Forensic investigations are often fueled by Domain and DNS research. However, In order to harness the power of domain-based investigations, it’s imperative to understand the anatomy of domains. You’ll notice a short list of critical information regarding the origin of domain data is listed below:
5 Necessary Vocabulary Words:
Registrant: The entity that registers a domain (e.g. me, or DomainTools, or Yahoo)
Registrar: “An official responsible for keeping a register or official records.” (e.g. GoDaddy, eNom, EuroDNS)
Registry: “A place or office where registers or records are kept.” (e.g. Verisign, Neustar, Nominet)
A registry operator, sometimes also called a registry: maintains all administrative data of the domains generates the TLD zone filemay also fulfill the function of a domain name registrar, or may delegate that function to other entities
Registries contract with domain registrars to provide registration services to the public
Where ICANN Fits In:
ICANN is a part of the US Department of Commerce, whose responsibilities include:
National Telecommunications and Information Administration (NTIA)
ICANN: Internet Corporation for Assigned Names and Numbers
IANA: Internet Assigned Numbers Authority
The group that is held responsible for many of the data points that investigators use to move their invesitgations forward is the IANA, whose responsibilites include:
Domain names – administering the root nameservers
IP addresses – delegation of IP address allocations to the Regional Internet Registries (RIRs)
Protocol parameters – port numbers for protocols, recommended character encodings, Uniform Resource Indicator (URI) schemes
Time zone database – time zone differences and rules
IP Address Locations, IP Whois records, and ASN Assignments:
There are 5 Regional Internet Registries (or RIRs) that manage IP address locations, Whois records, and ASN assignments. These RIRs can also be sub-allocated to the National Internet Registries (NIRs). The RIRs and NIRs will then sub-allocate/delegate to the local internet Registries (LIRs) which tend to be ISPs, enterprises, or academic institutions.
Domain Statuses and the Domain Lifecycle:
Registration period: domains are now active, which means they can change nameservers, transfer registrars, host websites, spam and serve up malware
Auto renew grace period is around 30 days
Redemption period is between 14-30 days
Pending delete is close to 5 days
For more statuses visit the ICANN site
Top Level Domains:
There are four types of top level domains: Commercial, Sponsored, country code ccTLD, and new gTLDs. At this point, there are over 1000 TLD’s in existence, and this number continues to grow. Below is a quick breakdown of these TLD categories:
“Legacy” TLDs:
Generic commercial, old-school: .com, .net, biz, .mobi, .org, .info
Generic sponsored: .aero, .int, .pro, .jobs
Country Codes: .de, .it, .ch, .cn, .my, .za
Commercialized Country Codes: .co, .tk, .ly, .tv, .fm, .cc, .me
Oddballs: .mil, .gov
New Generics:
General: .guru, .club, .kred, .ninja, .business, .boats
Brands: .accenture, .icbc, .komatsu, .bmw, .neustar, .thd
Geographic: .nyc, .london, .alsace, .berlin
Oooookkaaayyy: .wtf, .blackfriday, .cyou, .frogans, .gmo, .qpon, .ceo, .rich, .red, .spreadbetting, .sucks, .vodka, .whoswho, .xyz
SLDs:
Many ccTLDs (and a few gTLDs) allow (or require) registration at the third-level:
<domain>.co.uk
<domain>.com.br
<domain>.warszawa.pl
<domain>.hk.com or <domain>.com.de (private subdomains)
Shameless plug: http://labs.domaintools.com/tld-stats/stats
Hopefully these brief definitions and descriptions about the origin of key domain information will help empower your security team to investigate potential threat actors and infrastructure. Please feel free to comment below with any questions!