2021-06-28: API Update - v2 RIOT Additional Key

Update to v2 RIOT API Endpoint

An update has been pushed to the v2 RIOT endpoint to now include a string response for "trust_level" in addition to the existing keys. The updated response from the endpoint is now:

  "category": "public_dns",
  "description": "Google's global domain name system (DNS) resolution service.",
  "explanation": "Public DNS services are used as alternatives to ISP's name servers. You may see devices on your network communicating with Google Public DNS over port 53/TCP or 53/UDP to resolve DNS lookups.",
  "ip": "",
  "last_updated": "2021-06-28T13:55:46Z",
  "logo_url": "",
  "name": "Google Public DNS",
  "reference": "",
  "riot": true,
  "trust_level": "1"

Trust Levels help to indicate benign confidence.

trust_level 1:
The RIOT data resource is conclusive. GreyNoise has high confidence the data extracted by RIOT data resource is reliable and a confident attribution to the target entity.


  • Zoom: Directly declared as being required to use Zoom
  • Google: Google clearly owns and operates this such that data coming from these IPs are attributable to Google

trust_level 2:
The RIOT data resource may not have a direct attribution to the internet actor. A trust_level 2 is given to a subset of a data resource that is known to lease their IPs to other entities.


  • Cloudflare: While necessary for large portions of the internet to function properly, these are not easily attributable. This is something, as an admin, you may not have a choice to block because it will prevent a significant portion of normal internet usage