Do you block "new" domain names?
This is more a quick question than a full post: many attacks use recently registered domain names. Do you block newly registered domain names (let's say for the first week)? What system do you use to do so? I am thinking about setting up a simple API that returns a "days registered" value for a domain name, but first I want to see what else is out there.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Keywords: DNS
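An added example of the "days registered" check the diary proposes; it is not code from the diary or from any product the comments mention. The WHOIS table, domain names and date strings are constructed, the reference date is the diary's own date, and the "review" verdict covers registries that publish no creation date at all.

```python
from datetime import datetime, timezone

# Constructed sample data (not real registrations): domain -> creation date
# as a registrar's WHOIS or RDAP record might report it. None models a
# ccTLD that exposes no creation date.
SAMPLE_WHOIS = {
    "example-fresh.test": "2014-02-03T11:22:33Z",   # RDAP-style timestamp
    "example-old.test": "2009-06-15",               # bare ISO date
    "example-mid.test": "29-Jan-2014",              # legacy WHOIS style
    "example-cctld.test": None,                     # no date published
}

# Date layouts commonly seen in WHOIS/RDAP output (assumed set, extend as needed)
FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")

# Reference "now" fixed to the diary's date so results are reproducible
REF_NOW = datetime(2014, 2, 4, tzinfo=timezone.utc)


def parse_creation_date(raw):
    """Try each known layout; return an aware UTC datetime or None."""
    if not raw:
        return None
    for fmt in FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def days_registered(domain, whois=SAMPLE_WHOIS, now=None):
    """Whole days since registration, or None when no date is available."""
    now = now or datetime.now(timezone.utc)
    created = parse_creation_date(whois.get(domain))
    if created is None:
        return None
    return (now - created).days


def verdict(domain, min_age_days=7, whois=SAMPLE_WHOIS, now=None):
    """block: younger than min_age_days; review: age unknown; allow: otherwise."""
    age = days_registered(domain, whois, now)
    if age is None:
        return "review"  # unknown age is a policy decision, not a free pass
    return "block" if age < min_age_days else "allow"


if __name__ == "__main__":
    for name in SAMPLE_WHOIS:
        print(name, days_registered(name, now=REF_NOW), verdict(name, now=REF_NOW))
```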
Comments
Anonymous, Feb 4th 2014
Since automated WHOIS queries are verboten, according to the terms of use, and a number of ccTLDs don't provide any obvious way to look up this information... where are there bulk data sources available for domain registration dates?
Anonymous, Feb 4th 2014
Anonymous, Feb 4th 2014
Other than a service like this or a rule on an existing web filter, I can't figure out how to do this in an automated way.
Anonymous, Feb 4th 2014
But according to their recent Technical Alert:
In the 1st quarter of 2014, Websense Labs plans to update the current Web Category list.
New security categories, introduced in this release, will enable organizations to protect their users from
- Newly Registered Websites
- Compromised Websites
Anonymous, Feb 4th 2014
We (Farsight Security, formerly ISC Security) are about to create a "new domain channel" on SIE, with corresponding RPZ and DNSBL reputation zones, and a "whois" interface (rate limited but otherwise free) and a REST/JSON API. But we have a very complete passive DNS database going back several years, and we see 900GBytes+ per day of DNS "cache miss" traffic. When we think a domain is "new", it probably is new.
Without that corpus and flow, "domain age" would be by ZFA deltas from TLD operators, or by whois... or by what else exactly?
Anonymous, Feb 4th 2014
Any Websense "Misc: Uncategorized" websites are blocked (which would block any on-the-fly newly registered sites). Users can request our Help Desk team review any website and then our Help Desk team submits it to Websense Support for further review. Once Websense Support reviews the site and categorizes it, then our system automatically gets the category update within 24 hours.
Additionally, all abnormal ccTLDs are "greylisted" to warn users and require an override click.
Anonymous, Feb 4th 2014