Prevent false positive malware alerts for web crawlers and scanners
Sinkholed domains are domains that were previously part of malware infrastructure (botnets, command & control servers, etc.) and have since been taken over by security researchers. When your crawler or scanner visits these domains, it may trigger false positive malware infection alerts from services like Shadowserver.
Add these domains and IPs to your blocklist to prevent your servers from being flagged.
Complete list of sinkholed domains. Block these in your crawler to avoid visiting malware infrastructure.
Download domains.txt
Known sinkhole IP addresses. Block outbound connections to these IPs at the firewall level.
Download ips.txt
Sinkhole nameserver patterns. Check WHOIS records for these to identify sinkholed domains.
Download nameservers.txt
Distribution of sinkholed domains by TLD:
All endpoints return JSON unless otherwise noted.
/api/stats
Statistics and TLD breakdown
/api/domains
All domains (JSON). Supports ?limit=100&offset=0&tld=in
/api/domains/txt
All domains (plain text, one per line)
/api/ips
Sinkhole IP addresses
/api/nameservers
Sinkhole nameserver patterns
Block sinkholed domains in your crawler:
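# Download and use with your crawler
# (-f makes curl fail on an HTTP error instead of saving the error page as the blocklist)
curl -fsS https://sinkhole.dom.to/api/domains/txt > sinkhole-blocklist.txt
# In your crawler config, skip domains in this list
# Or block the IPs at the firewall level:
curl -fsS https://sinkhole.dom.to/api/ips | jq -r '.ips[]' | while read -r ip; do
    # -C checks whether the rule already exists, so reruns do not add duplicates
    iptables -C OUTPUT -d "$ip" -j DROP 2>/dev/null || iptables -A OUTPUT -d "$ip" -j DROP
done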
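
One way to apply the "skip domains in this list" step inside a crawler, shown as an added example that is not code from this service. The function names and sample entries are constructed, and treating subdomains of a listed domain as blocked is an assumption rather than something the list format states.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data in the shapes the page describes: the text of
# /api/domains/txt (one domain per line) and the addresses from /api/ips.
SAMPLE_DOMAINS_TXT = """\
sinkholed-example.in
Old-C2.example.

"""
SAMPLE_IPS = ["192.0.2.10", "198.51.100.7"]


def load_domains(text):
    """Parse one-domain-per-line text into a normalized set."""
    domains = set()
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")  # case and trailing dot vary
        if name:
            domains.add(name)
    return domains


def load_ips(values):
    """Parse address strings so IPv4/IPv6 compare by value, not by spelling."""
    return {ipaddress.ip_address(v) for v in values}


def should_skip(url, domains, ips):
    """Return True if the crawler should not fetch this URL."""
    host = urlsplit(url).hostname  # lowercased; port and userinfo removed
    if not host:
        return False
    host = host.rstrip(".")
    try:
        return ipaddress.ip_address(host) in ips  # URL uses an IP literal
    except ValueError:
        pass  # not an IP literal, fall through to the domain check
    # Assumption: a listed domain also covers its subdomains, so test the
    # host and every parent suffix (a.b.example.in -> b.example.in -> in).
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))
```

Call should_skip() before a URL enters the fetch queue and again on every redirect target, since a redirect can lead to a listed host after the first check has passed.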