What's the Big Deal about New Domains?

By Joe St Sauver, Distinguished Scientist/Director of Research for Farsight Security, Inc.

One of the areas that Farsight Security, Inc., (FSI) has chosen to focus on is newly observed domain names. You might wonder, "Sheesh, why anyone would bother paying attention to new domain names? People create new domain names all the time, right?" It's true. Anyone can create new domain names – you may even have purchased some of your own. However, as we'll see, most new domains aren't created by well-meaning people. As FSI's own CEO, Dr. Paul Vixie observed in his CircleID article, "Taking Back the DNS:"

"Most new domain names are malicious.
I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse."

The Value Proposition Behind Tracking New Domain Names

If most newly created domain names are "dreck or worse," why track them? Well, if you could quickly and reliably tell that a domain name you're seeing is new, you might simply decide to wait a bit before accepting traffic from a server using that new name.

Waiting a few hours (or even a whole day) before talking to a new domain is of little consequence if that domain is legitimate, but waiting a day (or even just a few hours) can make a huge difference when it comes to dealing with a domain that's malicious. To understand why, remember that the bad guys count on being able to quickly create a new domain, immediately begin to misuse/abuse it, and then repeat the process as needed. This approach lets at least some bad guys stay one step ahead of the good guys, routinely hopping from one new malicious domain to another one. If you temporarily block access to their new domains, you can automatically avoid a lot of risk with very little in the way of collateral damage.

Why are the Bad Guys in Such a Continual Hurry? Why Do They Constantly Need New Domain Names?

Cyber security is often framed as a "race" between the attackers and the defenders, with the bad guys trying to do their deviltry before the good guys can react. This tends to be particularly true for domain names. This is because:

  1. The domain name may have been purchased using a stolen credit card. Because investigators routinely "follow the money" to learn the identity of a cybercriminal, bad guys normally won't buy domain names using their own credit cards (bad guys understand that it would be easy to go from a bad domain name, to the credit card used to purchase it, to the card holder's real world identity), preferring to use someone else's (stolen) credit card, instead. Of course, once that stolen credit card gets detected, any domain name purchased with that card will quickly get suspended by their registrar.
  2. The domain name may have bogus whois data, including an invalid email address. Investigators will also routinely investigate the point of contact information provided when registering a domain. Cybercriminals know that. Knowing that, they're normally not dumb enough to register malicious domains with their own name and address information. On the other hand, if a cybercriminal proceeds to register a domain with fictitious contact information, and that's discovered, the registrar must suspend the domain name. This means that using bogus domain name point of contact information is yet another factor driving constantly changing cybercriminal domain name usage.
  3. Anti-spam/anti-phishing companies may also be hot on the abuser's trail. If blocklisting organizations can identify a domain that's being abused, they'll quickly block list it. The most heavily abused domains are often the top priority for blocking. Using multiple domain names may help keep an single spamvertised domain name from looking too prominent (e.g., by spreading the traffic load across many domains and thereby helping the spammer to try to "fly under the radar"); when those domains end up blocked nonetheless, still more domains are required.
  4. Law enforcement officers may have opened a case. Criminals may have the mistaken belief that by simply shuffling their misbehavior over to a new domain name, an ongoing investigation can be derailed, or at least substantially complicated.

All of these factors and more drive a typical miscreant to go through domain names the way most of us might eat bridge mix. Let's look at data publicly shared by Mr. Joe Wein, a leading anti-spammer, to see a concrete example of this phenomena.

Joe Wein's Domain Blocklist Entries

Joe Wein is the creator of the Microsoft WindowsTM anti-spam package jwSpamSpy and a major contributor of domain data to the popular and widely-trusted SURBL domain blocklist. Unlike many other anti-spammers, Mr. Wein offers a public web page with a list of domains that he's recently blocklisted, complete with details about the date when those domains were registered, and the dates when those domains were blocklisted by him. He had 41,071 domains on that page when we recently retrieved it, representing domains blocklisted by him over the last 30 days. With that data, we can see the time that passed between those domains getting registered, and those domains getting blocklisted by Mr. Wein. If a domain was registered by a spammer and then blocklisted by Mr. Wein on the same day, the delay would be zero days. If a spammer registered a domain one day, and that domain was blocklisted by Mr. Wein the next day, the delay would be one day, and so forth. We can see the distribution of delays for Joe Wein's data in the following graph.

blocklist graph

Farsight Security® Newly Observed Domain (NOD) Product

Let's now talk a little about Farsight Security's actual NOD product. NOD is generated from Security Information Exchange (SIE) Channel 212. Channel 212 contains newly active base domain names (these are domain names that have NEVER been seen by a Farsight sensor node (since DNSDB started in June 2010)). Channel 212 has a volume of roughly 50,000 domains/day.

The 50,000 domains/day on channel 212 is quite a tractable number of domains, and if anything, may actually seem like a surprisingly small number. However, consider that over the last five years, Farsight has already seen most domains that are in use. The remaining ~50,000 domains/day represent either genuinely brand new domains (not surprising, given the creation of many new gTLDs recently by ICANN), or domains that have been around for a while, but which have somehow managed to elude Farsight's 450+ Passive DNS sensors nodes till now.

NOD data products are derived from channel 212, and are normally distributed to subscribers either via rsync on a minute-by-minute basis (used for blocking email in conjunction with rbldnsd), or via incremental zone transfers (IXFR) for use in temporarily blocking all network access to the new domains via BIND.

Farsight Security's NOD Focuses on the First 24 Hours of Actual Usage

One point that sometimes confuses people when they hear about NOD is the short duration of time it focuses on. Can blocking domains for just a day or less really make a difference? Yes! To understand why, remember:

  • Obviously, there's no particular need to worry about a domain name before it's actually in use.
  • After 24 hours (or even less), any aggressively-misused domain name will have become so widely and persistently blocklisted (based on its actually-observed misuse) as to be effectively unusable forever. It's the brief day-long-or-less period "in-between" while people are figuring out what's up when NOD delivers critical "bridge" protection for its subscribers.

Subscribers using NOD get to decide if they want to block/ignore new domains for periods ranging from five minutes to 24 hours, as represented by coded values incorporated in the rbldnsd-format and RPZ-format files:

  • 127.0.0.2 0-5 minutes
  • 127.0.0.3 5-10 minutes
  • 127.0.0.4 10-30 minutes
  • 127.0.0.5 30-60 minutes
  • 127.0.0.6 1-3 hours
  • 127.0.0.7 3-12 hours
  • 127.0.0.8 12-24 hours
  • NXDOMAIN domain name not in the NOD database

Exact domain observation time data is also available, for those who may want to use a custom time interval.

For more information about subscribing to NOD, visit our NOD Solutions page.

Want to learn more?

Protect against cybercriminal activity in real-time.

Request a free demo
Bilin