Abstract
The domain name system (DNS) is a key component
of the Internet. The DNS is essentially a hierarchical and
distributed database that involves – and is operated by – many
independent parties that fulfill various roles. Top-level domains
such as .com and .co.uk are run by registries. Registrants can
register domain names, usually through so-called registrars, but
sometimes directly with the TLD registry.
Domain names go through a well-defined life-cycle, and names
that are only short-lived break expectations in some ways. In this
paper, we study domain name lifetimes at scale and over a
ten-year period. We focus on ten prominent TLDs and observe that
under most of them, the vast majority of lifetimes (95%) last exactly the
minimum registration term of one year. The exception to this
is .com, which sees 40% of lifetimes renewed for at least one
more year. We also identify lifetimes that are suspiciously
short-lived (e.g., 80% under .xyz). Using blocklist data, we confirm
that about 25% are reportedly malicious and study indicators of whether
names are taken down and how quickly. Finally, we empirically
study malicious name registration campaigns and show that these
involve registrars that offer bulk registration options.
Original language | English |
---|---|
Title of host publication | Proceedings of the 6th edition of the Network Traffic Measurement and Analysis Conference (TMA Conference 2022) |
Publisher | International Federation for Information Processing (IFIP) |
Number of pages | 9 |
ISBN (Electronic) | 978-3-903176-47-8 |
Publication status | Published - 27 Jun 2022 |
Event | 6th Network Traffic Measurement and Analysis Conference, TMA 2022 - University of Twente, Enschede, Netherlands; Duration: 27 Jun 2022 → 30 Jun 2022; Conference number: 6; https://tma.ifip.org/2022/ |
Conference
Conference | 6th Network Traffic Measurement and Analysis Conference, TMA 2022 |
---|---|
Abbreviated title | TMA 2022 |
Country/Territory | Netherlands |
City | Enschede |
Period | 27/06/22 → 30/06/22 |
Internet address |