# Domain Threat Monitoring


## Why Monitoring Is Essential

Security controls reduce the probability and impact of domain attacks, but no defence is perfect. Monitoring is the layer that detects threats that get through, threats that are building but have not yet struck, and configuration drift that weakens your defences over time.

Effective domain threat monitoring answers four questions continuously:

1. Has anything changed with my domain's registration or DNS records?
2. Has anyone registered a domain that looks like mine?
3. Is anyone sending email that appears to come from my domain?
4. Is any infrastructure pointing to my domain behaving unexpectedly?

This guide covers each monitoring category, the signals to watch for, and the tools and workflows to use.

## 1. Domain Registration and DNS Change Monitoring

The most direct threat to your domain is unauthorized modification of its registration record or DNS. An attacker who gains access to your registrar account can change nameservers, update registrant contacts, initiate a transfer, or delete the domain. Even legitimate (accidental) changes by team members can cause outages.

**What to monitor:**

- Registrant name, email, and address changes.
- Nameserver changes.
- DNS record changes (A, MX, TXT, NS records).
- Domain lock status changes.
- Expiry date changes.
- WHOIS last-updated timestamp.

**How to monitor:**

Enable registrar email notifications for all account and domain changes. Most registrars support this in their notification preferences; make sure it is enabled and routed to an email address that is actively monitored.

For critical domains, supplement registrar alerts with third-party WHOIS monitoring tools that perform periodic queries and alert on any field change. Set the check interval to no more than 24 hours. Use WHOIS Lookup Tool for on-demand checks whenever you want to confirm current status.
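As an added example (not the page's or any vendor's tooling) of the registration and DNS change checks this section describes, the Python script below keeps a baseline of the watched WHOIS fields and of the A/MX/NS/TXT record sets and emits one alert per value that was added or removed. The field labels, the `example-brand.com` zone, the sample whois text and the DNS answers are constructed assumptions; the live path runs `dig +short` as the section suggests, while the offline path uses an injected fake resolver so the run is reproducible.

```python
"""Added example (not the page's tooling): snapshot-and-diff change detector
for the registrar fields and DNS record sets section 1 says to watch.
The whois text and DNS answers below are constructed samples."""
import re
import subprocess
from typing import Callable, Dict, List, Set

Snapshot = Dict[str, Set[str]]

# Registrar fields from the guide's list. Assumption: the registrar's whois
# output uses these common "Label: value" names (compared lower-cased).
WHOIS_FIELDS = {
    "registrant name", "registrant email", "name server", "domain status",
    "registry expiry date", "updated date",
}
RECORD_TYPES = ("A", "MX", "NS", "TXT")


def parse_whois(text: str) -> Snapshot:
    """Collect watched 'Label: value' lines; repeated labels (two Name Server
    lines, for instance) become a set so ordering differences never alert."""
    fields: Snapshot = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+?)\s*$", line)
        if m and m.group(1).strip().lower() in WHOIS_FIELDS:
            fields.setdefault(m.group(1).strip().lower(), set()).add(m.group(2).lower())
    return fields


def dig_short(name: str, rtype: str) -> List[str]:
    """Live resolver for the cron job the guide describes: `dig +short`."""
    proc = subprocess.run(["dig", "+short", name, rtype],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def snapshot_dns(name: str, resolve: Callable[[str, str], List[str]]) -> Snapshot:
    """One record set per type, normalised (lower case, trailing dot and
    blanks dropped) so answer order or case never produces a false alert."""
    snap: Snapshot = {}
    for rtype in RECORD_TYPES:
        values = {v.strip().lower().rstrip(".") for v in resolve(name, rtype)}
        snap[rtype] = {v for v in values if v}
    return snap


def diff_snapshot(baseline: Snapshot, current: Snapshot) -> List[str]:
    """Alert lines, one per value added to or removed from any watched key."""
    alerts: List[str] = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, set()), current.get(key, set())
        alerts += [f"{key}: ADDED {v}" for v in sorted(new - old)]
        alerts += [f"{key}: REMOVED {v}" for v in sorted(old - new)]
    return alerts


# ---- constructed samples standing in for real registrar / DNS output ----
BASELINE_WHOIS = """\
Domain Name: EXAMPLE-BRAND.COM
Registrant Name: Example Brand Ltd
Registrant Email: domains@example-brand.com
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Domain Status: clientTransferProhibited
Registry Expiry Date: 2027-01-01T00:00:00Z
Updated Date: 2024-06-01T00:00:00Z
"""
# Same record after an unauthorised change: contact email swapped, lock removed.
TAMPERED_WHOIS = (BASELINE_WHOIS
                  .replace("domains@example-brand.com", "unknown-mailbox@example.net")
                  .replace("clientTransferProhibited", "ok"))

BASELINE_ANSWERS = {
    ("example-brand.com", "A"): ["203.0.113.10"],
    ("example-brand.com", "MX"): ["10 mail.example-brand.com."],
    ("example-brand.com", "NS"): ["NS1.EXAMPLE-DNS.NET.", "ns2.example-dns.net."],
    ("example-brand.com", "TXT"): ['"v=spf1 include:_spf.example-brand.com -all"'],
}
# Harmless: same answers, reordered and re-cased by a different resolver.
REORDERED_ANSWERS = dict(BASELINE_ANSWERS)
REORDERED_ANSWERS[("example-brand.com", "NS")] = ["ns2.example-dns.net.", "ns1.example-dns.net."]
# Critical: NS2 replaced by a nameserver we never configured.
CHANGED_ANSWERS = dict(BASELINE_ANSWERS)
CHANGED_ANSWERS[("example-brand.com", "NS")] = ["ns-unknown.example.org.", "ns1.example-dns.net."]


def fake_resolver(table):
    """Offline stand-in for dig_short, keyed by (name, record type)."""
    return lambda name, rtype: list(table.get((name, rtype), []))


def check(name: str, whois_text: str, resolve) -> List[str]:
    """One monitoring run: compare registrar and DNS state against baseline."""
    baseline = {**parse_whois(BASELINE_WHOIS),
                **snapshot_dns(name, fake_resolver(BASELINE_ANSWERS))}
    current = {**parse_whois(whois_text), **snapshot_dns(name, resolve)}
    return diff_snapshot(baseline, current)


if __name__ == "__main__":
    for alert in check("example-brand.com", TAMPERED_WHOIS, fake_resolver(CHANGED_ANSWERS)):
        print("ALERT", alert)
```

Normalising each record type to a set (lower case, trailing dot stripped) is what keeps a daily cron check quiet when a resolver merely reorders answers, while still catching a swapped nameserver or a removed transfer lock. Treat it as a supplement to the registrar's own notifications, not a replacement for them.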
**DNS-specific monitoring:** Use a DNS monitoring service or set up automated queries (e.g., a cron job running `dig`) for your most important DNS records. Alert on any unexpected change to A, MX, NS, or TXT records. DNS changes that you did not make are a critical incident signal.

## 2. Look-alike Domain Monitoring

Typosquatting and brand-impersonation domains are often registered weeks before an attack launches. Detecting them early gives you time to take defensive action: filing takedown requests, flagging phishing infrastructure, or blocking them in your email security stack.

**What to monitor:**

- New registrations containing your brand name (as a substring or with common prefixes/suffixes: login-, secure-, my-, support-, -app, -verify).
- Common character substitutions (0 for o, 1 for l, rn for m, etc.).
- IDN homoglyphs using visually similar Unicode characters.
- Your domain registered under different TLDs.

**How to monitor:**

**Certificate Transparency (CT) logs** are one of the most valuable monitoring sources. Every publicly trusted SSL certificate issued for any domain is logged publicly in near real time. When an attacker sets up phishing infrastructure, they often request a certificate, creating a signal you can detect before the site goes live. Services like CertStream, Facebook's CT Monitor, and Cloudflare's CT log search let you subscribe to new certificate issuances matching name patterns.

**Newly Registered Domain (NRD) feeds:** Several threat intelligence providers publish feeds of newly registered domains, filterable by name pattern. Set up alerts for registrations containing your brand name.

**Passive DNS services:** Query passive DNS databases for domains that have recently pointed to your IP space or that resemble your domain.

## 3. Email Authentication and DMARC Reporting

DMARC aggregate reports provide direct visibility into email being sent with your domain in the From: address. This is a primary signal for phishing campaigns built on your brand.
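For the look-alike patterns listed in section 2 above, here is an added example (not the page's code) that classifies hostnames from a CT log or NRD feed against a protected brand label. The label `examplebrand`, the prefix/suffix lists and the small Cyrillic homoglyph table are assumptions, and the sample names are constructed.

```python
"""Added example (not the page's tooling): classify hostnames seen in a CT
log feed against a protected brand label using the patterns section 2
lists. Hostnames below are constructed; the homoglyph table is a small
illustrative subset of the Unicode confusables data."""
import unicodedata
from typing import List, Tuple

BRAND = "examplebrand"   # assumption: the registrable label you protect
BRAND_TLD = "com"
PREFIXES = ("login-", "secure-", "my-", "support-")
SUFFIXES = ("-app", "-verify")
# Substitutions the guide names (0/o, 1/l, rn/m). Note that "rn" -> "m" can
# also rewrite legitimate words; tune for your brand's false-positive budget.
SUBSTITUTIONS = {"0": "o", "1": "l", "rn": "m"}
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0456": "i"}  # Cyrillic look-alikes

R_TLD = "brand under another TLD"
R_SUBST = "character substitution or homoglyph of brand"
R_AFFIX = "brand with common prefix/suffix"
R_SUBSTRING = "brand as substring"
R_SUBDOMAIN = "brand as a subdomain label of another domain"


def to_unicode(hostname: str) -> str:
    """Decode punycode (xn--) labels so IDN homoglyphs can be compared."""
    try:
        return hostname.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return hostname


def normalize(label: str) -> str:
    """Fold a label onto the ASCII string it is trying to look like."""
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    for lookalike, original in SUBSTITUTIONS.items():
        label = label.replace(lookalike, original)
    return label


def classify(cert_name: str) -> str:
    """Reason the name resembles the brand, or "" if it does not."""
    host = to_unicode(cert_name.lower().lstrip("*."))   # wildcard certs too
    labels = host.split(".")
    if len(labels) < 2:
        return ""
    sld, tld = labels[-2], labels[-1]
    if sld == BRAND:                       # our own domain, or it on another TLD
        return "" if tld == BRAND_TLD else R_TLD
    norm = normalize(sld)
    if norm == BRAND:
        return R_SUBST
    if any(norm == p + BRAND for p in PREFIXES) or any(norm == BRAND + s for s in SUFFIXES):
        return R_AFFIX
    if BRAND in norm:
        return R_SUBSTRING
    if any(BRAND in normalize(lbl) for lbl in labels[:-2]):
        return R_SUBDOMAIN
    return ""


def scan(cert_names: List[str]) -> List[Tuple[str, str]]:
    """Keep only names worth an analyst's attention, with the reason."""
    return [(n, classify(n)) for n in cert_names if classify(n)]


# Constructed sample feed (the IDN entry is built here, not hand-encoded).
SAMPLE_CT_NAMES = [
    "www.examplebrand.com",                 # ours
    "*.examplebrand.com",                   # ours (wildcard)
    "examp1ebrand.com",                     # 1 for l
    "examplebrand.net",                     # other TLD
    "login-examplebrand.com",               # prefix
    "ex\u0430mplebrand.com".encode("idna").decode("ascii"),  # Cyrillic a
    "examplebrand.com.login-portal.net",    # brand as subdomain
    "exarnplebrand-verify.com",             # rn for m plus suffix
    "examplebrandsupport.co",               # substring
    "unrelated.org",
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_CT_NAMES):
        print(f"{name:40s} {reason}")
```

Feed it the domain names carried by a CertStream subscription or an NRD feed and route the hits into the triage queue; the reason string tells the analyst which pattern fired. Decoding punycode before comparing is the step most home-grown matchers miss, and it is what makes the IDN homoglyph case detectable at all.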
**What to monitor from DMARC reports:**

- Unknown sending sources (IPs not in your SPF record).
- Authentication failures from your legitimate sending infrastructure (misconfiguration signals).
- Volume spikes from unknown sources (phishing campaign activity).

Configure a `rua` (aggregate) email address in your DMARC record and review reports weekly. Use a DMARC report visualization tool to parse the XML automatically. Act on any unknown sources by identifying them (legitimate vs. malicious) and either authorizing them in SPF or reporting them as phishing infrastructure.

## 4. Uptime and Certificate Monitoring

Unexpected downtime or a certificate error can be the first visible symptom of a DNS hijacking or certificate substitution attack.

**Monitor:**

- HTTP status and content of your primary domain (alert if the response changes unexpectedly).
- SSL certificate validity, issuer, and expiry date.
- DNS resolution from multiple geographic locations (differences may indicate BGP hijacking or split-horizon poisoning).

**Set alert thresholds:**

- Alert immediately on any 5xx response or certificate error.
- Alert on certificate expiry at 30 days and 7 days.
- Alert on unexpected changes to the serving certificate's fingerprint or issuer.

## Monitoring Cadence

| Monitoring Type | Frequency | Method |
|---|---|---|
| DNS record check | Daily (automated) | Monitoring service / cron |
| WHOIS registrant check | Daily (automated) | Monitoring service |
| CT log alerts | Real-time | CT log subscription |
| DMARC report review | Weekly | Email / dashboard |
| NRD brand monitoring | Daily (automated) | Threat intel feed |
| Manual WHOIS audit | Monthly | WHOIS Lookup Tool |
| Full security posture review | Quarterly/Annual | Domain Security Checklist |

## Responding to Alerts

Monitoring is only valuable if you act on alerts. Define response workflows before you receive your first alert:

- Who receives monitoring alerts? (Not just one person; have a backup.)
- What is the escalation path for a confirmed incident?
- What registrar, hosting provider, and legal contacts do you need on hand?

When an alert fires, triage quickly: is this a false positive, an early warning, or an active incident? If active, move to Domain Incident Response Playbook immediately.
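Returning to the DMARC review in section 3, an added example (not the page's tooling): a parser that turns one aggregate report into the three signals listed there, namely unknown sources, failures from authorised infrastructure, and volume spikes. The report XML, the `example-brand.com` domain, the authorised network list (assumed to be your SPF record expanded into networks) and the spike threshold are all constructed assumptions.

```python
"""Added example (not the page's tooling): triage a DMARC aggregate (rua)
report for the signals section 3 lists. The report XML and the authorised
network list are constructed samples."""
# Reports arrive from third-party mail receivers, so the XML is untrusted
# input: use defusedxml in production; stdlib ET keeps this example offline.
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple

# Assumption: your SPF record, expanded to the networks it authorises.
AUTHORIZED_NETS = [ip_network("203.0.113.0/24")]
SPIKE_THRESHOLD = 1000   # messages from one unknown IP in one report period


class Finding(NamedTuple):
    source_ip: str
    count: int
    category: str   # ok | authorized-failing | unknown-passing | unknown-failing
    spike: bool


def analyse(report_xml: str, authorized=AUTHORIZED_NETS,
            spike_threshold=SPIKE_THRESHOLD) -> List[Finding]:
    """One Finding per <record>. DMARC passes when either aligned DKIM or
    aligned SPF passes, which is what policy_evaluated reports (RFC 7489)."""
    root = ET.fromstring(report_xml)
    findings: List[Finding] = []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip").strip()
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = "pass" in (dkim, spf)
        known = any(ip_address(ip) in net for net in authorized)
        if known:
            category = "ok" if passed else "authorized-failing"   # misconfiguration signal
        else:
            category = "unknown-passing" if passed else "unknown-failing"
        findings.append(Finding(ip, count, category, (not known) and count >= spike_threshold))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Message totals per category: the numbers a weekly review should track."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.category] = totals.get(f.category, 0) + f.count
    return totals


# Constructed aggregate report: one healthy sender, one authorised host
# failing (no DKIM signature yet), one high-volume stranger, one forwarder.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published><domain>example-brand.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example-brand.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>40</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-brand.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>5000</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-brand.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.9</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-brand.com</header_from></identifiers>
  </record>
</feedback>
"""

if __name__ == "__main__":
    results = analyse(SAMPLE_REPORT)
    for f in results:
        print(f"{f.source_ip:15s} {f.count:6d} {f.category}{'  SPIKE' if f.spike else ''}")
    print(summarize(results))
```

Authorised sources that fail are the misconfiguration signal to fix first (in the sample, a host inside the SPF range sending unsigned mail). Unknown sources that pass DKIM are usually mailing lists or forwarders and can be left alone; unknown sources that fail at volume are the phishing indicator to report, and the `spike` flag is what should page someone rather than wait for the weekly review.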
