Janos Szurdi (Palo Alto Networks), Reethika Ramesh (Palo Alto Networks), Ram Sundara Raman (University of California Santa Cruz), Daiping Liu (Palo Alto Networks)
Over the past decade, ICANN’s New gTLD Program has dramatically expanded the DNS namespace, raising persistent concerns about its security implications as another round of applications approaches in 2026. In this paper, we present a large-scale, longitudinal study of both malicious and benign domain usage across four generations of gTLDs—legacy, first-wave, second-wave, and third-wave—alongside country-code TLDs. Using four years of data (2021 to 2025) collected from multiple sources, including zone files, active DNS measurements, passive DNS feeds, and domain categorizations from a leading global cybersecurity vendor, we develop three reputation metrics to capture utilization trends: the malicious ratio, the malicious-to-benign ratio, and the non-benign ratio.
Our analysis shows that newer gTLD generations are substantially more malicious and significantly less utilized for benign purposes than legacy TLDs. Compared to legacy gTLDs, newer generations exhibit malicious-to-benign ratios that are 3.1–9.2× worse, with these ratios worsening rapidly over time: up to 50× growth in malicious-to-benign ratios within four years for the newest gTLDs. We examine contributing factors to show that lower pricing, higher popularity, and certain TLD categories are strongly associated with worse reputation, while defensive registrations account for only a negligible fraction of domain registrations. Finally, we identify a small number of sponsoring organizations that disproportionately operate gTLDs with severe abuse. Our results underscore the need for continued scrutiny and rigorous evaluation of new gTLDs.
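The following is an added example, not code from the paper, showing how the three reputation metrics can be computed per TLD and per year from domain categorization records and how a growth factor between two years falls out of them. The abstract names the metrics but does not give their formulas, so the definitions below (malicious over all categorized domains, malicious over benign, and everything not benign over all categorized domains) are assumptions, as are the sample records, the `tld_of`/`reputation`/`growth` helper names, and the toy mapping of `.com` and `.xyz` to generation labels.

```python
"""Per-TLD reputation metrics over yearly domain categorizations.

Added example, not from the paper. Metric definitions are assumed:
  malicious ratio           = malicious / categorized
  malicious-to-benign ratio = malicious / benign
  non-benign ratio          = (categorized - benign) / categorized
where "categorized" counts every domain observed in the TLD that year,
including domains with no verdict ("unknown").
"""
from collections import Counter, defaultdict


def tld_of(domain: str) -> str:
    """Rightmost label of a (possibly FQDN-dotted) name, lower-cased."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def count_by_key(records, key):
    """{(key(domain), year): Counter(category -> n)} for (domain, year, category) records."""
    counts = defaultdict(Counter)
    for domain, year, category in records:
        counts[(key(domain), year)][category] += 1
    return counts


def metrics_from_counts(c):
    """The three assumed ratios from one Counter of categories."""
    total = sum(c.values())
    benign, malicious = c["benign"], c["malicious"]
    return {
        "malicious_ratio": malicious / total if total else None,
        # Undefined when a TLD has no benign domains at all.
        "mal_to_benign": malicious / benign if benign else None,
        "non_benign_ratio": (total - benign) / total if total else None,
    }


def reputation(records, key=tld_of):
    """Metrics per (group, year); group by TLD by default, or by any key(domain)."""
    return {k: metrics_from_counts(c) for k, c in count_by_key(records, key).items()}


def growth(rep, group, metric, start, end):
    """Factor by which `metric` changed for `group` between two years (None if undefined)."""
    a = rep.get((group, start), {}).get(metric)
    b = rep.get((group, end), {}).get(metric)
    if a is None or b is None or a == 0:
        return None
    return b / a


# Constructed sample records (not real measurements); counts chosen for clean arithmetic.
def _synth(tld, year, benign, malicious, unknown):
    recs = []
    for cat, n in (("benign", benign), ("malicious", malicious), ("unknown", unknown)):
        recs += [(f"{cat}-{i}.{tld}", year, cat) for i in range(n)]
    return recs


SAMPLE = (
    _synth("com", 2021, 8, 1, 1) + _synth("com", 2025, 8, 1, 1)
    + _synth("xyz", 2021, 4, 2, 4) + _synth("xyz", 2025, 2, 5, 3)
)

# Hypothetical generation labels for the aggregate view; the paper's own
# assignment of TLDs to waves is not reproduced here.
GENERATION = {"com": "legacy", "xyz": "new"}


if __name__ == "__main__":
    per_tld = reputation(SAMPLE)
    per_gen = reputation(SAMPLE, key=lambda d: GENERATION[tld_of(d)])
    for k in sorted(per_tld):
        print(k, per_tld[k])
    for k in sorted(per_gen):
        print(k, per_gen[k])
    print("xyz mal_to_benign growth 2021->2025:",
          growth(per_tld, "xyz", "mal_to_benign", 2021, 2025))
```

With the constructed counts, `.com` stays flat while `.xyz` moves from a malicious-to-benign ratio of 0.5 to 2.5, a 5× growth; the same `reputation` call with a generation-keyed grouping yields the per-wave comparison the abstract reports. Domains without a verdict count toward the non-benign ratio but not the malicious ratio, which is why the two metrics diverge for sparsely categorized TLDs.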