
Which data helps you identify suspicious domain names?

26 June 2026

To keep cybercriminals out, it is essential to identify suspicious domain name registrations as quickly as possible. DNS Belgium explains which data sources can support these analyses and what insights they provide.

Phishing, malware distribution, fraudulent online shops and spam almost always rely on domain names. That is why it is important for every registry to detect suspicious domain name registrations quickly and accurately.

To do this efficiently, we rely on a range of data sources. However, these sources are often scattered across the online landscape. Together with the NetBeacon Institute and KU Leuven, DNS Belgium researcher Thomas Daniels is therefore developing a white paper that outlines and explains the most important data sources for registries, cybersecurity researchers and industry professionals.

With this white paper, we want to give an overview of the many data sources available, as a starting point for detecting suspicious domain names efficiently and quickly.

Photo of Thomas Daniels, researcher at DNS Belgium

More than a blocklist

A logical starting point is the wide range of blocklists and abuse feeds that contain information on phishing campaigns and malware attacks. While useful, these feeds are reactive: a domain name appears on them only after abuse has been observed and reported, so they do not catch everything. Organisations that want to identify suspicious domain name registrations at an early stage should therefore combine multiple data sources.

Historical data

Looking back can help you look ahead. A registry’s historical registration database not only provides insight into registered domain names, but also into changes, transfers and deletions over time.

When combined with information on known malicious registrations, this data can reveal patterns. Factors such as the time of registration, or recurring choices (for example the same registrar, name servers or contact details across many registrations in a short period), often indicate that a domain name may not be legitimate, even before it is actively abused.

Websites and DNS traffic

Actively crawling the websites behind the domain names in a zone, such as the .be zone, reveals how those names are actually being used. This information can then support the detection of fraudulent online shops or phishing campaigns.

The same applies to DNS traffic data. Understanding which DNS queries are observed in practice and how they evolve over time can provide valuable signals for identifying suspicious domain names or botnets.

Finally, there is a wealth of external data that can help either identify suspicious registrations or demonstrate that they are legitimate. Popularity rankings such as Tranco can be used to filter out established, widely visited domains that are unlikely to be abusive. IP-related information, such as which other domain names share a hosting address, and specialised malware-domain datasets also contribute to solving the complex puzzle.
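To make the "combine multiple sources" idea concrete, the following is an added example (not code from DNS Belgium or from the white paper) that triages a batch of registration events against a blocklist, a Tranco-style popularity list, a historical bulk-registration pattern (same registrant and name server within a short window), the hour of registration, a simplified crawl result and shared-IP data. Every feed, record and weight in it is constructed sample data; the feature set and thresholds are assumptions chosen for illustration, not the registry's actual scoring.

```python
"""Toy multi-source triage of new domain registrations (added example).

All feeds, registration records, IP data and weights below are constructed
for illustration; they are not real data or DNS Belgium's scoring rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample sources (assumptions, not real feeds) ----------------
BLOCKLIST = {"bank-verify-now.example", "parcel-redelivery.example"}  # abuse feed
POPULAR = {"example.com", "wikipedia.org", "kuleuven.be"}              # Tranco-style list
CRAWL = {  # simplified crawl result: what fetching the site showed
    "secure-login-update.example": {"login_form": True, "title": "Sign in to your bank"},
    "my-local-bakery.example": {"login_form": False, "title": "Bakery Lambert"},
}
DNS_A = {  # simplified IP-related data: A record observed per domain
    "bank-verify-now.example": "203.0.113.7",
    "secure-login-update.example": "203.0.113.7",
    "cheap-sneakers-outlet.example": "203.0.113.7",
    "my-local-bakery.example": "198.51.100.20",
}
# Registration events: (domain, registered_at, registrant, name server)
REGISTRATIONS = [
    ("secure-login-update.example", datetime(2026, 6, 20, 3, 12), "r1@mail.example", "ns1.host-a.example"),
    ("cheap-sneakers-outlet.example", datetime(2026, 6, 20, 3, 14), "r1@mail.example", "ns1.host-a.example"),
    ("parcel-redelivery.example", datetime(2026, 6, 20, 3, 15), "r1@mail.example", "ns1.host-a.example"),
    ("my-local-bakery.example", datetime(2026, 6, 20, 10, 30), "bakery@mail.example", "ns1.host-b.example"),
    ("example.com", datetime(2026, 6, 20, 11, 0), "someone@mail.example", "ns1.host-c.example"),
]
BULK_WINDOW = timedelta(hours=1)  # assumed window for "bulk" registrations
BULK_MIN = 3                      # assumed minimum size of a bulk group


def bulk_groups(registrations, window=BULK_WINDOW, minimum=BULK_MIN):
    """Historical-pattern signal: the same registrant using the same name
    server for several registrations within a short window. Returns the set
    of domains that belong to such a group (sliding window per key)."""
    by_key = defaultdict(list)
    for domain, ts, registrant, ns in registrations:
        by_key[(registrant, ns)].append((ts, domain))
    flagged = set()
    for events in by_key.values():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= minimum:
                flagged.update(d for _, d in events[start:end + 1])
    return flagged


def shares_ip_with_blocklisted(domain):
    """IP-related signal: the domain resolves to an address that also hosts
    a blocklisted domain."""
    ip = DNS_A.get(domain)
    return ip is not None and any(DNS_A.get(b) == ip for b in BLOCKLIST if b != domain)


def score_registration(domain, registered_at, bulk_flagged):
    """Combine the sources into one score plus the reasons that fired, so an
    analyst sees the evidence. Weights are illustrative assumptions."""
    if domain in POPULAR:
        return 0, ["popularity list: treated as trusted"]
    score, reasons = 0, []
    if domain in BLOCKLIST:
        score += 5; reasons.append("listed in abuse feed")
    if domain in bulk_flagged:
        score += 2; reasons.append("bulk registration: same registrant and name server within 1h")
    if 1 <= registered_at.hour < 6:
        score += 1; reasons.append("registered at night (01:00-06:00)")
    if CRAWL.get(domain, {}).get("login_form"):
        score += 2; reasons.append("crawl: login form on a freshly registered domain")
    if shares_ip_with_blocklisted(domain):
        score += 2; reasons.append("shares A-record IP with a blocklisted domain")
    return score, reasons


def triage(registrations, threshold=3):
    """Score every registration; 'review' when the combined score reaches the
    (assumed) threshold, 'ok' otherwise."""
    bulk = bulk_groups(registrations)
    result = {}
    for domain, ts, _, _ in registrations:
        score, reasons = score_registration(domain, ts, bulk)
        result[domain] = (score, "review" if score >= threshold else "ok", reasons)
    return result


if __name__ == "__main__":
    for domain, (score, verdict, reasons) in triage(REGISTRATIONS).items():
        print(f"{domain:32} {score:2} {verdict:6} {'; '.join(reasons)}")
```

Note how the evidence accumulates: secure-login-update.example is on no blocklist, yet it is flagged because the bulk pattern, the night-time registration, the login form found by crawling and the IP shared with a blocklisted domain all point the same way, while the bakery site scores zero and the domain on the popularity list is skipped entirely.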

Through Daniels’ white paper, DNS Belgium aims to contribute to the overall security of the internet. By mapping the available data sources, we provide a starting point for everyone in the industry working to combat DNS abuse, from registries to cybersecurity professionals.

Is there a single, comprehensive solution? Can abuse be prevented entirely? Unfortunately not. However, by combining data sources and analysing them from different perspectives, online abuse can be detected and addressed more quickly.

We therefore hope that this white paper provides a solid foundation for everyone committed to building a safer internet.

With this article we support the Sustainable Development Goals of the United Nations.