More than half of the world’s registered domain names – and more than half of live websites – fall under the top five traditional generic top-level domains (gTLDs): .com, .net, .org, .biz, and .info. These five extensions account for nearly 80 percent of all newly registered domains.

For those and more than 825 new gTLD extensions (e.g., .school, .guru), LookingGlass has the systems and business relationships that enable us to harvest, each day, the zone files for those extensions: the authoritative lists of every new domain name registered, whether live or not.

Therefore, our data include the vast majority of new domain names from the day they are registered. We run deltas each day, aggregate all 825+ gTLDs, and generate a daily file containing all of the newly registered domain names for these hundreds of TLDs: essentially a list of new domain names registered in the last 24 hours.

Given the speed with which cyber threat actors leverage and discard domain names, brand new ones are, as a group, much riskier than general traffic and, as such, can constitute an excellent set of indicators for watching or blocking at the firewall, perimeter, or gateway.

In addition, many domain name-generating algorithms and botnets register, use, and throw away domain names with recognizable patterns in the text strings. By leveraging these patterns, often traded in industry forums and information sharing groups such as Information Sharing and Analysis Centers (ISACs), a text-analytics scheme applied to the data can provide potential indications-and-warnings of future attacks or the pre-positioning of infrastructure for future cyber threat activity.
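The daily delta and the pattern screening described above can be sketched as follows. This is an added example, not LookingGlass code: the zone snapshots are constructed sample data, and the watch pattern, the brand name "examplebank", and the randomness thresholds are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample zone snapshots (not real feed data), owner name first.
YESTERDAY = """\
; snapshot for day N-1
example-shop.com. NS ns1.example.net.
example-shop.com. NS ns2.example.net.
oldsite.info. 172800 IN NS ns1.example.net.
"""
TODAY = YESTERDAY + """\
qxkzjwvbhtplmrnd.biz. NS ns1.example.org.
examp1ebank-login.com. NS ns1.example.org.
gardenclub.org. 172800 IN NS ns1.example.org.
"""

# Hypothetical watch pattern, standing in for one shared through an ISAC.
WATCH_PATTERNS = {"brand-lookalike": re.compile(r"examp[l1]e-?bank")}

def delegated_names(zone_text):
    """Return the set of domains that own at least one NS record."""
    names = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(";"):
            continue  # blank line, comment, or malformed record
        if "NS" in fields[1:-1]:  # tolerate optional TTL and class columns
            names.add(fields[0].rstrip(".").lower())
    return names

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    total = len(label)
    return -sum(n / total * math.log2(n / total) for n in Counter(label).values())

def screen(domain):
    """Return the reasons a new domain deserves review (possibly none)."""
    label = domain.split(".")[0]
    reasons = [name for name, rx in WATCH_PATTERNS.items() if rx.search(label)]
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    # Assumed heuristic: long, high-entropy, vowel-poor labels look generated.
    if len(label) >= 12 and shannon_entropy(label) > 3.5 and vowel_ratio < 0.2:
        reasons.append("random-looking")
    return reasons

def daily_report(previous, current):
    """Map each domain present today but not yesterday to its review reasons."""
    new = sorted(delegated_names(current) - delegated_names(previous))
    return {domain: screen(domain) for domain in new}

if __name__ == "__main__":
    for domain, reasons in daily_report(YESTERDAY, TODAY).items():
        print(domain, ",".join(reasons) or "-")
```

Domains with an empty reason list are still newly registered, so they remain candidates for the watch or block list the feed is meant to supply.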

Easy Implementation

The Newly-Registered Domain Data Feed is simple to implement. The feed is delivered as a daily batch file via File Transfer Protocol (FTP) or Secure File Transfer Protocol (sFTP) in plain text, easily imported, indexed, or consumed by almost any type of system.
