Archive for the ‘domain’ Category

Rent an IP, Own a Domain

January 10th, 2017 Comments off

The other day I was on a mission to locate a contact of mine that lived nearby. I had an address, but no phone, or email address. So I got the GPS out, programmed in the address, and away I went.

Arriving at the location, I turned into the driveway, and it was an apartment complex. Hmm, no apartment number…this is not as simple as I’d imagined it would be.
So I quickly knocked on a couple of doors and of course no one knew him. Back to square one.

I was thinking about this, and how it applied to how we look for badness on the Internet. We have all been trained that the Internet runs on IP addresses and that DNS is used to translate domain names to IP addresses. So why isn’t an IP address enough?

Try to imagine a delivery service that has a rule that won’t let it deliver packages to known criminal addresses. As a driver for that service, I have an address that gets flagged by our malicious address tracking service as being a known criminal address. The software that we use to set up our deliveries gets that feed, and now blocks my ability to deliver packages there. That all sounds really good and safe, except for one thing, that address is a high rise apartment building with over 500 legitimate residents that have done nothing to run afoul of the law. But now I’m not able to deliver their packages because our software is blocking my ability to do so.

So let’s see how we can apply this to the current state of the internet. Criminals are well aware of how they can hide their domains on a service that hosts lots of other good domains, and how effective it is to be able to hide amongst those non-malicious domains.

The quick answer as to why domain names are critical in hunting for malicious actors is HTTP 1.1. Before 1.1, an IP address was enough as there was a direct one-to-one relationship. Since HTTP 1.1, you can host multiple domains on a single IP address, and so much like my trip to the apartment complex without an apartment number, you need to have the domain to properly identify the domain that you’re looking for. Just like me not having an apt number to refine my search, not having a domain name means you are likely to hit the same dead end.

As you can see from the image below on a single IP address there are around 340,000 domains hosted.


Starting with HTTP 1.1, one server at one IP address can be multi-homed, i.e. the home of several Web domains. For example, “” and “” can live on the same server.

Several domains living on the same server is like several people sharing one phone: a caller knows who they’re calling for, but whoever answers the phone doesn’t. Thus, every HTTP request must specify which host name (and possibly port) the request is intended for, with the Host: header.

Many times I’ll see a post that says that IP address x.x.x.x is hosting an Exploit Kit, or has been compromised, and so I do a quick reverse IP lookup to find the domain name and see that there are 5, or 500 domains hosted on that IP. Therefore, I have to ask the author of the post which domain is the bad one.

The second reason is that the threat actors we’re searching for own the domain, but are renting the IP address that is hosting the site. “Rented IPs” can be changed when needed, for instance when they begin to notice that they aren’t getting the traffic they need, so they will move their domain to a different hosting provider, or to a different IP address at the same hosting provider. With DomainTools Iris, I can look up where they are currently hosted, and where they have been hosted previously. This is one of the ways the threat actors are looking to stay ahead of us, but with Iris we can begin to get ahead of them.

I know we’d all like to just be able to block at the IP level, as it is simple and quick, but with so many domains hosted at sites that can host hundreds, or thousand of domains, or that are behind a reverse proxy server like CloudFlare, we really need the domains to do a good search.

Our goal at the end of the day is to be able to get ahead of the threat actors by finding and monitoring all of their connected infrastructure.


Network Solution Is Stuffing .Design Domains Into Customers Accounts As “Brand Protection”

March 8th, 2016 Comments off

Network Solutions which stuffed .XYZ domain names into customers account for free, is at it again this time with the new gTLD .Design. Customers of Network Solutions are receiving notices that they are being given a free .Design domain, matching a domain name owned by the customer in a Network Solutions account, under the premise […]

The post Network Solution Is Stuffing .Design Domains Into Customers Accounts As “Brand Protection” appeared first on

89 of The Top 100 New gTLD Domain Holders Are From China

March 8th, 2016 Comments off

We have chatted about the growing influence of Chinese domain investors in the domain industry before, however today I checked out to review the top 100 largest holders of new gTLD domain names and found 89 of the top 100 domain holders are from China. That number gets even more dramatic when you take […]

The post 89 of The Top 100 New gTLD Domain Holders Are From China appeared first on

Rick Schwartz Sells

February 27th, 2016 Comments off

Rick Schwartz has sold the three number .Com domain name for an undisclosed price. Although the price was not disclosed Rick did tell that the “sale is several times larger than the largest current sale of the year.” According to, the top sale of 2016, as of publication is which sold […]

The post Rick Schwartz Sells appeared first on

.Pet Went Live On Tuesday & Has Over 5.4K Domains Registrations

February 25th, 2016 Comments off

The new gTLD .Pet went live into general availability (GA) on Tuesday where is could be registered on a first come, first served basis and according to .Pet has 5,428 domain name registered. There were less than 100 .Pet domain names registered before GA in Sunrise. Godaddy is charging $11.99 for a .Pet domain […]

The post .Pet Went Live On Tuesday & Has Over 5.4K Domains Registrations appeared first on

UDRP Filed on Two Letter .Com Domain

February 20th, 2016 Comments off

A UDRP has been filed on a two letter .Com domain name It appears the domain name was owned in 2014 by Cincinnati Bell Telephone/Fuse Internet then transferred into privacy in September 2014, then transferred to a Raymond Liu in August 2015 and then was transferred to another Chinese buyer in October 2015, and […]

The post UDRP Filed on Two Letter .Com Domain appeared first on

Domain Registration on Record Pace? Over 750K Added Yesterday Alone

February 19th, 2016 Comments off

Registrations of domain names seem to be going on at a record pace. Yesterday saw the number of domain registrations across all Top Level Domain (TLD) names have a net add of over 750,000 domains according to “Net Add” mean its the amount of domains registered less the number of domain names deleted. The […]

The post Domain Registration on Record Pace? Over 750K Added Yesterday Alone appeared first on

In Less Than 2 Years, .XYZ Passes 14 Year Old .BIZ to Become 4th Largest Domain Extension

February 18th, 2016 Comments off

The new gTLD domain name extension, .XYZ is which won’t be two years old until, June of this year, just surpassed the  domain extension .Biz which has been around since 2001 in the number of domain registrations. According to, .XYZ now has 2,369,039 domain name registered which passed .Biz which has 2,305,687 domains registered. […]

The post In Less Than 2 Years, .XYZ Passes 14 Year Old .BIZ to Become 4th Largest Domain Extension appeared first on

.Me Passes 1 Million Domain Name Registrations +28% in 2015

February 17th, 2016 Comments off

The .Me registry announced today that for the 1st time, the number of .Me domain registrations passed 1 Million domains. .Me is the country code or ccTLD for Montenegro. According to the Ministry for the Information Society and Telecommunications, the total number of registered domains amounted to 1,014,867, representing a whopping 28.36% annual growth in […]

The post .Me Passes 1 Million Domain Name Registrations +28% in 2015 appeared first on

.Com Tops 125 Million Domain Registrations

February 15th, 2016 Comments off

According to Verisign (VRSN) the registry for .Com, the number of .Com registration crossed the 125 million mark in the Domain Name Base. The active zone file is just over 124 Million domain names. The active zone file does not include domain names that are not configured for use, and those in client or server […]

The post .Com Tops 125 Million Domain Registrations appeared first on