While some domainers allegedly brainstorm ideas for new domains to register while taking a shower, the more successful domain portfolio managers, working at scale, are believed to be ‘data driven.’ DNS queries are a material source of intelligence about domainer opportunities and operations, and also help us to understand the operational constraints around potentially combating domainers, should we want to do so. In this presentation co-authored with Farsight Security Scientist Dr. Joe St Sauver, Farsight Security CEO Dr. Paul Vixie will scrutinize failed DNS queries (‘NXDOMAINs’), looking for the same ‘opportunities’ that a domainer or typo squatter would (although we will not be acting on that data by actually registering domains).
Dr. Vixie will discuss two primary types of behavior: 1) Volumetrically-driven typo-squatting, which Dr. Vixie will measure by computing the volume of NXDOMAINs seen by domain during a 24 hour period, and the time between popular typos appearing in NXDOMAINs and those same domains being registered and actually used, and 2) Domainers programmatically exploring permutations of domains around high value domains, probing for available domains and automatically registering the most promising probed domains discovered to still be available. Both of these hypothesized behaviors should be externally observable and thus able to be confirmed by watching a real-time stream of NXDOMAIN errors, and a real-time stream of newly observed, actually-registered domains, as available from the Security Information Exchange.
Dr. Paul Vixie will experimentally confirm these hypothesized relationships and describe examples of (1) the most commonly observed types of typographical errors, (2) the brands apparently most-targeted for squatting, (3) the distribution of delays from NXDOMAIN detection to observed domain use, (4) the potential relationship between NXDOMAIN volume thresholds and TLD cost. Dr. Vixie will also explain how this information illuminates opportunities for tackling these types of domain name abuse. Time will be reserved for Q&A.