Do you block "new" domain names?

Published: 2014-02-04. Last Updated: 2014-02-04 12:41:39 UTC
by Johannes Ullrich (Version: 1)
14 comment(s)

This is more a quick question than a full post: Many attacks use recently registered domain names. Do you block newly registered domain names (let's say for the first week)? What system do you use to do so? I am thinking about setting up a simple API to return a "days registered" value for a domain name, but first want to see what else is out there.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: DNS
Comments

Cisco Ironport S-Series here does this (sometimes?). Not always to our pleasure ;-)
Yup. Default policy on our web filtering system. All unknown domains registered in the last 14 days. It does require us to manually unblock new legitimate sites being set up by marketing, but frequently catches the embedded URLs of the SPAM campaign du jour. Attackers will no doubt adapt accordingly, but for now it is a useful tactic.
How about turning on "UNCAT" blocking in your proxy?
I wonder if this can be done on the Barracuda 410 Web Filters. Great idea. Wish I had thought of this.
How are you achieving this?
Since automated WHOIS queries are verboten, according to the terms of use, and a number of ccTLDs don't provide any obvious way to lookup this information... where are there bulk data sources available for domain registration dates?
We block all "none" sites through the Blue Coat proxy with a splash page that gives a link for the end-user to submit the site for categorization.
We use OpenDNS and it kind of does this. It looks to see if a new domain is hosted at known bad IP addresses, data centers, or AS numbers (among other things). So this is not a 100% block of new domains, but effectively similar.

Other than a service like this or a rule on an existing web filter, I can't figure out how to do this in an automated way.
Websense does this now with their Potentially Damaging Content category.

But according to their recent Technical Alert:

In the 1st quarter of 2014, Websense Labs plans to update the current Web Category list.
New security categories, introduced in this release, will enable organizations to protect their users from
- Newly Registered Websites
- Compromised Websites
How would you get domain age?

we (farsight security, formerly isc security) are about to create a "new domain channel" on SIE, with corresponding RPZ and DNSBL reputation zones, and a "whois" interface (rate limited but otherwise free) and a REST/JSON API. but we have a very complete passive dns database going back several years, and we see 900GBytes+ per day of DNS "cache miss" traffic. when we think a domain is "new", it probably is new.

without that corpus and flow, "domain age" would be by ZFA deltas from TLD operators, or by whois... or by what else exactly?
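One way to turn a registration-date feed into the "days registered" lookup from the diary and the kind of RPZ block zone the comment above mentions, as an added example that is not code from the diary or any commenter. The feed dictionary, the sample domains, the 14-day window and the zone origin `newdomains.rpz.local.` are all constructed assumptions; a real deployment would take the dates from a zone-file delta or a registration feed.

```python
"""Compute domain age from a registration-date feed and emit an RPZ zone
that returns NXDOMAIN for domains registered within the last N days.

Added example, not code from the diary or its commenters. The feed below
is a constructed stand-in for a zone-file-delta or registration feed.
"""
from datetime import date, datetime, timezone

# Constructed sample feed: domain -> registration date (ISO 8601).
SAMPLE_FEED = {
    "example-fresh.test": "2014-02-01",
    "example-week-old.test": "2014-01-27",
    "example-established.test": "2011-06-15",
}


def days_registered(reg_date: str, today: date) -> int:
    """Return how many days ago reg_date (an ISO date string) was."""
    return (today - date.fromisoformat(reg_date)).days


def newly_registered(feed: dict, today: date, max_age_days: int = 14) -> list:
    """Return the feed's domains that are at most max_age_days old, sorted.

    Dates in the future (bad feed data) are skipped rather than blocked.
    """
    return sorted(d for d, r in feed.items()
                  if 0 <= days_registered(r, today) <= max_age_days)


def rpz_zone(domains: list, origin: str = "newdomains.rpz.local.",
             serial: int = 1) -> str:
    """Render a DNS Response Policy Zone where each listed domain and its
    subdomains map to the NXDOMAIN policy action (CNAME to the root)."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} IN CNAME .")    # NXDOMAIN for the domain itself
        lines.append(f"*.{d} IN CNAME .")  # and for any subdomain of it
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    today = datetime.now(timezone.utc).date()
    print(rpz_zone(newly_registered(SAMPLE_FEED, today)))
```

Reload the rendered zone into a resolver that supports RPZ (BIND, Unbound, Knot Resolver) and the listed domains will resolve to NXDOMAIN for the window you chose.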
We use Websense as a filter. We then allow most categories, and block those inappropriate for work (Legal, HR, etc. reasons).

Any Websense "Misc: Uncategorized" websites are blocked (which would block any on-the-fly newly registered sites). Users can request our Help Desk team review any website and then our Help Desk team submits it to Websense Support for further review. Once Websense Support reviews the site and categorizes it, then our system automatically gets the category update within 24 hours.

Additionally, all abnormal ccTLDs are "greylisted" to warn users and require an override click.
