Blocking all traffic to and from NRDs is an effective way to avoid the threats they pose, but not every NRD is malicious or even suspicious. What if a legitimate customer, third-party partner, service provider, or supplier happens to be using one? A blanket block would cut them off from your network, or even from the mere act of emailing your employees.
What usually works better is to monitor NRDs and block only those that warrant it. For that, you need two things: an NRD data feed that gives you an exhaustive list of domains that recently became part of the Domain Name System (DNS), and a reputation check that tells you whether any of them are tagged as malicious on threat blocklists. An allowlist of the young domains your partners legitimately use rounds out the setup so they are never blocked automatically.
First off, though, you need to know what NRDs are.
What Are Newly Registered Domains?
NRDs are domains whose registration records show a creation or update date within the past few weeks. Not all of them are new in the sense of having just been created. Some were registered long ago by a different owner, parked without ever being used, left to expire, and then picked up by a new owner who put a website on them.
While many NRDs could be meant for malicious purposes (phishing and malware attacks), others could simply belong to new companies putting up their corporate websites or web pages. Some could also belong to legitimate companies that want to use different domains for each of their offerings or content type.
What Types of Newly Registered Domains Should You Avoid?
That said, some NRDs do carry telltale signs of malicious intent. The most common types are discussed in more detail below.
Machine-Generated Newly Registered Domains
Cybercriminals are known for creating domains automatically, using domain generation algorithms (DGAs), to host their malicious infrastructure. A DGA can produce a large number of candidate domains for a given period of time, and infected machines use them to locate the attackers' command-and-control (C&C) servers; because the registered domain changes constantly, blocking any single one has little effect. These domains are usually made up of pseudo-randomly chosen alphanumeric characters and so don't typically form meaningful words. An example would be 021andecc[.]com, which was obtained from a .com NRD database for 15 July 2021.
Machine-generated NRDs are typical of botnet malware. Kraken, in 2008, is widely cited as the first malware family to use a DGA.
Typosquatting Newly Registered Domains
Apart from DGA-created domains, threat actors are also known for registering domain names that closely resemble those of legitimate and very popular companies (usually the most-phished brands) to trick users into clicking them. These are known as “typosquatting domains,” and they increase the odds that a user who misreads the link ends up on a malicious website.
An example from the same NRD database mentioned above would be payment-paypal[.]com, which based on its WHOIS record, isn’t owned by PayPal.
Punycode Newly Registered Domains
Another type of NRD that you should probably avoid is a Punycode domain. Internationalized domain names (IDNs) let non-English speakers use their own language and alphabet in a domain. But DNS hostnames are restricted to ASCII letters, digits, and hyphens, so Punycode translates each Unicode label into an ASCII string that starts with the “xn--” prefix. Attackers abuse this because a label that looks like a well-known brand when rendered in Unicode is an unrelated ASCII string in DNS, and a security tool that only sees the ASCII form will not notice the resemblance.
An example from the same NRD database would be xn--07apple-y48l[.]com, which decodes to “07在apple[.]com.”
Current Event-Inspired Newly Registered Domains
Users should also be wary of NRDs that are inspired by popular events. In the months after COVID-19 was declared a pandemic, for instance, the volume of coronavirus-themed domain names surged. And many of these were malicious and only used the disease to entice users into clicking the domains so their computers could be infected with malware or their personally identifiable information (PII) stolen.
An example from the same NRD database would be beforecovid19[.]com.
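The four types above can be screened for with a few lexical heuristics. The following is an added example, not code from the original article or from any of the vendors it lists: it decodes Punycode labels with Python's `punycode` codec, scores a label for machine generation (digit density, character entropy, long consonant runs, and how much of the label a dictionary explains), checks for brand look-alikes with a Levenshtein distance, and looks for event keywords. The brand list, the tiny dictionary, the event keywords, and the thresholds are all assumptions chosen for illustration; a real deployment would use a full dictionary or a trained model, the Public Suffix List to find the registrable label, and the organization's own brand and partner lists. Heuristics like these are noisy and belong in a monitoring pipeline, not in an automatic block rule.

```python
import codecs
import math
from collections import Counter

# Constructed reference data (assumptions, not from the article).
BRANDS = ["paypal", "apple", "microsoft"]
LEGIT_DOMAINS = {"paypal.com", "apple.com", "microsoft.com"}
EVENT_KEYWORDS = ["covid", "corona", "vaccine"]
# Tiny stand-in for a real dictionary, used to judge whether a label is built from words.
WORDS = {"pay", "pal", "paypal", "payment", "apple", "microsoft", "before", "covid",
         "secure", "login", "bank", "mail", "cloud", "shop", "news", "update", "account", "and"}
VOWELS = set("aeiou")


def decode_idn(domain: str) -> str:
    """Decode every xn-- label with the raw Punycode codec; malformed labels are kept as-is."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                out.append(codecs.decode(label[4:].encode("ascii"), "punycode"))
            except UnicodeError:
                out.append(label)
        else:
            out.append(label)
    return ".".join(out)


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def word_coverage(label: str) -> float:
    """Fraction of the label explained by greedy longest-match dictionary words."""
    i, covered = 0, 0
    while i < len(label):
        best = max((len(w) for w in WORDS if label.startswith(w, i)), default=0)
        covered += best
        i += best or 1
    return covered / len(label) if label else 0.0


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_machine_generated(label: str) -> bool:
    """DGA heuristic: mostly unexplained by words AND digit-heavy, high-entropy, or unpronounceable."""
    s = label.replace("-", "")
    if not s:
        return False
    digit_ratio = sum(ch.isdigit() for ch in s) / len(s)
    noisy = digit_ratio > 0.2 or shannon_entropy(s) > 3.0 or longest_consonant_run(s) >= 4
    return word_coverage(s) < 0.5 and noisy


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(label: str):
    """Brand the label imitates (brand embedded in a longer label, or one edit away), else None."""
    tokens = [t for t in label.split("-") if t]
    for brand in BRANDS:
        if label != brand and (brand in label or any(levenshtein(t, brand) == 1 for t in tokens)):
            return brand
    return None


def event_theme(label: str):
    return next((k for k in EVENT_KEYWORDS if k in label), None)


def classify(domain: str) -> list:
    """Reasons an NRD looks suspicious; an empty list means none of the four heuristics fired."""
    domain = domain.lower().rstrip(".")
    reasons = []
    decoded = decode_idn(domain)  # run the lexical checks on what the user would see
    if decoded != domain:
        reasons.append(f"punycode:{decoded}")
    if decoded in LEGIT_DOMAINS:
        return reasons
    parts = decoded.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # assumes a single-label TLD such as .com
    if looks_machine_generated(label):
        reasons.append("machine-generated")
    if (brand := typosquat_target(label)):
        reasons.append(f"typosquat:{brand}")
    if (theme := event_theme(label)):
        reasons.append(f"event:{theme}")
    return reasons


if __name__ == "__main__":
    for d in ["021andecc.com", "payment-paypal.com", "xn--07apple-y48l.com", "beforecovid19.com"]:
        print(d, classify(d))
```

Note that the Punycode label is decoded before the brand check runs, otherwise "xn--07apple-y48l" would both hide the "apple" resemblance and trip the machine-generation score on its own ASCII noise.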
Now that you know what NRDs are and which ones you should avoid, the next step toward complete threat protection is to obtain access to a list of newly registered domains. But there are many such databases on the market, so which one should you choose? You can let the following criteria guide your decision.
Criteria for Choosing a Newly Registered Domain Database
When looking for the right NRD database or list of newly registered domains for your business needs, pick one that meets these specifications:
Number of Supported TLDs
You can only achieve broad coverage if the NRD database you obtain access to compiles data spanning the greatest possible number of top-level domains (TLDs). As of June 2020, 1,514 TLDs were in use, so choose an NRD database that supports as close to this number as possible.
Data Freshness
Any kind of database is only as effective as the freshness of the data it contains. Stale or outdated information is just as useless as having no data to work with. When selecting the right NRD database, therefore, choose one that gets updated daily.
Data Format
Just as important as having up-to-date data is the format an NRD database uses. Databases are typically fed into other systems, so they need to be in a format those systems can read. Comma-separated values (CSV) files are preferable, as they can be read by any spreadsheet application and parsed by any scripting language. It’s even better if the files are well-parsed and consistently formatted so they can be quickly correlated with other data sets, such as your own DNS or proxy logs.
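Putting the earlier "monitor, and block only if necessary" approach together with a CSV feed looks like the following. This is an added example, not code from the article or from any vendor it names: it parses a constructed NRD feed in an assumed two-column CSV layout, reduces each queried name in a few constructed DNS resolver log lines to its registrable domain, and issues a verdict that consults a hand-maintained partner allowlist before a stand-in blocklist. Everything unknown stays at "monitor" rather than "block". The `registrable_domain` helper takes the last two labels, which is wrong for multi-label public suffixes such as `co.uk`; a production version must use the Public Suffix List.

```python
import csv
import io

# Constructed sample of an NRD feed in an assumed CSV layout (domainName, createDate).
NRD_FEED_CSV = """domainName,createDate
021andecc.com,2021-07-15
payment-paypal.com,2021-07-15
partner-supply.com,2021-07-14
"""

# Constructed DNS resolver log lines: timestamp, client IP, query type, queried name.
DNS_LOG = """\
2021-07-16T08:01:12Z 10.0.0.12 A www.payment-paypal.com
2021-07-16T08:01:40Z 10.0.0.12 A cdn.partner-supply.com
2021-07-16T08:02:03Z 10.0.0.33 A mail.example.org
2021-07-16T08:02:15Z 10.0.0.33 A 021andecc.com.
"""

# Young domains that partners legitimately use; maintained by hand, never auto-blocked.
ALLOWLIST = {"partner-supply.com"}
# Stand-in for a reputation or blocklist lookup; a real deployment queries a feed or an API.
BLOCKLIST = {"021andecc.com"}


def registrable_domain(name: str) -> str:
    """Last two labels of a hostname. Naive on purpose: use the Public Suffix List in production."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def load_nrd_feed(text: str) -> dict:
    """Map registrable domain -> registration date from the CSV feed."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["domainName"].strip().lower(): row["createDate"].strip() for row in reader}


def triage(log_text: str, feed: dict, allowlist=ALLOWLIST, blocklist=BLOCKLIST) -> list:
    """One verdict per log line: pass, allow:partner, block, or monitor."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        dom = registrable_domain(qname)
        if dom not in feed:
            verdict = "pass"           # not newly registered; outside this control's scope
        elif dom in allowlist:
            verdict = "allow:partner"  # young but known-good
        elif dom in blocklist:
            verdict = "block"          # NRD with bad reputation
        else:
            verdict = "monitor"        # NRD with no reputation yet: log and alert, do not block
        verdicts.append((ts, client, qname, dom, feed.get(dom), verdict))
    return verdicts


if __name__ == "__main__":
    for row in triage(DNS_LOG, load_nrd_feed(NRD_FEED_CSV)):
        print(*row)
```

The "monitor" bucket is where the value lies: a young domain with no reputation that suddenly receives queries from many internal clients is worth an alert, while one seen once from a single workstation usually is not.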
6 Newly Registered Domain Databases You Can Choose From
As we’ve said, many newly registered domain lists and databases are available on the market, and choosing one that meets all the given requirements can take time. To save you the hassle, we shortlisted six products below.
Database # 1: WhoisXML API Newly Registered & Just Expired Domains
WhoisXML API’s Newly Registered & Just Expired Domains Database gets around 100,000 NRDs and 100,000 recently expired domains added to its repository daily. It supports 1,250 gTLDs and comes in CSV format, making it easily integrable into existing systems and applications and readable via any spreadsheet program.
Database #2: Domains Index
Domains Index’s Newly Registered Domains Lists get 85,000 additions and 85,000 expirations daily. Like the previous product, it also comes in CSV format.
Database #3: IQWhois
IQWhois’s Newly Registered Domains Database lets users keep track of 80,000 DNS additions and 80,000 expirations daily. Like the first two products, it is also downloadable as a CSV file.
Database #4: Domain Name Stat
Domain Name Stat’s Newly Registered Domains Data Feeds are updated daily with 90,000 additions and 90,000 expirations. And like the first three solutions above, it comes in CSV format.
Database #5: JsonWHOIS
JsonWHOIS’s Newly Registered or Dropped Domain Names gets a daily addition of 85,000 NRDs and 85,000 expired domains. Like the other four databases above, it is downloadable as a CSV file.
Database #6: WDD
WDD’s Newly Registered Domains offering gets updated with 100,000 NRDs daily. It comes in CSV format as well.
By now, you should be well-equipped to choose the right NRD database for your business requirements, which can span cybersecurity, marketing, brand protection, search engine optimization (SEO), and domaining.