
SecurityTrails Blog · Mar 12 · SecurityTrails team

Newly registered domain feeds


In the current digital era, information is power, and the Internet runs on two main things: domain names and IP addresses. Without both, there would be no way to reach online services.

We’ve talked about IP intelligence before, and how important it is for modern cybersecurity. Of similar importance are domain names and so-called “domain intelligence,” which includes critical information about domain names. A primary component of domain intelligence related to cybersecurity is newly registered domain names.

So… what are newly registered domains?

As the name implies, newly registered domains are domain names that were just registered, are brand “new,” and have never been registered by any previous owners.

So, if you’re asking yourself the question: “Where can I find a list of recently registered domains?” then you’ve landed in the right place.

Benefits of monitoring newly registered domains

Lists of recently registered domains can be used for multiple purposes, such as for marketing. They can aid in identifying and spying on your competition and their business plans.

And within the cybersecurity field, keeping your eyes on recently registered domains gives you the ability to detect and track suspicious domains that could be involved in malicious activities such as phishing, spam or malware campaigns.

With the huge number of domain registrations performed every day, it’s easy for almost anyone outside of the technical cybersecurity field to get caught up in fake domain campaigns and digital traps set by malicious actors.

Phishing, virus and malware campaigns use different domain generation algorithms to create new domain names every day. The good thing is that cybersecurity companies and SOC teams have multiple ways to track this down, and one of them is exploring newly registered domain databases and feeds, such as the one we offer here at SecurityTrails.

How can your company security team access the newly registered domain feeds?

SecurityTrails offers the most accurate and updated list of domain registration data in the form of a domain feed package, prepared to be downloaded and used at any time by security companies.

First things first: schedule a call with our sales team, so you can gain access to this enterprise solution.

Once you’ve signed up for the service, within the Console area you’ll find the Domain Feed option, where you can filter and fetch any domain feed you need such as:

  • All Domains
  • gTLDs Only
  • ccTLDs Only

Feeds option

While these lists are updated every day, they’re still static lists, so you can download them exactly as they’re presented on the interface.

However, if you need to find newly registered domain names you can use the ‘Generate a Custom Domain Feed Download’ option, which allows you to filter and customize your own feed download, including:

  • Registration Status
  • Top Level Domains (TLDs)
  • Date - Latest or select a date
  • Enrichments

For this example, we’ll simply choose these options:

  • Registration Status: New - first time ever registered domains
  • Top Level Domains: All (or choose the one you need)
  • Date: Latest
  • Click ‘Download’ to get the recently registered domain feed

The custom download configuration should look like this:

Custom download configuration

Once you are done, the interface will generate a .csv.gz binary file containing the desired information.
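The download is a static list; turning it into something actionable means parsing the file and picking out the names that matter to your organization. The following added Python example (not SecurityTrails code) reads a .csv.gz feed of the kind described above and flags entries that resemble a label you defend, using digit-for-letter normalization, substring matching and a small edit-distance check. It assumes the feed carries a header row with a `hostname` column, which is an assumption about the file layout; the five-row sample embedded below is constructed and the placeholder brand `examplebank` is not a real one.

```python
"""Triage a downloaded newly-registered-domain feed for look-alikes of names you defend.

Added example, not SecurityTrails code. It assumes the .csv.gz feed has a
header row with a 'hostname' column; the sample below is constructed, and the
real feed's column names may differ (change FIELD accordingly).
"""
import csv
import gzip
import io

FIELD = "hostname"
# Labels you want to watch for; 'examplebank' is a placeholder, not a real brand.
MONITORED_BRANDS = ("examplebank",)

# Constructed sample feed, gzip-compressed in memory to mirror the download format.
SAMPLE_FEED_GZ = gzip.compress(
    b"hostname,tld\n"
    b"example-bank-login.com,com\n"
    b"exampl3bank.net,net\n"
    b"gardening-tips.org,org\n"
    b"exanplebank.co.uk,co.uk\n"
    b"unrelatedshop.de,de\n"
)

# Digits commonly substituted for letters in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def read_feed(gz_bytes, field=FIELD):
    """Return the hostnames in a .csv.gz feed, lower-cased and de-duplicated, in file order."""
    seen, names = set(), []
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", encoding="utf-8", newline="") as fh:
        for row in csv.DictReader(fh):
            name = row[field].strip().lower().rstrip(".")
            if name and name not in seen:
                seen.add(name)
                names.append(name)
    return names


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(hostname, brands=MONITORED_BRANDS, max_distance=2):
    """Explain why a hostname resembles a monitored brand, or return None.

    Only the leading label is examined (no public-suffix handling), after
    mapping digit homoglyphs back to letters and dropping hyphens.
    """
    label = hostname.split(".")[0]
    normalized = label.translate(HOMOGLYPHS).replace("-", "")
    for brand in brands:
        if brand in normalized:
            return "contains '%s'" % brand
        if edit_distance(normalized, brand) <= max_distance:
            return "within edit distance %d of '%s'" % (max_distance, brand)
    return None


def triage(gz_bytes, brands=MONITORED_BRANDS):
    """Return (hostname, reason) pairs for feed entries worth a closer look."""
    hits = []
    for hostname in read_feed(gz_bytes, FIELD):
        reason = lookalike_reason(hostname, brands)
        if reason:
            hits.append((hostname, reason))
    return hits


if __name__ == "__main__":
    for hostname, reason in triage(SAMPLE_FEED_GZ):
        print(hostname, "->", reason)
```

Run it against a real download by replacing `SAMPLE_FEED_GZ` with the file's bytes. The edit-distance threshold of 2 is deliberately loose for an 11-character label and will over-match on short brand names, so tune `max_distance` per brand rather than globally.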

Supported TLDs

As you can see, we offer multiple ways to filter the type of TLD you need. Whether it’s all gTLD, all ccTLD, or merely a single type of TLD, we enable you to customize the download and get the data you’re seeking.

Are you curious about how many gTLDs and ccTLDS we support?

  • ccTLDs: 257 Country Code Top Level Domains, including popular ones such as .us .de .uk .nl .fr .cn and many more, as you see below:

gTLDs and ccTLDs support

  • gTLDs: When it comes to generic top level domains, we support up to 1299 gTLDs!

Using newly registered domain names for infosec research

Security companies and SOC teams use newly registered domain names for many different goals, and one of those is to prevent security incidents.

You can use our domain feeds to search, filter and manage the domain names to match your own needs, and then perform queries against our domain API endpoints to fetch important information such as: WHOIS, SSL data, Associated Domains, Statistics, Subdomains and more.

Performing a query against our domain endpoints is super easy, as it only requires an HTTPS connection from any client, including your own terminal.

WHOIS

For example, if you’ve detected malicious domains involved in malware, spam or virus distribution, you can easily get WHOIS data by using:

curl --request GET \
--url https://api.securitytrails.com/v1/domain/microsoft.com/whois \
--header 'apikey: your.api.key'

The result will be the instant WHOIS data about the domain:

{
  "updatedDate": "2014-10-15T04:00:12-0700",
  "status": "clientUpdateProhibited clientTransferProhibited clientDeleteProhibited serverUpdateProhibited server ...",
  "registrarName": "MarkMonitor, Inc.",
  "nameServers": [
    "ns4.msft.net",
    "ns2.msft.net",
    "ns1.msft.net",
    "ns3.msft.net"
  ],
  "expiresDate": "2021-05-02T21:00:00-0700",
  "endpoint": "/v1/domain/microsoft.com/whois",
  "domain": "microsoft.com",
  "createdDate": "1991-05-01T21:00:00-0700",
  "contacts": [
    {...},
    {...},
    {...}
  ],
  "contactEmail": "domains@microsoft.com"
}

DNS records

Malicious domains are always hosted somewhere, and you can get the full DNS map by querying our API as well. In this case, a simple query would reveal any type of DNS records, such as ‘A’ records as in the following example:

curl --request GET \
--url https://api.securitytrails.com/v1/domain/microsoft.com \
--header 'accept: application/json' \
--header 'apikey: your.api.key'

The API response:

{
  "hostname": "microsoft.com",
  "endpoint": "/v1/domain/microsoft.com",
  "current_dns": {
    "txt": {...},
    "soa": {...},
    "ns": {...},
    "mx": {...},
    "aaaa": {},
    "a": {
      "values": [
        {
          "ip_organization": "Microsoft Corporation",
          "ip_count": 37741,
          "ip": "104.215.148.63"
        },
        {
          "ip_organization": "Microsoft Corporation",
          "ip_count": 37734,
          "ip": "40.113.200.201"
        },
        {...},
        {...},
        {...}
      ],
      "first_seen": null
    }
  },
  "alexa_rank": 36
}

Subdomains

Phishing campaigns use a lot of subdomains to trick users with fake versions of popular banks, payment wallets, social networks and more. The ability to detect all subdomains of a newly registered domain name enables you to discover malicious campaigns quickly.

Our subdomain endpoint lets you do this easily by using:

Subdomain endpoints

In this case, the domain net16.net contained about 539 subdomains, including numerous phishing cases, such as subdomain.chase-reg.net16.net.

Associated domains

When malicious actors launch their campaigns they never use a single domain for the dirty job; they register multiple domains. What they don’t know is that we have ways to detect all the associated domains from a single apex domain, and run our intel tasks to reveal useful information that can lead to detecting other domains registered by the same person.

In this case, our API offers the associated domains endpoint. We launched this query against the torontoit.com domain that was involved in a recent malware campaign:

curl --request GET \
--url https://api.securitytrails.com/v1/domain/torontoit.info/associated \
--header 'apikey: your.api.key'

The output showed 27 associated domains related to the original domain:

Associated domains

IP neighbors

Bad actors often use IP addresses from the same network. The good thing is that our API offers you the possibility of detecting IP neighbors in mere seconds:

curl --request GET \
--url https://api.securitytrails.com/v1/ips/nearby/8.8.8.8 \
--header 'apikey: your.api.key'

IP neighbors

Discovering the IP neighbors lets you easily find associated sites involved in the same malicious campaign, or in different ones.
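The WHOIS, DNS, associated-domains and IP-neighbor sections above each show one curl call; in practice an analyst chains them for every domain the feed flagged and reduces the responses to a few triage fields. The following added Python example (not SecurityTrails code) does that with the standard library: it builds the same GET requests with the `apikey` header the curl commands use, and summarizes a WHOIS and a DNS response into registrar, domain age and current A-record IPs. The endpoint paths come from this page except `/domain/{d}/subdomains`, which is an assumption; `fetch_json`, `summarize` and the 30-day threshold are this example's own names, and the sample responses are constructed to mirror the shape of the page's JSON, not real API output.

```python
"""Enrich a flagged domain through the API endpoints shown above.

Added example, not SecurityTrails code. The WHOIS, DNS, associated-domains and
IP-neighbor paths are the ones this page's curl commands use; the
'/domain/{target}/subdomains' path is assumed. The sample responses are
constructed to mirror the shape of the JSON shown on the page.
"""
import json
import urllib.request
from datetime import datetime, timezone

API_BASE = "https://api.securitytrails.com/v1"
YOUNG_DOMAIN_DAYS = 30  # registrations newer than this get extra scrutiny (example threshold)

PATHS = {
    "whois": "/domain/{target}/whois",
    "dns": "/domain/{target}",
    "associated": "/domain/{target}/associated",
    "subdomains": "/domain/{target}/subdomains",  # assumed path, not shown on the page
    "nearby": "/ips/nearby/{target}",
}


def build_request(kind, target, api_key):
    """GET request carrying the 'apikey' header, as in the page's curl examples."""
    url = API_BASE + PATHS[kind].format(target=target)
    return urllib.request.Request(
        url, headers={"apikey": api_key, "accept": "application/json"}, method="GET"
    )


def fetch_json(request, opener=urllib.request.urlopen):
    """Perform the request and decode the JSON body (opener is injectable for tests)."""
    with opener(request, timeout=15) as resp:
        return json.load(resp)


def domain_age_days(whois, now):
    """Days since registration, parsed from createdDate (ISO-8601 with numeric offset)."""
    created = datetime.strptime(whois["createdDate"], "%Y-%m-%dT%H:%M:%S%z")
    return (now - created).days


def a_record_ips(dns):
    """Current A-record IPs from the current_dns.a.values structure."""
    values = dns.get("current_dns", {}).get("a", {}).get("values", [])
    return [entry["ip"] for entry in values]


def summarize(domain, whois, dns, now):
    """Collapse the two responses into the fields an analyst triages first."""
    age = domain_age_days(whois, now)
    return {
        "domain": domain,
        "registrar": whois.get("registrarName"),
        "name_servers": whois.get("nameServers", []),
        "age_days": age,
        "young": age <= YOUNG_DOMAIN_DAYS,
        "a_records": a_record_ips(dns),
    }


# Constructed sample responses (same keys as the page's JSON; values are made up,
# IPs are from the 203.0.113.0/24 documentation range).
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
SAMPLE_WHOIS = {
    "domain": "exanplebank.co.uk",
    "registrarName": "Constructed Registrar Ltd",
    "createdDate": "2024-03-08T00:00:00+0000",
    "nameServers": ["ns1.example.net", "ns2.example.net"],
}
SAMPLE_DNS = {
    "hostname": "exanplebank.co.uk",
    "current_dns": {
        "a": {"values": [{"ip": "203.0.113.10"}, {"ip": "203.0.113.11"}], "first_seen": None}
    },
}


if __name__ == "__main__":
    # Live use: whois = fetch_json(build_request("whois", domain, API_KEY)), and likewise for "dns".
    print(json.dumps(summarize("exanplebank.co.uk", SAMPLE_WHOIS, SAMPLE_DNS, NOW), indent=2))
```

The `opener` parameter exists so the parsing and age logic can be exercised offline; in production pass nothing and `urllib.request.urlopen` is used. A domain that is both a look-alike and only days old is the combination worth escalating first, which is why the summary carries `young` alongside the registrar and hosting IPs.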

Know that this is only a fraction of the true power of our API endpoints. There is a lot to discover, including WHOIS and DNS history, IP statistics, User-Agents per IP address, SSL certificates and much, much more.

As you can see, having access to both Domain Feeds and our API gives you the immense power to perform cybersecurity research against any newly registered domain name in seconds. Get in touch with our sales team, schedule a call and begin using our enterprise-grade domain feeds today.

Once you’re registered, we’ll provide you with full control panel access, where you’ll be able to manage all domain feed downloads and fetch regularly updated and accurate data 24 hours a day, seven days a week!