
Newly Registered Domains vs. Newly Observed Domains vs. Newly Active Domains vs. Newly Observed Hostnames vs. DNS Changes: What Does "New" Mean?

By Joe St Sauver

1. Introduction

While new domains can be created for perfectly innocent purposes, the sad reality is that new domains are often created to facilitate nefarious activities. As a result, cybersecurity people often view new domains with suspicion, at least until their trustworthiness has been carefully scrutinized and found to be satisfactory.

Given that reality, there's been a lot of interest in four of Farsight's products:

  • Newly Observed Domains ("NOD")
  • Newly Observed Hostnames ("NOH")
  • Newly Active Domains ("NAD")
  • DNS Changes

But what's the difference between the four? And how do they differ from some of the "Newly Registered" domain products other security companies may tout? Let's get that last question out of the way first.

2. Dimension One: Newly Observed vs. Newly Registered Domains

The key difference between Farsight's NOD/NOH/NAD products and the "newly registered" products that some other vendors may offer is that Farsight focuses on what we've actually SEEN in LIVE DNS data from our sensor operators, NOT what may show up as "newly registered" in some once-a-day report from TLD operators. This is important for three reasons:

  • Handling The Intra-Day Get-and-Immediately-Abuse Case: Some cybercriminals have been known to register new domains and then IMMEDIATELY begin abusing them, attempting to leverage the period immediately after the domain goes live (but before newly registered domains are disclosed by the TLD operator in daily new domain reports). To understand this tactic, assume a bad guy intentionally registers a new domain for a nefarious scheme just minutes AFTER the daily report of new domains is released by that TLD's operator. Having done so, the bad guy can then proceed to use their newly registered domain with comparative impunity for nearly a full day, confident that their new domain won't be "disclosed" by the TLD operator until the next new domain daily report is released, nearly 24 hours later (that can be a LONG time to be allowed to do bad things if you're an alert bad guy).

    Because Farsight watches for new domains in live network traffic, we can alert subscribers to the existence of new domains as soon as they're seen, thereby allowing you to take steps to protect yourself from these "no-huddle-offense" domains immediately, not after nearly a day of abuse has already happened.

  • Handling Intentionally-Aged Domains: Other criminals may take a more subtle approach, registering new domains and letting their creation become a matter of public record, but refraining from doing anything at all with those domains until they've had time to "age." By taking this laissez faire approach, some cybercriminals may hope to avoid any hypothetical period of "hypervigilance" that may occur immediately after a new domain is announced in a TLD operator's report.

    Because Farsight WATCHES for domain USE rather than merely relying on domain CREATION reports, we don't care if a domain is created and then left completely dormant for months before it is eventually used – we pay attention to ALL domains when we initially see them used.

  • Handling Domains From TLDs That Don't Release Details About New Delegation Points: The final way that our "newly observed" domain products trump the "newly registered" domain products that others may offer relates to TLDs that don't release details about new delegation points at all. These "tight-lipped" TLDs simply never tell the world what domains have been newly registered. That policy translates to a dead end for sites that rely on lists of newly registered domains, but has no effect on Farsight's empirical, observation-based approach.

3. New Domains ("Delegation Points") vs. New Hostnames ("Fully Qualified Domain Names")

The next dimension to understand when thinking about all these "newly ____" products is: do they refer to effective second-level domains (aka "delegation points") or to hostnames (aka "Fully Qualified Domain Names," or FQDNs)? In Farsight's case, this is the difference between the following two things:

When a person or company purchases a domain from a registrar, the domain name they buy is technically known as a "delegation point" or "base domain name." [Technically, we track effective 2nd-level domains, as defined by the Public Suffix List (PSL).] For instance, the name example.com would be a "delegation point." That's what we track in NOD.

When a domain owner creates a name for a computer under that delegation point (such as www.example.com) that's often called a "hostname" or a "fully qualified domain name" ("FQDN"). That's what we track in NOH.

We offer feeds of BOTH newly seen domain names (NOD) and newly seen FQDNs (NOH) because different people have different data needs:

  • There are comparatively few newly observed domains (currently perhaps 2.5 newly observed base domains/second), but many new hostnames (currently perhaps 325 new FQDNs/second).

    Focusing just on new domains may represent an approachable way for new users to get started, sort of like "learning to paddle around the pool" before trying to "swim the English Channel."

  • On the other hand, sometimes you may just have no option but to focus on the "new FQDN firehose." This is the case when the base domain may appear to be totally innocuous, but – once you view the fully qualified domain name – it's inescapably clear that something bad is going on (for example, perhaps a new FQDN is intentionally and confusingly similar to a major bank's domain name).

  • It is also important to look at new FQDNs if you're interested in cyber criminals who are creating new hostnames under large free shared 2nd-level domain names. If you didn't look at FQDNs in that case, all the new hostnames created under a large shared 2nd-level domain name would be effectively invisible and impossible to monitor.
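To make the delegation-point vs. FQDN distinction concrete, here is an added example (not Farsight's code, and not the real NOD/NOH implementation) that reduces an observed FQDN to its effective 2nd-level domain using Public Suffix List style matching, then reports whether the base domain (NOD-style) or the hostname (NOH-style) is new. The rule list is a small constructed excerpt rather than the real PSL, and the observation sequence is constructed; the shared 2nd-level name "freehost.net" is deliberately left out of the rules to show why hostnames under such a domain only surface at the FQDN level.

```python
from __future__ import annotations

# CONSTRUCTED excerpt of Public Suffix List style rules (not the real PSL):
# plain rules, one wildcard rule ("*.ck") and one exception rule ("!www.ck").
# A free shared 2nd-level name such as "freehost.net" is deliberately NOT
# listed, so every hostname under it collapses to that one base domain.
PSL_RULES = ["com", "net", "org", "uk", "co.uk", "org.uk", "*.ck", "!www.ck"]


def _rule_matches(rule: str, labels: list[str]) -> bool:
    """True if a rule (possibly starting with a '*' label) matches the name's tail."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    tail = labels[-len(rule_labels):]
    return all(r == "*" or r == lbl for r, lbl in zip(rule_labels, tail))


def public_suffix(name: str) -> str:
    """PSL matching: an exception rule wins, otherwise the longest matching
    rule, otherwise the implicit '*' rule (the last label alone)."""
    labels = name.lower().rstrip(".").split(".")
    matches = [r for r in PSL_RULES if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        n = len(exceptions[0].lstrip("!").split(".")) - 1  # drop the exception's first label
    elif matches:
        n = max(len(r.split(".")) for r in matches)
    else:
        n = 1
    return ".".join(labels[-n:])


def delegation_point(name: str) -> str | None:
    """The public suffix plus one more label: the name a registrant buys.
    None when the name itself is a public suffix (nothing has been registered)."""
    labels = name.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(name).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


class NewNameTracker:
    """Remembers every base domain and every FQDN seen so far and reports
    which of the two is new for each observation (the NOD / NOH split)."""

    def __init__(self) -> None:
        self.seen_domains: set[str] = set()
        self.seen_fqdns: set[str] = set()

    def observe(self, fqdn: str) -> dict:
        fqdn = fqdn.lower().rstrip(".")
        base = delegation_point(fqdn)
        nod = base is not None and base not in self.seen_domains
        noh = fqdn not in self.seen_fqdns
        if base is not None:
            self.seen_domains.add(base)
        self.seen_fqdns.add(fqdn)
        return {"fqdn": fqdn, "domain": base, "nod": nod, "noh": noh}


def run_sample() -> list[dict]:
    """Feed a constructed sequence of sensor observations through the tracker."""
    observations = [
        "www.example.com",           # new domain AND new hostname
        "mail.example.com",          # known domain, new hostname
        "www.example.com",           # nothing new
        "phish.freehost.net",        # first name under a shared 2nd-level domain
        "phish2.freehost.net",       # NOD is silent here; only NOH catches it
        "evil-login.bigbank.co.uk",  # base domain is bigbank.co.uk, not co.uk
        "www.ck",                    # exception rule: www.ck is itself registrable
        "foo.bar.ck",                # wildcard rule: bar.ck is the public suffix
    ]
    tracker = NewNameTracker()
    return [tracker.observe(o) for o in observations]


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

The fourth and fifth observations are the point of the third bullet above: once "freehost.net" has been seen, nothing under it ever trips the base-domain check again, so a lookalike hostname created there is only visible in the FQDN stream.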

4. Newly Observed vs. Newly Active

We've talked about how some bad guys may attempt to "game the system" by creating a new domain and then letting it "age" for a while before first beginning to use/abuse it. Other bad guys may try other approaches, such as:

  • Re-registering and reviving "old" domains that used to be in routine use (but which have now lapsed), or
  • Abusing a domain for a while until it gets block listed, then letting it lie dormant until it gets "forgotten," then re-animating the domain and abusing it some more until it gets block listed again, then letting it lie dormant until it gets forgotten again, etc.

Farsight has a solution for those sorts of tactics.

Specifically, imagine a cache of domains that have been seen by a Farsight sensor within the last ten days. If a domain gets seen again by a Farsight sensor during that time, the last-seen-time for that domain in the cache gets updated. If a domain does NOT get seen during that ten-day window, the domain gets purged from the cache. Domains that subsequently get seen (and which are NOT in the recently-seen cache) are what Farsight tracks in its Newly Active Domains feed, SIE Channel 211.

How does this differ from Farsight's Newly Observed Domains feed?

  • Newly Observed Domains are domains that Farsight has NEVER, EVER seen on ANY of its sensors.

  • Newly Active Domains are domains that Farsight hasn't seen on at least one of its sensors within the last TEN DAYS, including brand new domains (NOD) and domains that were observed previously but were not observed for a 10+ day period before the next observation.

Now that you know the difference between Newly Active Domains vs. Newly Observed Domains, you may wonder how the relative volumes compare. At least right now, the answer is:

  • Newly Observed Domains (SIE Channel 212) runs about 2.5 newly observed base domains/second.

  • Newly Active Domains (SIE Channel 211) typically runs 20-30 newly active domains/second.

Clearly many domains "sputter to life" for a bit and then seem to go back to sleep again.
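The ten-day cache described above, written out as an added example (this is not Farsight's code and not how Channel 211 is actually built): one set records every base domain ever seen (the NOD condition), and a dictionary of last-seen-times that is purged after ten days of silence decides the NAD condition. The timestamps and domain names are constructed; the window length is the ten days the text states.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

ACTIVE_WINDOW = timedelta(days=10)  # the ten-day recently-seen window described above


class DomainActivityTracker:
    """Keeps (1) the set of every base domain ever seen, which drives
    NOD-style events, and (2) a last-seen cache that forgets a domain after
    ACTIVE_WINDOW of silence, which drives NAD-style events."""

    def __init__(self) -> None:
        self.ever_seen: set[str] = set()
        self.last_seen: dict[str, datetime] = {}

    def purge(self, now: datetime) -> list[str]:
        """Drop cache entries not refreshed within the window; return what was dropped."""
        expired = [d for d, t in self.last_seen.items() if now - t > ACTIVE_WINDOW]
        for d in expired:
            del self.last_seen[d]
        return expired

    def observe(self, domain: str, now: datetime) -> dict:
        domain = domain.lower().rstrip(".")
        self.purge(now)
        nod = domain not in self.ever_seen   # never seen on any sensor, ever
        nad = domain not in self.last_seen   # absent from the 10-day cache (so every NOD is also a NAD)
        self.ever_seen.add(domain)
        self.last_seen[domain] = now         # refresh the last-seen-time
        return {"domain": domain, "at": now.isoformat(), "nod": nod, "nad": nad}


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start of the timeline


def run_sample() -> list[dict]:
    """Replay a constructed timeline for one domain that is used, goes quiet, then revives."""
    timeline = [
        ("example.com", T0),                        # first sighting: NOD and NAD
        ("example.com", T0 + timedelta(days=3)),    # inside the window: neither
        ("example.com", T0 + timedelta(days=9)),    # 6 days after the refresh: neither
        ("example.com", T0 + timedelta(days=30)),   # 21 days silent: purged, so NAD only
        ("example.com", T0 + timedelta(days=31)),   # back in the cache: neither
    ]
    tracker = DomainActivityTracker()
    return [tracker.observe(d, t) for d, t in timeline]


def run_purge_sample() -> list[list[str]]:
    """The window boundary: exactly 10 days is still 'recent', 10 days and 1 second is not."""
    tracker = DomainActivityTracker()
    tracker.observe("quiet.example.net", T0)
    return [tracker.purge(T0 + timedelta(days=10)),
            tracker.purge(T0 + timedelta(days=10, seconds=1))]


if __name__ == "__main__":
    for event in run_sample():
        print(event)
    print(run_purge_sample())
```

The fourth observation is the "sputter back to life" case: the domain is not newly observed (it was seen before) but it is newly active, which is exactly the revived or block-listed-then-forgotten domain the two bullets above describe.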

5. DNS Changes

We've now talked about newly registered vs. newly observed domains, newly observed base domains vs. newly observed fully qualified domain names, and newly observed domains vs. newly active domains.

We have one other "newly ____" product to explain, and that's "DNS Changes" (aka SIE Channel 214). You can think of Channel 214 as being the "master channel that's all about what's new (or newly changed)."

Not surprisingly, the DNS Changes channel is quite busy, typically running about 900 DNS changes/second.

We're not going to do a deep dive into what a DNS Changes channel record looks like here, but know that a new observation gets written to the DNS Changes channel whenever:

  • A new domain (aka delegation point) is observed

  • A new RRname (aka "hostname" or "FQDN") is observed

  • A new RRtype is observed for an RRname (for example, perhaps a site adds an AAAA record for an IPv6-connected host). [One exception to this: all DNSSEC-related record types are ignored for the DNS Changes channel, as well as for Farsight's Newly Observed Domains and Newly Observed Hostnames.]

  • A new Resource Record is observed (perhaps a hostname gets moved to a new IP address)

  • A new RRset is observed (for example, perhaps an additional name server is added to the set of nameservers returned for a given domain, or a previous set of name servers is presented in a new order).

The other thing you should note about the DNS Changes channel is that there's a hierarchical relationship among the "new_*" flags in a record:

  • If new_domain is true, new_rrname, new_rrtype, new_rr, and new_rrset will normally ALSO be true

  • If new_rrname is true, new_rrtype, new_rr, and new_rrset will normally ALSO be true

  • If new_rrtype is true, new_rr and new_rrset will normally ALSO be true

  • If at least one new_rr is true, new_rrset will normally ALSO be true
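Here is an added example (not Farsight's code, and not the real Channel 214 record format) that derives the five new_* flags from a running store of what has been seen at each level, and checks that the hierarchy just listed holds. The observation shape (base domain, RRname, RRtype, list of rdata) is a hypothetical one chosen for the example, the observations are constructed, and the set of DNSSEC types skipped is the standard list of DNSSEC record types rather than anything taken from Farsight's configuration.

```python
from __future__ import annotations

# DNSSEC-related types are ignored for DNS Changes (and NOD/NOH), per the text above.
DNSSEC_RRTYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "DS", "CDS", "CDNSKEY"}


class DnsChangeDetector:
    """Holds what has been seen at each level (domain, RRname, RRtype, RR,
    RRset) and derives the new_* flags for each observation. Observations
    are assumed to arrive with their base domain already attached (a
    hypothetical record shape), so no Public Suffix List handling is needed."""

    def __init__(self) -> None:
        self.domains: set[str] = set()
        self.rrnames: set[str] = set()
        self.rrtypes: set[tuple[str, str]] = set()                  # (rrname, rrtype)
        self.rrs: set[tuple[str, str, str]] = set()                  # (rrname, rrtype, rdata)
        self.rrsets: set[tuple[str, str, tuple[str, ...]]] = set()   # rdata kept in observed order

    def observe(self, domain: str, rrname: str, rrtype: str, rdata: list[str]) -> dict | None:
        domain, rrname, rrtype = domain.lower(), rrname.lower(), rrtype.upper()
        if rrtype in DNSSEC_RRTYPES:
            return None  # nothing is written for DNSSEC record types
        rrset_key = (rrname, rrtype, tuple(rdata))  # same members in a new order is a new RRset
        flags = {
            "new_domain": domain not in self.domains,
            "new_rrname": rrname not in self.rrnames,
            "new_rrtype": (rrname, rrtype) not in self.rrtypes,
            "new_rr": [(rrname, rrtype, rd) not in self.rrs for rd in rdata],  # one flag per RR
            "new_rrset": rrset_key not in self.rrsets,
        }
        self.domains.add(domain)
        self.rrnames.add(rrname)
        self.rrtypes.add((rrname, rrtype))
        self.rrs.update((rrname, rrtype, rd) for rd in rdata)
        self.rrsets.add(rrset_key)
        return flags


def hierarchy_holds(flags: dict) -> bool:
    """The hierarchy from the list above: when a level is new, every level below it is new too."""
    chain = [flags["new_domain"], flags["new_rrname"], flags["new_rrtype"],
             any(flags["new_rr"]), flags["new_rrset"]]
    return all(not chain[i] or all(chain[i + 1:]) for i in range(len(chain)))


def run_sample() -> list[dict | None]:
    """Constructed observations for one domain, one step of the hierarchy at a time."""
    observations = [
        ("example.com", "example.com", "NS", ["ns1.example.com", "ns2.example.com"]),  # all new
        ("example.com", "www.example.com", "A", ["192.0.2.10"]),        # new RRname only
        ("example.com", "www.example.com", "AAAA", ["2001:db8::10"]),   # new RRtype for a known name
        ("example.com", "www.example.com", "A", ["192.0.2.11"]),        # host moved: new RR + RRset
        ("example.com", "example.com", "NS", ["ns2.example.com", "ns1.example.com"]),  # reordered: RRset only
        ("example.com", "example.com", "NS", ["ns1.example.com", "ns2.example.com"]),  # nothing new
        ("example.com", "example.com", "RRSIG", ["constructed-signature-placeholder"]),  # ignored
    ]
    det = DnsChangeDetector()
    return [det.observe(*o) for o in observations]


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

The fifth observation is the "same name servers, new order" case from the RRset bullet: no individual RR is new, yet new_rrset is true; the sixth shows that returning to an already-seen ordering produces no change at all.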

6. Conclusion

We hope the above discussion has helped to clarify the relationship between Newly Observed Domains, Newly Observed Hostnames, Newly Active Domains and DNS Changes. We think you'll be impressed by what they can deliver for you and your company.

Joe St Sauver Ph.D. is a Distinguished Scientist with Farsight Security®, Inc.
