Glacial DNS

The original working title for this was Ice Cube DNS, however given the glacial pace with which Namecheap move, taking an average of 47 hours to disable malicious websites [Source: NCSC], I decided it was a more apt name.

The idea is simple, providing yet another way to try and protect users of networks from becoming victims of scams willingly hosted by some service providers like Namecheap.

Most scam sites are up and running within a few hours (at most) of domain registration. The scammers are obviously expecting to get caught (Namecheap in particular maybe gives them a bit of an advantage in this area) and move on quickly, which leads me to wonder...

Who actually needs to access a new domain name other than the owner of that domain?

Think about it. A new domain name is almost never going to be providing services to the public straight away. It will be poked and prodded at by numerous designers, web developers, marketing people, testers etc before being made generally available. And all these people will have access to easily control their own DNS.

Therefore, by default, why don't ISPs simply block traffic to "new" domain names for a short period of time, even 24-48 hours. It seems unlikely that it would impact most 'general' internet users but it would reduce the effectiveness of almost all of these new scams.

So my experiment in this for now is nicknamed Glacial DNS. Basically it's a hacked-together DNS resolver that checks if a domain has been seen before and, if so, returns DNS normally.

If the domain has not been seen before, it performs a WHOIS query (this does delay the query a little of course the first time), and if it has been registered in the last 48 hours it blocks the name and sets a key in Redis with an expiry time of the registration date + 48 hours.

Sure, it removes the immediacy of domain names, but for 99% of people (and probably 100% of those most likely to be vulnerable to being scammed) do they really need access to a website within hours of its creation? I expect not.