Towards more rigorous domain-based metrics: quantifying the prevalence and implications of “Active” Domains

The Domain Name System (DNS) is a critical component of the internet infrastructure. As such it is often the subject of various measurements with a view to quantifying different aspects of its use. Some of these measurements cover legitimate uses; however, identifying any threats associated with domain names has also become a vital task in enhancing DNS security. Current abuse metrics used for identifying malicious domains typically rely on the count of domains listed on Reputation Blocklists and are normalized by the size of the zone for registries or domains under management for registrars. However, these metrics are imprecise and do not account for whether the domain name is resolvable or serves active content. In this paper, we propose a novel approach to identify active domains, which account for domains that serve actual content under the control of the registrant. We demonstrate the proportions of inactive, active, and non-resolving domains across different samples of the name space. Our findings suggest that current normalized metrics are not necessarily giving a true picture of the underlying situation. By introducing a more precise classification system for domains, we show how this can lead to more reliable and robust metrics that can, for example, enhance DNS security by enabling a more thorough analysis of active domains. We also discuss the implications of these findings for registries and registrars, highlighting how they can use this information to combat domain abuse more effectively.