WhoisXML API, Palo Alto Networks & UC Santa Cruz: Analyzing TLD Abuse Trends with Registrar Data
About
Researchers from Palo Alto Networks and the University of California, Santa Cruz conducted a large-scale study examining how the reputation of top-level domains (TLDs) has evolved over time, particularly following ICANN’s expansion of the domain name system.
The research analyzed multiple generations of TLDs to understand how frequently they are associated with non-benign or malicious classifications. As part of this work, the researchers used WhoisXML API’s WHOIS API to obtain registrar information for domains, adding registrar-level context to support their estimation of defensive registrations.
Highlights
- WhoisXML API WHOIS data provided registrar information at scale for domain datasets.
- Registrar data enabled the mapping of domains to a curated list of registrars commonly used for defensive registrations.
- This context helped assess whether defensive registrations influenced observed TLD reputation patterns.
Assessing the Role of Defensive Registrations in TLD Reputation
To evaluate TLD reputation, the researchers needed to determine whether defensive registrations could explain the high share of low-content domains and resulting non-benign classifications observed in newer TLDs.
However, defensive registrations are not directly visible in DNS or passive data. Estimating their presence requires registrar-level context that can be applied consistently across large domain datasets.
Without this, it would be difficult to assess whether differences in TLD reputation were influenced by legitimate brand-protection activity or other factors.
Estimating Defensive Registrations with Registrar Data
To address this, the researchers incorporated WhoisXML API’s WHOIS API into their workflow.
Their methodology included:
- collecting large-scale domain datasets from DNS and other sources
- retrieving registrar information for domains using WHOIS API
- mapping domains to a curated list of registrars commonly used for defensive registrations (based on prior research), as a proxy for estimating defensive activity
This approach allowed them to estimate the share of domains likely associated with defensive registration activity and incorporate that context into their analysis.
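The mapping and estimation steps described above, as an added example that is not part of the original page and not the researchers' or WhoisXML API's own code. It assumes a constructed set of WHOIS results (domain to registrar name), a placeholder curated registrar list, and a hypothetical lookup_registrar() function standing in for a WHOIS API call. It also handles the two details an analyst runs into in practice: registrar names that differ only in case or whitespace, and domains for which no WHOIS record came back.

```python
"""Estimate the share of likely defensive registrations per TLD.

Added example, not code from the original page. Registrar names and domains
are constructed sample data; the curated list is a placeholder for the
research-derived list the page mentions.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for WHOIS API results (domain -> registrar name).
# "unlisted.xyz" is deliberately absent to simulate a lookup with no record.
SAMPLE_WHOIS: Dict[str, str] = {
    "brand-one.xyz": "Example Brand Protection Registrar",
    "brand-two.xyz": "  example brand protection   registrar ",  # messy casing/spacing
    "shop-deals.xyz": "Generic Retail Registrar Ltd",
    "free-prizes.xyz": "Generic Retail Registrar Ltd",
    "cheap-hosting.xyz": "Budget Hosting Registrar",
    "example.com": "Generic Retail Registrar Ltd",
    "corp-brand.com": "Example Brand Protection Registrar",
}

# Placeholder curated list of registrars used as a proxy for defensive
# (brand-protection) registrations. The real list comes from prior research.
DEFENSIVE_REGISTRARS = {
    "Example Brand Protection Registrar",
    "Another Corporate Registrar Inc",
}


def normalize(name: str) -> str:
    """Collapse whitespace and case so equivalent registrar names compare equal."""
    return " ".join(name.split()).casefold()


def tld_of(domain: str) -> str:
    """Return the rightmost label (assumes single-label TLDs; multi-label
    public suffixes such as co.uk would need a public suffix list)."""
    return domain.strip().rstrip(".").rsplit(".", 1)[-1].lower()


def lookup_registrar(domain: str) -> Optional[str]:
    """Hypothetical stand-in for a WHOIS API call; returns None if no record."""
    return SAMPLE_WHOIS.get(domain.lower())


def is_defensive(registrar: str, curated: Iterable[str] = DEFENSIVE_REGISTRARS) -> bool:
    """True if the registrar matches the curated list after normalization."""
    return normalize(registrar) in {normalize(r) for r in curated}


def estimate_defensive_share(
    domains: Iterable[str],
    curated: Iterable[str] = DEFENSIVE_REGISTRARS,
    lookup: Callable[[str], Optional[str]] = lookup_registrar,
) -> Dict[str, Dict[str, float]]:
    """Per TLD: total domains, domains with a known registrar, domains whose
    registrar is on the curated list, domains with no WHOIS record, and the
    defensive share computed over domains with a known registrar only."""
    stats = defaultdict(lambda: {"total": 0, "known": 0, "defensive": 0, "unknown": 0})
    curated = list(curated)
    for domain in domains:
        bucket = stats[tld_of(domain)]
        bucket["total"] += 1
        registrar = lookup(domain)
        if registrar is None:
            bucket["unknown"] += 1  # reported separately so uncertainty is visible
            continue
        bucket["known"] += 1
        if is_defensive(registrar, curated):
            bucket["defensive"] += 1
    for bucket in stats.values():
        bucket["share"] = bucket["defensive"] / bucket["known"] if bucket["known"] else 0.0
    return dict(stats)


if __name__ == "__main__":
    sample_domains = list(SAMPLE_WHOIS) + ["unlisted.xyz"]
    for tld, b in sorted(estimate_defensive_share(sample_domains).items()):
        print(f".{tld}: {b['defensive']}/{b['known']} known domains on defensive "
              f"registrars ({b['share']:.0%}), {b['unknown']} without a WHOIS record")
```

Computing the share over domains with a known registrar, while reporting the unknown count alongside it, keeps missing WHOIS records from silently deflating the estimate; an analyst can then decide whether the unknown fraction is small enough for the per-TLD share to be trusted.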
Validating TLD Reputation Trends with Registrar Context
By leveraging WhoisXML API’s WHOIS data, the researchers were able to better interpret domain activity patterns across TLDs.
Estimation of defensive registration activity
Registrar data enabled the researchers to estimate the share of domains associated with registrars commonly used for defensive registrations and measure their presence across TLDs.
Limited impact of defensive registrations
Registrar data analysis showed that domains associated with defensive registrars made up only a small fraction of newer TLDs. This helped confirm that elevated non-benign or low-content domain shares were not primarily driven by defensive registrations.