Newly Observed Domains are created and published every day as part of the Domain Name System (DNS), but not all of them are created for legitimate purposes. Bad actors use new domains for criminal activities such as spam, malware distribution or botnets within minutes of creating them.
Security teams need real-time information about new domain usage so that they can apply rules to block access until security providers have had time to analyze the domains, and threats can be avoided. Security analysts have no way to gather and analyze this information in a timely manner on their own, because it is broadly distributed across name servers around the world.
Infoblox provides two threat intelligence feeds on newly observed domains:
- Farsight™ Newly Observed Domains (NOD)
- SURBL™ Fresh
Farsight™ NOD
This feed adds a new domain when:
- Someone tries to resolve the newly registered domain for the first time. The domain then stays on the list for 72 hours.
- The listing is based on real-world activity: if a domain is purchased but never used, it will not be listed.
SURBL™ Fresh
This feed adds a new domain when:
- The domain is registered. It stays on the list for 72 hours; no activity is necessary.
- Change of ownership of the domain will cause a listing too.
Why would you use both?
Having both feeds covers the bases for blocking newly observed domains: Farsight™ NOD lists domains based on observed resolution activity, while SURBL™ Fresh lists domains at registration time, with no activity required.
After 72 hours, if the domain is determined to be malicious, it will be placed into other feeds.
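To make the two listing rules concrete, here is an added example (not Infoblox, Farsight or SURBL code) that models them as a local policy: an activity-based list keyed on first observed resolution, a registration-based list keyed on registration or change of ownership, both with a 72-hour window, and a block decision that consults both. The domain names, timestamps and registrant labels are constructed for the example; the feeds' real data formats and internals are not described on the page and are not modelled here.

```python
from datetime import datetime, timedelta

# Both feeds keep a domain listed for 72 hours (as described on the page).
LISTING_WINDOW = timedelta(hours=72)


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'Foo.Example.' == 'foo.example'."""
    return domain.strip().lower().rstrip(".")


class ActivityBasedList:
    """Models the NOD rule: a domain is listed on its first observed
    resolution and remains listed for 72 hours; a registered but never
    resolved domain never appears here."""

    def __init__(self) -> None:
        self.first_seen: dict[str, datetime] = {}

    def observe_resolution(self, domain: str, ts: datetime) -> None:
        self.first_seen.setdefault(normalize(domain), ts)

    def is_listed(self, domain: str, now: datetime) -> bool:
        ts = self.first_seen.get(normalize(domain))
        return ts is not None and timedelta(0) <= now - ts < LISTING_WINDOW


class RegistrationBasedList:
    """Models the Fresh rule: a domain is listed when registered, and
    listed again when its ownership changes; no resolution needed."""

    def __init__(self) -> None:
        self.listed: dict[str, tuple[datetime, str]] = {}  # domain -> (ts, registrant)

    def observe_registration(self, domain: str, ts: datetime, registrant: str) -> None:
        domain = normalize(domain)
        previous = self.listed.get(domain)
        # First registration, or a new registrant (change of ownership), triggers a listing.
        if previous is None or previous[1] != registrant:
            self.listed[domain] = (ts, registrant)

    def is_listed(self, domain: str, now: datetime) -> bool:
        entry = self.listed.get(normalize(domain))
        return entry is not None and timedelta(0) <= now - entry[0] < LISTING_WINDOW


def should_block(domain: str, now: datetime,
                 activity: ActivityBasedList, registration: RegistrationBasedList) -> bool:
    """Block if either list has the domain: this is the 'why use both' logic."""
    return activity.is_listed(domain, now) or registration.is_listed(domain, now)


def build_demo_lists() -> tuple[ActivityBasedList, RegistrationBasedList]:
    """Constructed sample events (hypothetical domains and registrants)."""
    activity = ActivityBasedList()
    registration = RegistrationBasedList()
    # Registered, then first resolved a day later.
    registration.observe_registration("new-shop.example", datetime(2024, 1, 1, 0, 0), "registrant-A")
    activity.observe_resolution("New-Shop.example.", datetime(2024, 1, 2, 0, 0))
    # Registered but never resolved: only the registration-based list sees it.
    registration.observe_registration("parked-only.example", datetime(2024, 1, 1, 0, 0), "registrant-A")
    # Old domain whose ownership changes: re-listed by the registration-based feed.
    registration.observe_registration("old-domain.example", datetime(2023, 1, 1, 0, 0), "registrant-A")
    registration.observe_registration("old-domain.example", datetime(2024, 1, 3, 0, 0), "registrant-B")
    return activity, registration


def blocked_domains(now: datetime) -> set[str]:
    """Return which of the demo domains would be blocked at time `now`."""
    activity, registration = build_demo_lists()
    candidates = ["new-shop.example", "parked-only.example", "old-domain.example"]
    return {d for d in candidates if should_block(d, now, activity, registration)}


if __name__ == "__main__":
    for t in (datetime(2024, 1, 1, 12, 0), datetime(2024, 1, 4, 12, 0), datetime(2024, 1, 6, 0, 0)):
        print(t.isoformat(), sorted(blocked_domains(t)))
```

Twelve hours after the registrations, both new domains are blocked by the registration-based rule alone, which is the gap the activity-based rule cannot close. By 2024-01-04 12:00 the registration windows for the two new domains have expired, yet new-shop.example is still blocked because its first resolution came a day after registration, and old-domain.example is blocked only because of the ownership change. After both windows expire nothing is blocked, which is the point at which the page says a domain judged malicious would move to other feeds.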