
User-controlled subdomains of top domains #254

Open
mosajjal opened this issue Nov 15, 2023 · 3 comments

Comments

@mosajjal

Hi,

The title might be a bit out of context. I'm looking for a list that has all the domains (possibly well-known ones) that offer user-controlled subdomain content, e.g.:

workers.dev
r2.dev
herokuapp.com
azurewebsites.net

These domains are very popular in phishing, and having this list will allow the analyst to resort to "newly observed subdomain" through passive DNS data and determine if the subdomain is new or not.

Looked around and didn't see anything similar to this. Any ideas?

@adulau
Member

adulau commented Nov 29, 2023

It's a very good question. It's kind of the dynamic-DNS list but more for SaaS and alike. I'm not aware of such a list; maybe we could start one in the misp-warning-lists.

@cxcorp

cxcorp commented Dec 12, 2024

The Public Suffix List contains all name suffixes under which an internet user can, or at some point could, register names. Both Chrome and Firefox use this list. It contains both the ICANN top-level domains etc., as well as private domains under which users can register domains, including workers.dev, r2.dev, herokuapp.com, and thousands more.

https://github.com/publicsuffix/list/blob/54119e116bb0dc5be5b1c0f4218eaa057db17d92/public_suffix_list.dat#L12448-L12449

https://github.com/publicsuffix/list/blob/54119e116bb0dc5be5b1c0f4218eaa057db17d92/public_suffix_list.dat#L13651-L13653

You would just need to filter the file to remove the ICANN names and select only the private domains after `// ===BEGIN PRIVATE DOMAINS===`.

@mosajjal
Author

This is awesome, thanks for sharing. I think it's worth it to create a small script to translate this into a warninglist format and update it daily/weekly as well. But it looks like the work is (mostly) done!
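A script of the kind suggested above, as an added example that is not part of this thread or of the misp-warning-lists project: it keeps only the entries after `// ===BEGIN PRIVATE DOMAINS===` (dropping comments, exception rules and the `*.` wildcard prefix) and shapes them as warninglist-style JSON. The sample PSL text is constructed and abridged, and the warninglist field names are an assumption to check against the repository's existing lists.

```python
import json
from datetime import date

BEGIN_PRIVATE = "// ===BEGIN PRIVATE DOMAINS==="
END_PRIVATE = "// ===END PRIVATE DOMAINS==="

# Constructed, abridged sample in the real file's layout: ICANN section first,
# then the private section with comments, wildcard ('*.') and exception ('!') rules.
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Cloudflare, Inc. : https://www.cloudflare.com
workers.dev
r2.dev
herokuapp.com
*.example-paas.test
!www.example-paas.test
// ===END PRIVATE DOMAINS===
"""

def private_suffixes(psl_text: str) -> list[str]:
    """Suffixes from the private section only: comments and exception rules
    are dropped, wildcard rules are reduced to their parent suffix."""
    out, in_private = set(), False
    for raw in psl_text.splitlines():
        line = raw.strip()
        if line == BEGIN_PRIVATE:
            in_private = True
            continue
        if line == END_PRIVATE:
            break
        if not in_private or not line or line.startswith(("//", "!")):
            continue
        if line.startswith("*."):
            line = line[2:]
        out.add(line.lower())
    return sorted(out)

def build_warninglist(suffixes: list[str]) -> dict:
    """Wrap the suffixes in a warninglist-style document (field names assumed)."""
    return {
        "name": "List of Public Suffix List private domains",
        "description": "Suffixes under which third parties can register their own subdomains",
        "version": int(date.today().strftime("%Y%m%d")),
        "type": "hostname",
        "matching_attributes": ["hostname", "domain", "url", "domain|ip"],
        "list": suffixes,
    }

print(json.dumps(build_warninglist(private_suffixes(SAMPLE_PSL)), indent=2))
```

For the real file, replace `SAMPLE_PSL` with the downloaded `public_suffix_list.dat` contents; the marker lines are the same.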
