You’ve probably heard that many of today’s threats come from newly registered domains (NRDs). And that’s true primarily in part because these domains and their owners are harder to identify than old ones, especially since the implementation of privacy protection on WHOIS records. Since the onset of the COVID-19 pandemic, for instance, several NRDs registered around the world were used in a malicious campaign.
But what many may know is that there are various kinds of new domains, apart from NRDs typically contained in feeds like https://iqwhois.com/newly-registered-domains. These include newly observed domains, and newly active domains. You may be wondering how one differs from the others. This post describes each kind in greater detail, along with how Domain Name System (DNS) changes can affect the status of existing domains.
Newly Registered, Newly Observed, and Newly Active Domains… What’s the Difference?
NRDs refer to domain names registered or having changed ownership in the past few weeks. How recent they are can be determined via WHOIS lookups and looking at the domain age indicated. Some users rely on an NRD data feed that lists all the domains that made their way into the DNS on a particular date. An example of an NRD would be melroseparknorthentertainment[.]com, which was registered on 28 April 2021.
A newly observed domain, meanwhile, is one that’s recently detected. It may or may not be newly registered but it hasn’t been recorded on any network log before. It could have been bought by a registrant who initially wanted to put up a website but didn’t push through with his/her plans.
If an attacker buys a domain but doesn’t use it until 2022 to host malware for a cyber attack, it will no longer be detected as an NRD but it is considered a newly observed domain. That said, a newly observed domain can also be an NRD if used right away by his registrant.
Newly active domains, like newly observed domains, can also have aged. The difference is that they remain unused but only for certain periods. To illustrate, let’s say that a domain was used in an attack in January 2020. After it was detected and reported as malicious, its owner could decide not to use it again anytime soon for other campaigns. After all, access to it would probably be blocked by companies that subscribe to threat intelligence feeds. After a year or two, suspicions may have gone down, and the Internet property may be used again for another attack, making it a newly active domain.
Like newly observed domains, newly active domains could be NRDs, too.
What Do DNS Changes Have to Do with New Domains?
Every domain typically has DNS records that include mail exchanger (MX), TXT, name server (NS), and other records. These connect the domain to an email server, an IP address, and other identifiers to make it work (i.e., show the user a specific website).
When any of a domain’s DNS record detail is modified, its delegation (newly registered, observed, or active) may change.
Why Is Tracking New Domains Important?
As mentioned earlier, it has become common practice for companies to monitor and track new domains since these often figure in cyber attacks. Cybersecurity experts often advise blocking access to them, in fact, to reduce the number of threats that can affect a network.
Whatever kind of new domain you wish to track, one thing is for sure, it was once newly registered, which makes a subscription to an NRD data feed possibly a good idea. If you’re already blocking access to NRDs, even if they aren’t used for a long time, they won’t be a threat to your network.