Forensic investigations are often fueled by domain and DNS research. However, to harness the power of domain-based investigations, it’s imperative to understand the anatomy of domains. Below is a short list of critical information about where domain data originates:

5 Necessary Vocabulary Words:

Registrant: The entity that registers a domain (e.g. me, or DomainTools, or Yahoo)

Registrar: “An official responsible for keeping a register or official records.” (e.g. GoDaddy, eNom, EuroDNS)

Registry: “A place or office where registers or records are kept.” (e.g. Verisign, Neustar, Nominet)

A registry operator, sometimes also called a registry:

maintains all administrative data of the domains

generates the TLD zone file

may also fulfill the function of a domain name registrar, or may delegate that function to other entities

Registries contract with domain registrars to provide registration services to the public

Where ICANN Fits In:

ICANN is a part of the US Department of Commerce, whose responsibilities include:

National Telecommunications and Information Administration (NTIA)

ICANN: Internet Corporation for Assigned Names and Numbers

IANA: Internet Assigned Numbers Authority

The group responsible for many of the data points that investigators use to move their investigations forward is the IANA, whose responsibilities include:

Domain names – administering the root nameservers

IP addresses – delegation of IP address allocations to the Regional Internet Registries (RIRs)

Protocol parameters – port numbers for protocols, recommended character encodings, Uniform Resource Identifier (URI) schemes

Time zone database – time zone differences and rules

IP Address Locations, IP Whois records, and ASN Assignments:

There are 5 Regional Internet Registries (or RIRs) that manage IP address locations, Whois records, and ASN assignments. The RIRs can also sub-allocate to National Internet Registries (NIRs). The RIRs and NIRs then sub-allocate/delegate to Local Internet Registries (LIRs), which tend to be ISPs, enterprises, or academic institutions.

Domain Statuses and the Domain Lifecycle:

Registration period: domains are now active, which means they can change nameservers, transfer registrars, host websites, spam and serve up malware

Auto renew grace period is around 30 days

Redemption period is between 14-30 days

Pending delete is close to 5 days

For more statuses visit the ICANN site
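To apply these lifecycle figures in an investigation, the following added example (not part of the original post) works out which phases an unrenewed domain could have been in on a given date, treating the approximate durations above as ranges. The function names and the sample expiry date are constructed for illustration.

```python
from datetime import date, timedelta

# (phase, shortest_days, longest_days), using the approximate figures listed
# above. Assumption: real durations vary by registrar and TLD.
PHASES = [
    ("auto-renew grace", 30, 30),
    ("redemption", 14, 30),
    ("pending delete", 5, 5),
]
RELEASED = "released (open to re-registration)"


def lifecycle_windows(expiry: date):
    """Return ([(phase, earliest_start, latest_end)], earliest_drop, latest_drop)
    for a domain that is never renewed after `expiry`."""
    windows = []
    lo = hi = expiry
    for name, shortest, longest in PHASES:
        start = lo                       # earliest day this phase can begin
        lo += timedelta(days=shortest)
        hi += timedelta(days=longest)
        windows.append((name, start, hi))  # hi = latest day it can end
    return windows, lo, hi


def possible_phases(expiry: date, observed: date):
    """List every phase the domain could have been in on `observed`."""
    if observed < expiry:
        return ["registration period"]
    windows, earliest_drop, _ = lifecycle_windows(expiry)
    phases = [n for n, start, end in windows if start <= observed < end]
    if observed >= earliest_drop:
        phases.append(RELEASED)          # ownership may have changed by now
    return phases


if __name__ == "__main__":
    expiry = date(2024, 1, 1)            # constructed sample expiry date
    for day in (date(2023, 12, 1), date(2024, 2, 16), date(2024, 3, 10)):
        print(day, possible_phases(expiry, day))
```

If the released phase appears for the date of an observed event, the domain may have had a different registrant by then, so Whois data from before the expiry should be checked against historical records before it is tied to that event.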

Top Level Domains:

There are four types of top level domains: commercial, sponsored, country code (ccTLD), and new gTLDs. At this point, there are over 1000 TLDs in existence, and this number continues to grow. Below is a quick breakdown of these TLD categories:

“Legacy” TLDs:

Generic commercial, old-school: .com, .net, .biz, .mobi, .org, .info

Generic sponsored: .aero, .int, .pro, .jobs

Country Codes: .de, .it, .ch, .cn, .my, .za

Commercialized Country Codes: .co, .tk, .ly, .tv, .fm, .cc, .me

Oddballs: .mil, .gov

New Generics:

General: .guru, .club, .kred, .ninja, .business, .boats

Brands: .accenture, .icbc, .komatsu, .bmw, .neustar, .thd

Geographic: .nyc, .london, .alsace, .berlin

Oooookkaaayyy: .wtf, .blackfriday, .cyou, .frogans, .gmo, .qpon, .ceo, .rich, .red, .spreadbetting, .sucks, .vodka, .whoswho, .xyz


Many ccTLDs (and a few gTLDs) allow (or require) registration at the third-level:




<domain>.hk.com or <domain>.com.de (private subdomains)

Shameless plug: http://labs.domaintools.com/tld-stats/stats

Hopefully these brief definitions and descriptions about the origin of key domain information will help empower your security team to investigate potential threat actors and infrastructure. Please feel free to comment below with any questions!
