The DNS API supports MD5, SHA1, and SHA256 hashes and is designed for rapid lookups, much the same way as real-time blackhole list (RBL) lookups are done. Using DNS has the advantage of communicating over UDP and caching answers locally, so there is much less overhead on both the server and the client. There are two types of DNS queries you can perform:
The A query will give you a simplified answer. If your hash is considered malware, we will always return 127.0.0.2. If not, no answer will be returned, and the query's status will be set to NXDOMAIN.
The TXT query will give more verbose output, including a scan timestamp and our antivirus package detection rate, if your hash is considered malware in our registry. If it is not, no answer will be returned, and the query's status will be set to NXDOMAIN.
To query with DNS, prepend your hash to the hostname hash.cymru.com in a dig command.
The DNS API supports the following hash types: MD5, SHA1, and SHA256.
Note: because a single DNS label is limited to 63 octets, a 64-character SHA256 hash must be split into two 32-character labels, as in the last example below.
dig +short 8a62d103168974fba9c61edab336038c.hash.cymru.com TXT
# "[Unix Epoch] [AV Hit %]"
"1611956489 28"
dig +short 8a62d103168974fba9c61edab336038c.hash.cymru.com A
# positive result found
127.0.0.2
# SHA256: the 64-character hash is split into two 32-character labels
dig +short 9b573bc2555d8d35e4a2e927cc14217e.b112f0725cb4ebff4878976a229fde45.hash.cymru.com A
# positive result found
127.0.0.2
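The exchange the dig examples show, carried out end to end in code, as an added example that is not part of the original page and not Team Cymru's own client. It assumes only what the page states (the hash.cymru.com zone, the 127.0.0.2 answer, NXDOMAIN for unknown hashes, the "[Unix Epoch] [AV Hit %]" TXT payload, and the two-label SHA256 form); the function names, the stdlib UDP transport, the resolver address you pass to udp_sender(), and the constructed replies that offline_demo() feeds the client are this example's own assumptions.

```python
"""Added example, not Team Cymru's code: a stdlib-only client for the hash.cymru.com DNS API.
Zone, 127.0.0.2 and the "[Unix Epoch] [AV Hit %]" TXT format come from the page; all names
and the constructed offline replies are this example's own assumptions."""
import random, socket, struct, time

HASH_ZONE, MALWARE_A = "hash.cymru.com", "127.0.0.2"
QTYPE_A, QTYPE_TXT, RCODE_NXDOMAIN = 1, 16, 3

def query_name(hash_hex: str) -> str:
    """SHA256 (64 hex chars) is split into two 32-char labels: a DNS label holds at most 63 octets."""
    h = hash_hex.strip().lower()
    if len(h) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a hex MD5, SHA1 or SHA256 digest")
    return f"{h[:32]}.{h[32:]}.{HASH_ZONE}" if len(h) == 64 else f"{h}.{HASH_ZONE}"

def _skip_name(msg: bytes, pos: int) -> int:
    while True:  # advance past a possibly compressed name (RFC 1035 section 4.1.4)
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:  # two-octet compression pointer ends the name
            return pos + 2
        pos += 1 + n

def build_query(name: str, qtype: int, txid: int) -> bytes:
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    # header: id, flags (RD), QDCOUNT=1, other counts 0; then the single question
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def build_response(query: bytes, rcode: int, rdatas: list) -> bytes:
    # constructed reply in server wire format, so the example runs with no network
    txid, question = struct.unpack(">H", query[:2])[0], query[12:]
    qtype = struct.unpack(">H", question[-4:-2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(rdatas), 0, 0)
    # each RR's owner name is a pointer (0xC00C) back to the question name at offset 12
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, 300, len(r)) + r for r in rdatas)
    return header + question + rrs

def parse_response(msg: bytes, txid: int):  # -> (rcode, [(rtype, rdata), ...])
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    pos, answers = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", msg, pos)
        answers.append((rtype, msg[pos + 10:pos + 10 + rdlen]))
        pos += 10 + rdlen
    return flags & 0xF, answers

def decode_txt(rdata: bytes) -> str:
    out, pos = [], 0
    while pos < len(rdata):  # TXT RDATA: one or more <length><chars> strings, joined here
        out.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("ascii", "replace"))
        pos += 1 + rdata[pos]
    return "".join(out)

def parse_txt_answer(txt: str) -> dict:
    """Parse the "[Unix Epoch] [AV Hit %]" payload documented on the page."""
    fields = txt.strip().strip('"').split()
    if len(fields) != 2:
        raise ValueError(f"unexpected TXT payload: {txt!r}")
    epoch, pct = int(fields[0]), int(fields[1])
    return {"last_seen": epoch, "av_detect_pct": pct,
            "last_seen_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(epoch))}

def udp_sender(nameserver: str, timeout: float = 3.0):  # live transport: plain UDP/53
    def send(packet: bytes) -> bytes:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (nameserver, 53))
            return s.recv(4096)
    return send

def lookup(hash_hex: str, send) -> dict:
    """A query first; TXT only when the A answer marks the hash as known malware."""
    name = query_name(hash_hex)
    def ask(qtype):  # fresh random ID per query: the only spoofing defence plain DNS offers
        txid = random.randrange(65536)
        return parse_response(send(build_query(name, qtype, txid)), txid)
    rcode, answers = ask(QTYPE_A)
    addrs = [socket.inet_ntoa(r) for t, r in answers if t == QTYPE_A]
    if rcode == RCODE_NXDOMAIN or MALWARE_A not in addrs:
        return {"name": name, "malware": False}
    result = {"name": name, "malware": True}
    txts = [decode_txt(r) for t, r in ask(QTYPE_TXT)[1] if t == QTYPE_TXT]
    if txts:
        result.update(parse_txt_answer(txts[0]))
    return result

def offline_demo() -> dict:  # replay the page's sample MD5 against constructed replies
    def fake_send(packet: bytes) -> bytes:
        if struct.unpack(">H", packet[-4:-2])[0] == QTYPE_A:
            return build_response(packet, 0, [socket.inet_aton(MALWARE_A)])
        return build_response(packet, 0, [b"\x0d1611956489 28"])  # 13-byte TXT string matching the page
    return lookup("8a62d103168974fba9c61edab336038c", fake_send)
```

For a live query, pass a transport instead of the constructed one, for example lookup("8a62d103168974fba9c61edab336038c", udp_sender("127.0.0.53")) with your own resolver's address in place of the assumed one. Two caveats a practitioner should keep in mind: plain DNS answers are unauthenticated UDP, so the random transaction ID is the only check the client has against a spoofed reply, and NXDOMAIN means only that the registry has no record for that hash, not that the file is clean.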
Copyright © 2024 Team Cymru. All Rights Reserved.