Malicious actors exploit the DNS namespace to launch spam campaigns, phishing attacks, malware distribution, and other harmful activities. Combating these threats requires visibility into domain existence, ownership and nameservice activity that the DNS protocol does not itself provide. To facilitate visibility and security-related study of the expanding gTLD namespace, ICANN introduced the Centralized Zone Data Service (CZDS), which shares daily zone file snapshots of new gTLD zones. However, a remarkably high concentration of malicious activity is associated with domains that do not live long enough to make it into these daily snapshots. Using public and private sources of newly observed domains, we discover that even with the best available data there is a considerable visibility gap in detecting short-lived domains. We find that the daily snapshots miss at least 1% of newly registered, short-lived domains, which are frequently registered with likely malicious intent. In reducing this critical visibility gap using public sources of data, we demonstrate how more timely access to TLD zone changes can provide valuable data to better prevent abuse. We hope that this work sparks a discussion in the community on how to effectively and safely revive the concept of sharing Rapid Zone Updates for security research. Finally, we release a public live feed of newly registered domains, with the aim of enabling further research in abuse identification.
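The measurement the abstract describes, as an added illustration rather than the paper's own code: a daily snapshot diff can only see delegations that exist at snapshot time, so a domain added and deleted between two snapshots is invisible to it, while a newly-observed-domains (NOD) feed records the domain's first appearance. The example parses two constructed CZDS-style zone snapshots of a hypothetical TLD "example", treats a second-level name as registered when the zone carries NS records for it, and then splits a constructed NOD feed into domains that a later snapshot captured and domains no snapshot ever saw. Domain names, nameservers, timestamps and the feed are all made up; nothing here is the paper's data, and the 1% figure in the text is the paper's result, not something this example reproduces.

```python
from __future__ import annotations

from datetime import datetime


def parse_zone_snapshot(text: str, tld: str) -> set[str]:
    """Return the delegated second-level domains in a master-file zone snapshot.

    A domain exists in the TLD zone when the zone holds NS records for it.
    The apex SOA/NS and glue A/AAAA records are not registrations, so they
    are skipped. Owner names are case-insensitive, hence the lower().
    """
    tld = tld.lower().strip(".")
    delegated: set[str] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".")
        rest = [f.lower() for f in fields[1:]]
        # optional TTL and class precede the RR type
        while rest and (rest[0].isdigit() or rest[0] == "in"):
            rest.pop(0)
        if not rest or rest[0] != "ns":
            continue
        labels = owner.split(".")
        if len(labels) == 2 and labels[1] == tld:
            delegated.add(owner)
    return delegated


def snapshot_delta(prev: set[str], curr: set[str]) -> tuple[set[str], set[str]]:
    """What a daily snapshot diff alone can see: added and removed delegations."""
    return curr - prev, prev - curr


def visibility_gap(nod_feed, snapshots):
    """Split newly observed domains into snapshot-captured and snapshot-missed.

    nod_feed:  iterable of (domain, first_seen datetime)
    snapshots: list of (taken_at datetime, set of delegated domains)
    Returns (captured, missed, fraction_missed). A domain first seen after the
    newest snapshot cannot be judged yet and is left out of the fraction.
    """
    snapshots = sorted(snapshots, key=lambda s: s[0])
    newest = snapshots[-1][0]
    captured: set[str] = set()
    missed: set[str] = set()
    for domain, first_seen in nod_feed:
        domain = domain.lower().rstrip(".")
        if first_seen > newest:
            continue
        later = [names for taken_at, names in snapshots if taken_at >= first_seen]
        (captured if any(domain in names for names in later) else missed).add(domain)
    total = len(captured) + len(missed)
    return captured, missed, (len(missed) / total if total else 0.0)


# Constructed CZDS-style snapshots of the hypothetical TLD "example".
SNAP_DAY1 = """\
example.           3600 in soa ns1.nic.example. hostmaster.nic.example. 1 7200 900 1209600 3600
example.           3600 in ns  ns1.nic.example.
shop-a.example.    3600 in ns  ns1.host.example.
shop-a.example.    3600 in ns  ns2.host.example.
ns1.host.example.  3600 in a   192.0.2.10
"""
SNAP_DAY2 = """\
example.           3600 in soa ns1.nic.example. hostmaster.nic.example. 2 7200 900 1209600 3600
example.           3600 in ns  ns1.nic.example.
shop-a.example.    3600 in ns  ns1.host.example.
BLOG-B.example.    3600 in ns  ns1.host.example.
ns1.host.example.  3600 in a   192.0.2.10
"""
SNAPSHOTS = [
    (datetime(2024, 1, 1, 0, 0), parse_zone_snapshot(SNAP_DAY1, "example")),
    (datetime(2024, 1, 2, 0, 0), parse_zone_snapshot(SNAP_DAY2, "example")),
]
# Constructed NOD feed: domain and the time it was first observed in the zone.
NOD_FEED = [
    ("blog-b.example", datetime(2024, 1, 1, 9, 0)),        # still delegated at day-2 snapshot
    ("login-b4nk.example", datetime(2024, 1, 1, 10, 0)),   # added and dropped between snapshots
    ("acct-verify.example", datetime(2024, 1, 1, 22, 30)), # lived only a few hours
    ("newshop.example", datetime(2024, 1, 2, 5, 0)),       # newer than any snapshot: not judged
]

if __name__ == "__main__":
    added, removed = snapshot_delta(SNAPSHOTS[0][1], SNAPSHOTS[1][1])
    print("snapshot diff sees added:", sorted(added), "removed:", sorted(removed))
    captured, missed, frac = visibility_gap(NOD_FEED, SNAPSHOTS)
    print("captured:", sorted(captured))
    print("missed by every snapshot:", sorted(missed), f"({frac:.0%} of assessable)")
```

With the constructed data the snapshot diff reports a single new delegation, while the feed shows two more names that existed only between the two snapshots; those are exactly the short-lived registrations a daily-snapshot consumer never gets to inspect. When running this over real CZDS files, parse the full file rather than a slice, and treat the snapshot's generation time (not the download time) as `taken_at`, otherwise domains are wrongly counted as missed.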