5/4/2021
06:35 PM

Newer Generic Top-Level Domains a Security 'Nuisance'

Ten years of passive DNS data shows classic TLDs such as .com and .net dominate newer TLDs in popularity and use.

A study into the use and popularity of the Internet's top-level domains (TLDs) over a 10-year period shows that many newer TLDs may present more of a security nuisance for organizations than anything else.

That's according to Farsight Security, which this week released a 182-page snapshot of top-level domain traffic associated with each of 1,576 TLDs recognized by the Internet Assigned Numbers Authority (IANA). The company's findings are based on passive DNS data from 2010 to 2019 and do not include DNSSEC-related records.


The dataset includes traffic associated with generic top-level domains, such as .com, .net, and .org; country-code TLDs, such as .uk, .ca, and .de; new generic TLDs, such as .aarp, .nba, and .abc; and internationalized domain names, or TLDs with non-Latin characters.

One of the main goals of the study was to get a general sense of how broadly popular — or not — various TLDs have become over the past 10 years. While .com is generally perceived as — and actually is — the largest TLD, there's less information on the uptake of other TLDs after IANA began recognizing a lot more of them in recent years, Farsight notes in its report.

"One aspect of this is to ask if it was a valuable extension of the namespace or a pointless nuisance" to add more TLDs in recent years, says Ben April, chief technology officer at Farsight Security. The data around TLD use suggests that the latter might well be the case, he says.

"Overall, the new TLDs aren't thriving," April says. Many have a user population and some even show signs of growth. Even so, there is no evidence of the broad migration to sector-specific TLDs that many had expected initially. "We don't see entire sectors — for example, banks — dropping .com as a primary TLD and refocusing on .bank."

From a security perspective, one concern with the growth in the number of TLDs over the past few years is that attackers have more opportunities to spoof domains for phishing, cybersquatting, and other malicious activities. For instance, by registering a popular brand's domain name on a newer generic TLD and sending phishing emails from there, an attacker might have more success in getting victims to part with credentials and other sensitive information. In a 2019 Proofpoint study, nearly 96% of organizations found an exact match of their brand-owned domain on other TLDs.

Concerns over the threat have prompted interest in so-called defensive registrations, where organizations register their domains, sometimes in varied spellings and formats, on different TLDs simply to prevent others from doing so for malicious purposes.

Varying Risks
What Farsight's data provides is a way for organizations to identify TLDs that present the biggest risk to their brand, April says. "When evaluating risks to your brand, the size of your target surface is directly proportional to the number of TLDs relevant to your brand," he says. "You need to evaluate each TLD to determine the level of risk it presents. This report gives you data to compare how much risk each new TLD represents."

April says the data shows that while some TLDs are likely to be worthy of concern for specific organizations, others can be safely ignored.

For example, TLDs such as .aero and .gov that have access limitations present less of a risk, as registrants need to prove their identity. "If you were an airline, you don't have to worry about an attacker registering myairline.aero," April notes. Open TLDs present more of a risk, but even here that risk varies with the relevance of the TLD. "For example, if I were a retailer, I would consider TLDs like .bargains, .blackfriday, .boutique, and .shop more of a risk than TLDs like .university, .travel, and .webcam," he says.

Organizations concerned about brand abuse on new TLDs should also do substring matching, April advises. This is where a TLD may contain part of an organization's domain or brand name. "As an example, if you have bobsyoga.com, you might also want to evaluate the value of a defensive registration for bobs.yoga," April says.

Another issue that organizations need to consider is whether TLDs have enough of a critical user base to justify accepting email from them. Decisions would need to be made on a case-by-case basis and after a careful evaluation of each TLD. "The decision to reject mail from an entire TLD is not one to be taken lightly," April says. "Organizations with a low risk tolerance and an identifiable customer/vendor base can use the data in this report to eliminate TLDs that add exposure to their security operations without also adding value."
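The triage April describes in the preceding paragraphs (exact-match and substring candidates for defensive registration, weighted by whether a TLD is restricted or relevant to the brand, and a per-TLD decision on whether to accept inbound mail) can be scripted. The following is an added example written for this article; it is not Farsight's code and does not use the report's figures. The TLD table, its volumes and the `restricted`/`relevant` flags are constructed sample values, and the risk labels and the `min_volume` threshold are assumptions chosen for illustration.

```python
"""Brand-exposure triage across TLDs (added example; constructed data, not Farsight's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TldInfo:
    name: str        # TLD label without the leading dot
    restricted: bool  # registrants must prove eligibility (e.g. .gov, .aero)
    relevant: bool    # sector relevance to this brand (assumption per organization)
    volume: int       # CONSTRUCTED passive-DNS observation count, NOT from the report


# Constructed sample table; the numbers are invented for illustration only.
TLDS = [
    TldInfo("com", restricted=False, relevant=True, volume=9_000_000),
    TldInfo("net", restricted=False, relevant=True, volume=2_000_000),
    TldInfo("yoga", restricted=False, relevant=True, volume=12_000),
    TldInfo("shop", restricted=False, relevant=True, volume=40_000),
    TldInfo("webcam", restricted=False, relevant=False, volume=3_000),
    TldInfo("aero", restricted=True, relevant=False, volume=15_000),
    TldInfo("gov", restricted=True, relevant=False, volume=80_000),
    TldInfo("abc", restricted=False, relevant=False, volume=50),
]


def tld_risk(tld: TldInfo) -> str:
    """Assumed risk scale: restricted TLDs cannot be squatted by an anonymous
    registrant, relevant open TLDs are the highest concern, the rest are low."""
    if tld.restricted:
        return "none"
    return "high" if tld.relevant else "low"


def exact_match_candidates(brand: str, tlds: list[TldInfo]) -> dict[str, str]:
    """brand.<tld> on every TLD, i.e. the exact-match case from the Proofpoint figure."""
    return {f"{brand}.{t.name}": tld_risk(t) for t in tlds}


def substring_candidates(brand: str, tlds: list[TldInfo]) -> dict[str, str]:
    """Substring case: the brand name ends with a TLD label, so the TLD can
    re-spell the brand (bobsyoga -> bobs.yoga)."""
    out = {}
    for t in tlds:
        if brand.endswith(t.name) and len(brand) > len(t.name):
            out[f"{brand[:-len(t.name)]}.{t.name}"] = tld_risk(t)
    return out


def defensive_registration_plan(brand: str, tlds: list[TldInfo],
                                owned: tuple[str, ...] = ("com",)) -> dict[str, str]:
    """Candidates worth evaluating, minus TLDs the brand already holds and
    restricted TLDs where an attacker could not register anyway."""
    plan = {**exact_match_candidates(brand, tlds), **substring_candidates(brand, tlds)}
    return {name: risk for name, risk in plan.items()
            if risk != "none" and name.rsplit(".", 1)[-1] not in owned
            or name in substring_candidates(brand, tlds) and risk != "none"}


def sender_tld(address: str) -> str:
    """Rightmost label of the sender's domain, case-folded, trailing dot removed."""
    if "@" not in address:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = address.rsplit("@", 1)[1].rstrip(".").lower()
    return domain.rsplit(".", 1)[-1]


def mail_policy(address: str, tlds: list[TldInfo], min_volume: int,
                partner_tlds: frozenset[str] = frozenset()) -> str:
    """Per-TLD inbound mail decision: accept restricted TLDs and TLDs where the
    organization has a known customer/vendor base, reject TLDs whose (constructed)
    observed volume is below the assumed threshold, and send unknown TLDs to review."""
    label = sender_tld(address)
    info = next((t for t in tlds if t.name == label), None)
    if info is None:
        return "review"
    if info.restricted or label in partner_tlds:
        return "accept"
    if info.volume < min_volume:
        return "reject"
    return "accept"


if __name__ == "__main__":
    for name, risk in sorted(defensive_registration_plan("bobsyoga", TLDS).items()):
        print(f"{name:20} {risk}")
    for addr in ("alice@studio.yoga", "bob@agency.gov", "eve@Example.ABC."):
        print(addr, "->", mail_policy(addr, TLDS, min_volume=1_000, partner_tlds=frozenset({"yoga"})))
```

Running the block lists `bobs.yoga` and `bobsyoga.shop` as high-risk candidates, `bobsyoga.webcam` as low, and drops `bobsyoga.aero` and `bobsyoga.gov` because the registrant would have to prove eligibility; the mail check accepts the .gov and partner .yoga senders and rejects the low-volume .abc one. Swap the constructed table for the report's per-TLD figures and your own relevance flags before using it for a real decision.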

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
