How to Create a Domain Feed for Monitoring
Learn how to configure a Domain Feed in DigitalStakeout to track suspicious or unauthorized domain registrations, subdomains, and hostnames in real time.
How to Configure a Domain Feed for Monitoring
The Domain Feed allows you to monitor for new and existing domains and hostnames based on your target criteria. It’s commonly used to detect emerging threats such as typosquatting, impersonation, shadow infrastructure, and unauthorized subdomains.
This tool is ideal for:
- Brand protection
- Digital footprint surveillance
- Attack surface management
- Early detection of phishing or malicious registrations
🛠️ How to Create a Domain Monitor
1. Define What You Want to Track
Enter values related to:
- Brand names or abbreviations
- Executive or product names
- Variations or common misspellings
- Threat actor names or personas
You can use keywords, domain fragments, or wildcards.
2. Set Monitor Status
- Enabled: Actively watches for matching records
- Disabled: Keeps configuration without scanning
3. Choose Monitoring Sources
Source | What It Covers |
---|---|
Registered Domains | Newly registered domains from WHOIS |
Forward DNS Hostnames | Subdomains & hostnames from DNS lookups |
Certificate Transparency Logs | New SSL certs revealing emerging domains |
4. Select Domain Protection Options
Option | Description |
---|---|
Typosquat Protection | Detects similar-looking (homoglyph) domain variants |
Subdomain Detection | Flags unauthorized or suspicious subdomains |
Name Server Monitoring | Watches activity tied to specific NS records |
ASN Use Detection | Monitors domains operating within specific ASN ranges |
IP Address Monitoring | Detects domains tied to given IPv4 CIDR blocks |
5. Customize Settings
Setting | Purpose |
---|---|
Typosquat Level | Control detection strictness (Moderate, Aggressive, etc.) |
Wildcard Prefix | Enable right-sided wildcard scanning (*example.com) |
CIDR Blocks | Add IPv4 ranges for reverse IP monitoring |
AS Numbers / NS | Specify name servers or ASNs of concern |
🧩 Best Practices
- Regularly update keywords to reflect emerging risks
- Align CIDR/IP monitoring with your infrastructure and third-party vendors
- Enable alerting thresholds to avoid noise
- Coordinate domain feeds with other modules (e.g., Presence Feed, Chatter)
Combine Domain Feed with Keyword Feed for full visibility into domain mentions + activity.
Data Source Reference
Domain Feed leverages data from DigitalStakeout Footprint, a continuously updated index of domain registrations, DNS records, certificates, and infrastructure signals.
Example Scenarios
- 🎯 Detect a new examp1e-support.com phishing site impersonating your support domain
- 🧪 Flag subdomains like vpn-login.example.biz outside your owned namespace
- 👀 Watch for SSL certs issued using a typo of your product brand
- 🔍 Identify domains hosted on infrastructure previously used by known attackers
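The first two scenarios above can be triaged with a short script once hostnames are exported from any feed. This is an added example, not DigitalStakeout's code or matching logic; the look-alike map, the label names, the one-edit threshold and the sample hostnames are constructed assumptions.

```python
import re

# Constructed, deliberately small look-alike map (assumption); real tables are larger.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(token):
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    return token.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname, brand, owned):
    """Return a hypothetical triage label for one observed hostname, or None."""
    host = hostname.lower().rstrip(".")
    # Anchor on the label boundary so 'example.com.evil.net' is not treated as owned.
    if any(host == d or host.endswith("." + d) for d in owned):
        return "owned"
    tokens = [t for t in re.split(r"[.\-_]", host) if t]
    if brand.lower() in tokens:
        return "brand-outside-namespace"
    target = skeleton(brand)
    for tok in tokens:
        sk = skeleton(tok)
        if sk == target:
            return "homoglyph"
        # Only allow one edit on longer brands; short names match too much.
        if len(target) >= 5 and edit_distance(sk, target) == 1:
            return "near-miss"
    return None

def triage(feed, brand, owned):
    """Keep only hostnames that need review, mapped to their label."""
    labels = {h: classify(h, brand, owned) for h in feed}
    return {h: l for h, l in labels.items() if l not in (None, "owned")}

# Constructed sample of hostnames as they might arrive from WHOIS, DNS or CT sources.
SAMPLE_FEED = ["www.example.com", "examp1e-support.com", "vpn-login.example.biz",
               "example.com.evil.net", "exmple.net", "weather.org"]

if __name__ == "__main__":
    for host, label in triage(SAMPLE_FEED, "example", {"example.com"}).items():
        print(f"{label:24} {host}")
```

The owned-namespace check runs first so that legitimate hosts never reach the fuzzy comparison, which keeps alert volume down.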
For coverage, retention policy, and integration options, visit DigitalStakeout XTI Data Coverage.