it also identifies RDAP, WHOIS, a recursive DNS resolver, passive DNS, a scan timestamp, or a cache hit.
- Read the field timestamps. A response generated now can contain a certificate, banner, WHOIS record, or DNS observation collected earlier.
- Check cache controls and bypass options. DomScan has endpoint-specific caching and does not promise that every response is live. SecurityTrails recommends customer-side caching and documents quotas that affect repeated requests.
- Define history before comparing it. DomainTools and WhoisXML API sell historical datasets collected over years. DomScan's WHOIS and DNS history describe observations created through DomScan lookups. Shodan's host and DNS history come from Shodan's own collection.
- Expect privacy and source gaps. Registration data can be redacted, registries vary, passive sources miss assets, and an internet scan may not observe a service that was offline or filtered.
Accuracy means testing outputs
RFC 1035 defines the core DNS message and classic record behavior. RDAP improves registration-data structure, but it does not remove source differences. RFC 9082 defines RDAP queries, RFC 9083 defines JSON responses, and RFC 9224 describes how a client finds the authoritative service. Providers still have to select sources, normalize statuses and dates, handle redaction, and decide when to fall back to traditional WHOIS.
The same caution applies to DNS and subdomains. A recursive resolver may serve a valid cached answer according to TTL. A passive database may know an old hostname that no longer resolves. An optional DNS verification step can confirm that a returned A or CNAME resolves now, but it cannot prove that the discovery set contains every hostname. Accuracy is field-specific, not a single percentage for the provider.
Choosing by workload
- For domain and infrastructure pivots, compare SecurityTrails and DomainTools against the searches your analysts already perform. DomainTools also provides risk and investigation workflows; SecurityTrails exposes domain, DNS, WHOIS, IP, and company data through read-only APIs.
- For historical WHOIS or product-specific downloadable data, evaluate WhoisXML API and DomainTools. Compare privacy filtering, dates, export rights, update cadence, and the query cost of the exact historical product.
- For exposed services, banners, monitored IPs, or on-demand network scans, evaluate Shodan. Its DNS domain endpoint can add context, but it does not turn Shodan into a replacement for every registration-data workflow.
- For a broad set of smaller domain checks under one published credit table, evaluate DomScan. Account for its limited lookup-driven history, endpoint-specific caches, best-effort subdomain coverage, and reliance on upstream services.
- For workloads spanning historical ownership, current DNS, and exposed services, two providers may be appropriate. Choose that architecture only after confirming that the second source adds data you cannot obtain from the first.
A practical evaluation
- Build a sample that includes domains you control, recently changed DNS, privacy-redacted registration records, IDNs, ccTLDs, CDN-fronted sites, and inactive hosts.
- Record each returned field, source label, observation timestamp, cache state, HTTP status, and missing value. Do not collapse the result into a single pass or fail score.
- Exercise pagination, rate limits, quota exhaustion, timeouts, invalid domains, and partial upstream failures before the integration reaches production.
- Price the exact calls in the test. Include historical queries, pages of results, scans, monitored assets, seats, exports, and overage behavior where they apply.
- Repeat the sample later. One run can show parsing and field coverage, but it cannot establish how quickly a provider notices a change.
There is no defensible universal winner in this group. The products collect different evidence, sell access in different units, and expose different failure modes. A small, repeatable evaluation against your own domains will tell you more than a table full of unsourced checkmarks.
To inspect DomScan on the same terms, start with the production OpenAPI contract and credit table. Test the WHOIS lookup, DNS API, or Subdomain Finder API, and keep the source, cache, and coverage limitations in the result.