Digital Risk Intelligence: Download Domain Lists by TLD

Introduction

In a world where brand abuse and phishing campaigns ride on the back of domain names, digital risk intelligence programs rely on reliable access to bulk domain data. Security teams routinely seed alerts, train models, and monitor registrations that could impersonate a brand. Yet raw lists are not enough, you must understand how to access them legally, how to interpret them accurately, and how to weave them into an ongoing risk workflow that scales. This article explains how to think about domain lists by TLD (top-level domain), with a candid look at the realities around .my, .no, and newer TLDs such as .cfd, and what that means for brand protection practitioners.

Understanding domain lists and why they matter

Domain lists come in multiple formats, and the right format depends on your risk model and compliance constraints. The classic format is a zone file - a snapshot of registered domains under a given TLD at a specific moment. Zone files are powerful for bulk checks and long-tail trend analyses, but access is not universal. ICANN’s Centralized Zone Data Service (CZDS) is the centralized gateway for requesting zone files from participating generic TLD registries, subject to vetted use cases and contractual agreements. For practitioners building digital risk intelligence capabilities, CZDS represents a reliable, policy-aligned path to large-scale domain data for gTLDs. See ICANN’s CZDS overview for how access is requested and managed. ICANN CZDS and the Zone File Access policy pages provide practical context on how access is granted and what obligations come with it.

Beyond CZDS, the broader data picture includes WHOIS and RDAP records, which describe registration details such as registrant organization, contact points, and domain lifecycle information. As the industry gradually shifts toward RDAP (Registration Data Access Protocol) for standardization and privacy improvements, organizations often blend RDAP lookups with zone-file-derived lists to validate candidates and enrich risk signals. The RDAP transition is documented in policy and governance discussions, and the IANA/RDAP ecosystem provides the bootstrap and discovery mechanisms that locate the right RDAP server for each TLD. For a concise overview of RDAP, see the ICANN CZDS documentation and related policy discussions, which frame how bulk zone data and individual lookups fit together in a risk program.

Accessing bulk domain lists by TLD: what is possible?

For many security and risk teams, bulk access to domain data starts with CZDS for generic TLDs such as .com, .net, and .org. The path typically looks like this: apply for access through CZDS, obtain approval from the registry operator, and then download the latest zone files on a cadence that matches the data refresh rate of that TLD. Zone files are updated periodically (often daily for active TLDs) and can be large files that require robust data processing pipelines. The CZDS portal provides the formal mechanism to request and receive these zone files, it also outlines the governance around acceptable use and redistribution of the data. See ICANN’s CZDS hub for the current process and registry-specific requirements. ICANN CZDS and the CZDS-related policy writeups offer concrete guidance on access timelines, compliance, and what to expect in terms of data cadence.

Not all TLDs participate in CZDS, and many country-code TLDs (ccTLDs) or brand-specific TLDs have different data-sharing policies. In practice, this means that if you are looking for bulk lists for TLDs such as .my (Malaysia), .no (Norway), or newer or brand-oriented TLDs like .cfd, you may need to explore registry-specific pathways - direct negotiations, licensing agreements, or participation in a registry’s data-sharing program. The global picture, however, remains consistent: central, policy-compliant access to zone data for gTLDs via CZDS, ccTLDs often require direct engagement with the registry operator or alternative data providers who aggregate and license data under their own terms. For organizations evaluating the feasibility of CZDS versus registry partnerships, it’s important to map data needs against access terms and refresh cadences. The CZDS framework is the industry’s best-documented route for bulk gTLD data, and the Zone File Access policy notes the obligations that come with use of a registry’s zone files. Zone File Access and the CZDS help pages provide the authoritative baseline for this work.

Practical workflow: building a TLD-aware domain watch

To turn bulk lists into usable risk signals, teams need a repeatable workflow that respects data provenance, licensing, and operational realities. Below is a pragmatic workflow that aligns with modern digital risk intelligence practice while staying mindful of the constraints around .my, .no, and .cfd contexts.

• Define scope and data governance: Start with a risk-focused scope - which brands, markets, and campaigns matter most? Define data-use terms, retention windows, and compliance boundaries before touching any dataset. This ensures licensing terms are respected from the outset and that data handling aligns with your risk program’s governance.
• Acquire bulk zone data where possible: For gTLDs, submit CZDS requests for the relevant zone files and establish a cadence that matches your alerting and monitoring needs. This provides a high-coverage baseline against which to run detections and enrich with other signals. The CZDS framework is specifically designed to centralize access to many TLDs and to streamline data distribution to approved users. ICANN CZDS
• Address ccTLDs and non-participating TLDs thoughtfully: When a TLD doesn’t participate in CZDS, plan registry-facing paths or licensed providers that offer data under controlled use. This ensures you are not relying on incomplete data for risk judgments involving jurisdictions where the registry controls data access differently.
• Enrich and validate domain lists: Use RDAP lookups to enrich candidate domains with registration details, creation/expiration dates, and nameserver information. RDAP complements zone files by providing up-to-date records at the individual-domain level, and is part of the broader shift from WHOIS to a standards-based data access model. For an overview of why RDAP matters, see the CZDS and governance literature on data access and the RDAP transition.
• Normalize, deduplicate, and dedup risk signals: Combine data from zone files and RDAP into a single canonical dataset. Normalize domain casing, time-stamps, and registrant fields to enable accurate deduplication and trend analysis. Deduped, enriched lists form the backbone of proactive risk monitoring rather than a one-off lookup table.
• Automate alerting and enrichment: Set up rules to flag new registrations that match brand variants, suspicious typos, or geographies of interest. Tie these alerts to your incident response and brand protection workflows so that investigations begin promptly when a threat is detected.
• Validate with a trusted risk-data partner when needed: For teams that require more than DIY pipelines, partnering with a domain intelligence provider can help fill gaps, provide standardized data access, and offer an integrated risk platform. See the example below for how a partner data layer can fit alongside CZDS-derived lists.

In practice, risk teams seldom rely on a single data source. A layered approach - combining bulk zone data, registry RDAP lookups, and modern data-provision platforms - yields more reliable signals and faster triage. The practical upshot is that a robust digital risk intelligence capability is built on quality data, a clear license to use it, and a repeatable workflow that scales with your threat landscape.

Expert insight

Expert insight: Data provenance and licensing terms are critical when using bulk domain lists. Always pair raw zone files with ongoing monitoring and enrichment to reduce false positives and keep risk signals trustworthy.

Structured decision framework: choosing sources and workflows

When planning a domain-list strategy, use the following framework to balance coverage, legality, and operational overhead. This is presented as a lightweight framework you can adapt to your organization’s risk tolerance and regulatory environment.

• Access and licensing: Prefer sources with clear licensing terms and an approved-use model. For gTLDs, CZDS provides a well-documented access path, for ccTLDs and brand TLDs, confirm registry terms or rely on licensed providers. This ensures you avoid licensing pitfalls or data-use restrictions that could derail a risk program.
• Coverage and completeness: Understand the trade-off between zone-file breadth and practical latency. Zone files give wide coverage, but not all TLDs participate, supplement with targeted RDAP lookups for critical domains and regions.
• Update cadence: Zone files are typically refreshed daily or more frequently for active zones, but some TLDs may update slower. Align cadence with your alerting needs to minimize stale signals.
• Data enrichment: Combine zone data with RDAP/WHOIS for context on registrations, and consider integration with a risk dashboard that supports operator workflows and incident response handoffs.
• Cost and governance: Weigh the cost of data licenses against the risk you’re mitigating. Build governance around usage, data retention, and sharing rules to avoid compliance issues and ensure your program remains auditable.

For teams evaluating options, these considerations help decide whether to rely primarily on CZDS zone files, to incorporate registry RDAP/enrichment, or to work with a data partner that can provide a unified feed with consistent licensing terms. In practice, many risk programs combine all three approaches to balance coverage, accuracy, and operational practicality.

Limitations, trade-offs, and common mistakes

• Relying on a single data source is risky: Zone files capture a snapshot of registered domains but may miss subdomains or recently registered domains until the next refresh cycle. RDAP and real-time lookups help close this gap, but each data source has its own latency profile and governance constraints.
• Ignoring licensing and usage terms: Bulk domain data comes with licensing requirements. Using data beyond permitted terms can create legal exposure and complicate internal risk programs. Always confirm terms in advance.
• Underestimating update latency: A daily cadence may feel sufficient, but threat actors act in hours. Build alerting that accounts for delays and uses real-time or near-real-time signals where feasible.
• Not integrating data with risk workflows: Data without context (watchlists, risk scoring, and incident response playbooks) often ends up as noise. Integrate domain lists into a risk dashboard and tie signals to investigations and remediation actions.

Case in point: how .my, .no, and .cfd contexts shape data access

To illustrate, consider three real-world-sounding scenarios: a bulk list for a widely used country-code TLD (.my) and a geo-focused TLD (.no), as well as a newer, brand-aligned TLD such as .cfd. The data-access reality varies by registry policy. CZDS can provide a scalable route for gTLDs, but ccTLDs and brand/geo TLDs often require registry-specific data-sharing arrangements or licensing with specialized providers. In practice, security teams build a blended data plan: use CZDS-enabled zone files for broad coverage where available, pursue registry partnerships or licensed datasets for non-participating TLDs, and augment with targeted RDAP-based lookups to fill gaps. This approach ensures risk teams can monitor for impersonations and typosquatting across a broad swath of TLDs while remaining compliant with data-use restrictions.

Putting the data to work: integrating with NetzReporter and WebAtla capabilities

A mature risk program should weave external domain data into a broader brand-protection workflow. The NetztReporter framework emphasizes digital risk intelligence and brand protection, including phishing detection and threat monitoring. For practitioners seeking practical data sources and ready-to-use datasets, WebAtla hosts a comprehensive Active Domains dataset that is refreshed daily and designed for analytics, marketing intelligence, and threat detection workflows. This dataset can serve as a robust baseline against which your risk signals are validated and prioritized. See the Active Domains dataset and related resources for more details:

• Active Domains dataset
• For broader domain-data access and RDAP/Whois coverage, consider the WebAtla RDAP & WHOIS Database page as a complementary resource: RDAP & WHOIS Database
• Or browse the WebAtla TLDs index to explore domain distributions across extensions: TLDs directory

Integrating these data sources with your risk tooling allows you to automate domain-based detections, enrich alerts with registration context, and feed risk models with consistent, ready-to-analyze data streams. The combination of CZDS-backed bulk data, RDAP enrichment, and a trusted provider’s datasets offers a practical, defensible path to scale brand-protection programs without sacrificing analytical rigor.

Conclusion

Digital risk intelligence is most effective when you deploy a layered data strategy that respects licensing, keeps you current, and integrates smoothly into incident response workflows. Zone-file data via CZDS remains a cornerstone for bulk domain coverage of gTLDs, while RDAP enrichments provide timely, per-domain context that helps distinguish legitimate activity from threats. For teams that need a practical starting point and a scalable, compliant data backbone, pairing CZDS access with targeted enrichment and a reliable domain-data partner offers a balanced path forward. By aligning data access with governance and risk workflows, you can elevate your brand protection program from reactive alerts to proactive risk management - without breaking the bank or your compliance posture.