Netskope Global Technical Success (GTS)
Best Practices - Newly Registered Domains (NRDs)
Netskope Cloud Version - 125
Objective
What are the recommended best practices in Netskope for handling Newly Registered Domains (NRDs)?
Prerequisite
SWG or Next-Gen SWG License
Context
Newly Registered Domains (NRDs) are often used in malicious campaigns, including phishing, malware distribution, and command-and-control communications, as they typically have little to no reputation history. Given their potential risk, it is critical to implement appropriate controls and policies.
Do You Know?
- As of May 09, 2025, Netskope maintains a set of 132 predefined web categories, with every internet destination classified into one of these categories. List of Netskope predefined web categories - Link
- What are Newly Registered Domains?
Domains registered for the first time or changed ownership in the last 30 days. Threat actors like to use newly registered URLs for malevolent activities, such as malware hosting and phishing campaigns.
- What are Newly Observed Domains?
Domains observed as active in the last 30 days. NODs are similar to NRDs, but they were not necessarily registered in the last 30 days. Threat actors might register a domain and leave it dormant for a period of time to avoid NRD classification. Later, they can use the domain for malicious activities, such as malware hosting and phishing.
- If a domain is registered on the internet today, how long does it take for that domain to be categorized?
- Netskope employs its own engines for URL scanning and also collaborates with globally recognized partners who provide live feeds on newly registered domains.
- Newly registered domains are detected almost immediately, especially if flagged by threat intelligence sources, typically within minutes to hours.
- By default, Netskope classifies new domains as 'NRD' (Newly Registered Domain) for the first 30 days until a customer chooses to recategorize the domain to a non-security risk category.
- What are Netskope recommendations for Newly Registered Domains (NRDs)?
| | Option 1 (Recommended) | Option 2 |
|---|---|---|
| Solution | Route NRD traffic to Netskope Remote Browser Isolation (RBI) | Block Web category ‘Newly Registered Domain’ |
| Policy Action | Isolate | Block |
| License Needed | Remote Browser Isolation (RBI) | SWG or Next-Gen SWG |
| Notes | The RBI license has an additional cost attached | |
- Apart from the web category NRD, what other similar web categories should be blocked?
A few web categories are similar in nature to the NRD category:
- Newly Observed Domain (NOD)
- Uncategorized
- No Content
- Parked Domains
For details about the above web categories - Link
Configuration
- Realtime Protection Policy Configuration
Option 1
Path: Netskope Tenant UI >>> Policies >>> New Policy >>> RBI
All about RBI - Link
Option 2
Path: Netskope Tenant UI >>> Policies >>> New Policy >>> Web Access
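Once either option is configured, it is worth confirming that no earlier rule shadows it for NRD and the similar categories listed above. The following is an added example, not Netskope code or a Netskope export format: the rule dictionaries, their field names and the sample rule names are hypothetical, and it assumes rules are evaluated top-down with the first enabled match deciding the action.

```python
# Added example: audits a constructed, hypothetical policy list.
# Field names and rule names are assumptions, not a Netskope API or export format.
RISKY_CATEGORIES = [
    "Newly Registered Domain",
    "Newly Observed Domain",
    "Uncategorized",
    "No Content",
    "Parked Domains",
]
PROTECTIVE_ACTIONS = {"isolate", "block"}  # the two policy actions recommended above

# Constructed sample, ordered top-down as the rules would sit in the policy list.
SAMPLE_POLICIES = [
    {"name": "Isolate NRD", "type": "RBI", "enabled": True,
     "categories": ["Newly Registered Domain"], "action": "Isolate"},
    {"name": "Allow research", "type": "Web Access", "enabled": True,
     "categories": ["Uncategorized"], "action": "Allow"},
    {"name": "Block risky", "type": "Web Access", "enabled": True,
     "categories": ["Newly Observed Domain", "Uncategorized", "Parked Domains"],
     "action": "Block"},
    {"name": "Block no content (draft)", "type": "Web Access", "enabled": False,
     "categories": ["No Content"], "action": "Block"},
]

def effective_action(policies, category):
    """Return (rule name, action) of the first enabled rule listing the category."""
    for rule in policies:
        if rule.get("enabled", True) and category in rule["categories"]:
            return rule["name"], rule["action"]
    return None, None

def audit(policies, categories=RISKY_CATEGORIES):
    """Map each risky category that is not isolated or blocked to the reason why."""
    findings = {}
    for category in categories:
        name, action = effective_action(policies, category)
        if action is None:
            findings[category] = "no rule covers this category"
        elif action.lower() not in PROTECTIVE_ACTIONS:
            findings[category] = f"shadowed by '{name}' with action {action}"
    return findings

if __name__ == "__main__":
    for category, problem in audit(SAMPLE_POLICIES).items():
        print(f"GAP  {category}: {problem}")
```

In the constructed sample, 'Uncategorized' is reported because an Allow rule sits above the Block rule, and 'No Content' is reported because its only rule is disabled.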
Author Notes
- It is recommended to review Best Practices - Managing RealTime Policy Structure
- For the recategorization of any domain -
Path: Netskope Tenant UI >>> Skope IT >>> URL Lookup
or
- Raise a support case with Netskope Customer Service
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.