How Many "Parts" (or "Labels") Does A Domain Name Typically Have?

← Blog Home

RSS

By

How Many “Parts” (or “Labels”) Does A Domain Name Typically Have?

I. Introduction

Domain names can be thought of as a series of “labels” or “parts” or “chunks” separated with dots.

We’re all familiar with domain names that have three labels, such as www.example.com.

It’s also not unusual to find domain names that have just two labels (such as uoregon.edu) or an “extra” label (as in www.matse.illinois.edu).

But what does the distribution of domain names really look like? Are there domains with more than four labels? More than ten? What does that distribution look like? We decided to look at a day’s worth of data from DNSDB and find out.

II. The Dataset

We arbitrarily selected June 28th, 2017 for this study. The DNSDB Export MTBL file for that date, dns.20170628.D.mtbl, is a medium-sized file, at 31,626,779,104 bytes. That mtbl file is in a compact binary format, but can be exported into a more-convenient text format for simple analyses.

We processed that file with the command pipeline:

$ dnstable_dump -r /export/dnstable/mtbl/dns.20170628.D.mtbl | grep -v ";;" | grep -v "^$" | grep -v ".in.addr." | grep -v ".ip6.arpa." | awk '{print $1}' > rrnames.txt

That command string dumps the rrnames (domain names) from the specified mtbl file, removing any:

-- comment lines (";;") 
-- blank lines ("^$")
-- IPv4 inverse adress records (".in.addr.") and
-- IPv6 inverse address records (".ip6.arpa."). 

We then save the resource record names into a temporary file as a first step.

Once that job finished, we had a list of unsorted resource record names in rrnames.txt, including potentially many duplicate domain names. To eliminate duplicates, we sorted and uniq’d those names:

$ sort -u < rrnames.txt > uniq-rrnames.txt

We then counted the number of “dots” per unique name, outputting one “dot count” per record. Conveniently, because each names end in a trailing dot, a name with two labels will also have two dots, a name with three parts will have three dots, etc. We then counted those dots by saying:

$ sed 's/[^\.]//g' < uniq-rrnames.txt | awk '{ print length }' > rrname-uniq-dot-count.txt

We then sorted the dot counts in descending order by observed frequency of occurrence. Generally, this followed the length of the domain, but in a couple of cases we had to move things around manually to get them in ascending order by label count.

$ sort rrname-uniq-dot-count.txt | uniq -c | sort -nr > rrname-uniq-dot-count-tops.txt

III. The Distribution of Label Counts

The number of unique RRnames with labels can be see in Figure 1. When reviewing Figure 1, note that this graph has log-linear axes.

Figure 1.

Unique RRnames with <N>Labels/Name

Summarizing that graph, 99.98% of all unique RRnames seen have 10 or fewer labels, and 78.36% have just 1, 2 or 3 labels:

Table 1.

Count        # of Labels       % obs     Cum %
----------------------------------------------
1,535        1                 0.00%     0.00%
96,557,627   2                41.48%    41.48%
85,837,909   3                36.88%    78.36%
22,353,662   4                 9.60%    87.97%
16,056,670   5                 6.90%    94.86%
3,094,765    6                 1.33%    96.19%
6,560,952    7                 2.82%    99.01%
1,783,962    8                 0.77%    99.78%
193,365      9                 0.08%    99.86%
279,332      10                0.12%    99.98%

The full raw data associated with this graph can be seen in Appendix I to this article.

IV. The Odd Case Of RRnames with N=30 Labels

The “bulge” at N=30 labels in the graph is obviously noteworthy.

We pulled relevant observations from the raw data with the command:

$ egrep '^([^\.]*\.){30}$' uniq-rrnames.txt > 30-dots.txt

Checking the results, there really are thousands of rrnames with 30 part labels.

Some “defanged” examples:

0.68.106.66.73_-.data_-.03ef31fef90f266f_-.r5---sn-5ualdn7l.gvt1.com_-.edgedl_-.release2_-.aj7czeerus1-_-.59.0.3071.115_58.0.3029.110_chrome_updater.exe.58af.un-6a4b.v3.url.zvelo.com.ecc-untangle.ecc-clinic[dot]org.

0.68.106.66.73_-.data_-.03ef32f2a1e6db82_-.r5---sn-5ualdn7l.gvt1.com_-.edgedl_-.release2_-.aj7czeerus1-_-.59.0.3071.115_58.0.3029.110_chrome_updater.exe.58af.un-6a4b.v3.url.zvelo.com.ecc-untangle.ecc-clinic[dot]org.

0.68.106.66.73_-.data_-.03ef32f76cb086af_-.r5---sn-5ualdn7l.gvt1.com_-.edgedl_-.release2_-.aj7czeerus1-_-.59.0.3071.115_58.0.3029.110_chrome_updater.exe.58af.un-6a4b.v3.url.zvelo.com.ecc-untangle.ecc-clinic[dot]org.

paypal.com.us.webapps.mpp.home.signin.country.x.us.locale.x.en.us.mpp.account.selection.customer.personal.account.info.privacy.legal.contact.home.request.form-check.com.yandex[dot]ru.

Long names similar to these are sometimes used to confuse users and potentially lure them into visiting a malware-dropping or phishing site.

Other names looked like:

daewoo.daewoo.daewoo.daihatsu.daihatsu.daihatsu.daihatsu.daihatsu.daihatsu.bmw.suzuki.bmw.bmw.bmw.bmw.subaru.subaru.subaru.subaru.subaru.subaru.subaru.bmw.bmw.bmw.bmw.test.auto.testquelle[dot]de.

daewoo.daewoo.jeep.jeep.jeep.jeep.daewoo.rover.rover.rover.rover.nissan.nissan.nissan.daewoo.daewoo.daewoo.daewoo.daewoo.daewoo.daihatsu.suzuki.suzuki.suzuki.suzuki.subaru.test.staubsauger.testquelle[dot]de.

daewoo.daewoo.rover.rover.rover.rover.rover.rover.rover.rover.donkervoort.donkervoort.rover.rover.rover.rover.rover.rover.rover.rover.audi.audi.audi.audi.audi.lexus.lexus.donkervoort.was-tun-bei-motorschaden[dot]de.

These names may have been crafted in this format in a misguided attempt at improving search engine rankings.

V. Conclusion

You now know a bit more about how many labels typically make up a domain name on the Internet, and you may be able to see how you could use DNSDB Export datasets to explore DNS-related questions of your own. Please contact Farsight Sales at sales@farsightsecurity.com or visit https://www.farsightsecurity.com/order-services/ for more information about obtaining access to DNSDB Export datasets.

Appendix 1. Raw Data

Frequency     # of Labels
1,535         1
96,557,627    2
85,837,909    3
22,353,662    4
16056670      5
3094765       6
6560952       7
1783962       8
193365        9
279332        10
7994          11
4039          12
6590          13
2378          14
2248          15
1426          16
859           17
679           18
555           19
616           20
500           21
520           22
419           23
336           24
393           25
552           26
342           27
214           28
779           29
6997          30
191           31
169           32
162           33
154           34
168           35
151           36
109           37
108           38
88            39
91            40
72            41
63            42
57            43
57            44
50            45
44            46
44            47
43            48
42            49
40            50
38            51
38            52
38            53
39            54
36            55
35            56
37            57
32            58
33            59
29            60
24            61
15            62
10            63
1             64
2             67
1             70
1             71
1             72
1             79

Joe St Sauver Ph.D. is a Scientist for Farsight Security, Inc.

← Blog Home

Protect against cybercriminal activity in real-time.

Request demo

Email: sales@farsightsecurity.com Phone: +1-650-489-7919