Spamhaus Technology and abuse.ch Logo
Solutions
Data
Email & Network
Cyber Threat Intelligence
Resources
About
Back to Previous Page

Blog

MCP for AI Agents

Posted on
July 08, 2026
Author
The Deteqtive Team
Read time
3 mins

Introduction

Introduction

Give your AI agents direct access to passive DNS intelligence. Over the Model Context Protocol (MCP), an agent can investigate domains and IP addresses — for phishing, brand abuse, and malicious infrastructure — and pivot through the results on its own, with no glue code to maintain.

The Passive DNS MCP server is live and hosted — there's nothing to install or run. Point an MCP-capable client at the endpoint, sign in with your Spamhaus account, and your agent can start querying.

The server

Endpointhttps://mcp.deteqtive.com/pdns/
TransportStreamable HTTP
AuthenticationOAuth — Spamhaus single sign-on

Authentication — Spamhaus SSO

Authentication is OAuth, against the same single sign-on you use for the Spamhaus portal. There's no API key to paste: the first time a client connects it opens your browser, you sign in to Spamhaus SSO and approve access, and the client receives a short-lived token that it refreshes automatically. The server validates that token on every request and uses it to authorise your queries.

What your agent can do

The server exposes three tools — the same capabilities behind the UI and the REST API:

ToolWhat it does
dns_rrsetForward lookup — the IPs and values a domain resolves to (every host in a zone)
dns_rdataReverse lookup — the domains that point to an IP, CIDR, or hostname
dns_statusAccount status — your rate limits and credit usage

dns_rrset supports several search modes, so an agent can ask questions like:

  • Enumerate a footprint (right match)"What hosts exist under example.com?"
  • Brand protection (word match)"Find domains containing paypal that aren't ours."
  • Lookalikes & typo-squats (fuzzy match)"Surface homoglyph and typo variants of acme.com."
  • Pivot in reverse"What other domains resolve to 198.51.100.20, or to this CIDR?"

Each answer is a starting point for the next pivot — see Pivoting through DNS for how this plays out in a real investigation.

Set it up

You'll connect a client once; after the browser sign-in it stays authenticated.

Claude Code (CLI)

Add the server with the http transport:

claude mcp add --transport http deteqtive-pdns https://mcp.deteqtive.com/pdns/

This registers the server for the current project directory only. The name (deteqtive-pdns above) is yours to choose.

Then run /mcp inside Claude Code to authenticate — a browser opens to Spamhaus SSO; sign in and approve. Check the connection any time with claude mcp list.

Claude Desktop

Add it as a custom connector:

  1. Settings → Connectors → Add custom connector.
  2. Name it Deteqtive Passive DNS and set the URL to https://mcp.deteqtive.com/pdns/.
  3. Save, then click Connect. Your browser opens to Spamhaus SSO — sign in and authorise.

The dns_rrset, dns_rdata and dns_status tools then appear in your chats.

Other MCP clients

Any client that supports remote (Streamable HTTP) MCP servers with OAuth can connect. Most use a JSON config like:

{
  "mcpServers": {
    "deteqtive-pdns": {
      "type": "http",
      "url": "https://mcp.deteqtive.com/pdns/"
    }
  }
}

The client runs the Spamhaus SSO sign-in on first use.

Clients that only support local (stdio) servers can bridge to the hosted endpoint with mcp-remote, which handles the browser OAuth and proxies the HTTP server over stdio:

{
  "mcpServers": {
    "deteqtive-pdns": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.deteqtive.com/pdns/"]
    }
  }
}

Troubleshooting

If queries start failing, have your agent call dns_status — it returns your current rate limits and credit usage, which usually explains it (you've hit the plan's quota, or you need to re-authenticate).