DarkDNS: Revisiting the Value of Rapid Zone Update
Raffaele Sommese, Gautam Akiwate, Antonia Affinito, Moritz Müller, Mattijs Jonker, KC Claffy

TL;DR
This paper examines the limitations of current DNS visibility tools in detecting short-lived malicious domains and proposes more timely data sharing methods to improve security and abuse prevention.
Contribution
It highlights the visibility gap in detecting short-lived domains and demonstrates how public data sources can reduce this gap for better abuse detection.
Findings
Daily DNS snapshots miss at least 1% of new short-lived domains
Public data sources can significantly improve detection of malicious domains
Sharing rapid zone updates enhances security research and abuse prevention
Abstract
Malicious actors exploit the DNS namespace to launch spam campaigns, phishing attacks, malware, and other harmful activities. Combating these threats requires visibility into domain existence, ownership and nameservice activity that the DNS protocol does not itself provide. To facilitate visibility and security-related study of the expanding gTLD namespace, ICANN introduced the Centralized Zone Data Service (CZDS), which shares daily zone file snapshots of new gTLD zones. However, a remarkably high concentration of malicious activity is associated with domains that do not live long enough to make it into these daily snapshots. Using public and private sources of newly observed domains, we discover that even with the best available data there is a considerable visibility gap in detecting short-lived domains. We find that the daily snapshots miss at least 1% of newly registered and short-lived…
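To make the visibility gap in the abstract concrete, here is an added example (not code from the paper, CZDS, or the authors): each domain is modelled as a delegation interval, a snapshot feed as a list of instants, and a domain counts as missed when it is delegated at no snapshot instant. The domain names, times and the two schedules compared are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class DomainLifetime:
    """One delegation: when the name entered the zone and when it left (None = still present)."""
    name: str
    registered: datetime
    removed: Optional[datetime]

def snapshot_schedule(start: datetime, end: datetime, interval: timedelta) -> List[datetime]:
    """Instants at which a zone snapshot is taken; a daily CZDS-style feed is interval=1 day."""
    snaps, t = [], start
    while t <= end:
        snaps.append(t)
        t += interval
    return snaps

def delegated_at(d: DomainLifetime, t: datetime) -> bool:
    """True if the domain was in the zone at instant t (half-open interval [registered, removed))."""
    return d.registered <= t and (d.removed is None or t < d.removed)

def missed_by_snapshots(domains: Iterable[DomainLifetime], snaps: List[datetime]) -> List[str]:
    """Names that were delegated at no snapshot instant: the visibility gap of that schedule."""
    return [d.name for d in domains if not any(delegated_at(d, t) for t in snaps)]

def visibility_gap(domains: List[DomainLifetime], snaps: List[datetime]) -> Tuple[int, float]:
    """Count and fraction of domains invisible to the given snapshot schedule."""
    missed = missed_by_snapshots(domains, snaps)
    frac = len(missed) / len(domains) if domains else 0.0
    return len(missed), frac

# Constructed sample (not from the paper): one domain lives only six hours between daily snapshots.
T0 = datetime(2024, 3, 1)
SAMPLE = [
    DomainLifetime("long-lived.example", T0 + timedelta(hours=3), None),
    DomainLifetime("short-lived.example", T0 + timedelta(hours=2), T0 + timedelta(hours=8)),
    DomainLifetime("one-day.example", T0 + timedelta(hours=20), T0 + timedelta(days=1, hours=4)),
]
END = T0 + timedelta(days=3)

if __name__ == "__main__":
    # Compare a daily feed with a more rapid (6-hourly) update cadence on the same domains.
    for label, interval in (("daily", timedelta(days=1)), ("6-hourly", timedelta(hours=6))):
        n, frac = visibility_gap(SAMPLE, snapshot_schedule(T0, END, interval))
        print(f"{label} snapshots miss {n} of {len(SAMPLE)} domains ({frac:.1%})")
```

With real data the same comparison would run over a newly-observed-domains feed joined against consecutive zone files, which is how the gap the abstract quantifies is measured.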
