Silent Push Examines the Dark Side of Dynamic DNS Providers


Key Findings

  • Publicly rentable subdomain providers, also known as “Dynamic DNS providers,” can be benign, but they are also frequently exploited by threat actors who take advantage of lower-quality, temporary hosting arrangements.  
  • Services that rent these subdomains are increasingly used for malicious purposes, as they may circumvent regulations with lax registration, operational practices, and often ignore takedown requests.
  • Silent Push has created a set of data export reports that monitor more than 70,000 domains renting subdomains to help enterprise organizations more closely monitor and alert—or block outright—the connections to these hosts, based on their risk tolerance.

Executive Summary

New research developed by Silent Push Threat Analysts has been compiled into a set of exclusive exports, enabling organizations to track approximately 70,000 domains that rent subdomains, also referred to as “Dynamic DNS” providers.

These types of web hosts can be of concern because they allow anyone—malicious or otherwise—to register subdomains and host their own content on them. Typically, DNS records are also automatically managed by the service that rents the subdomains, though this is not the case with all publicly rentable subdomains.

Our enterprise customers have exclusive access to the set of data exports designed to address threat actor usage of this type of infrastructure for hosting and launching attacks.


Background

Publicly rentable subdomain providers (also known as “Dynamic DNS” providers) come in many shapes and sizes. These providers essentially offer subdomains for rent, sometimes operating as an individual, as with many of the tens of thousands of afraid[.]org personal dynamic DNS providers, and at other times as a larger company renting out subdomains, such as us[.]com and it[.]com.

Enterprise companies such as Google and Cloudflare offer some publicly rentable subdomains, but the vast majority are managed by individuals and largely unknown organizations.  

Renting Subdomains

There are a few different types of these domain rental services available when renting a subdomain:

  1. No Hosting Control, Some Content Control: the DNS A record (IP address) cannot be set, and some content is set by the provider (e.g., Blogspot, even though there are ways to hide the default content).
  2. No Hosting Control, Full Content Control: the DNS A record (IP address) cannot be set, but content can be set freely (pages[.]dev, for example).
  3. Full Hosting Control, Full Content Control: the DNS A record and content can be set freely; these features are often available under “paid” plans at these providers. One example that has these features is afraid[.]org.

The lack of complete control for a given host, at first glance, could appear as a weakness of this type of infrastructure; however, that couldn’t be further from the truth. These services are effectively operating as “mini domain registrars” without nearly the same amount of attention or oversight that legitimate domain registrars face.

Dangerous and Deserving of Attention

These hosts can be dangerous for several reasons:

  • As mentioned earlier, many threat actors abuse these services. A list of high-profile examples of threat actor abuse of these services is included in a separate section towards the end of this blog.
  • Many Dynamic DNS platforms, such as afraid[.]org, have abuse reporting channels; however, no organizations publicly track the takedown response times for these providers. This ensures that bad providers who don’t respond to abuse complaints end up hiding for far too long.
  • Many of these providers accept cryptocurrency payment methods, such as Bitcoin, and openly advertise that they never need to share credentials or provide “Know Your Customer” details.

    Numerous domain registrars offer similar anonymous purchasing features. However, domain registrars must be registered through various ICANN and IANA processes. In contrast, Dynamic DNS providers simply need to purchase a domain and set up their own routing and purchasing infrastructure. This allows them to operate with far less red tape and regulation.

  • Services that rent subdomains can sometimes end up on enterprise benign lists, so it’s essential to track these threats with the full picture of context available. It’s also common for employees to request access to specific web content, which may be blocked by default. Defenders need to be cautious about allowing connections to particular subdomains while also being wary of granting blanket access to a full apex domain when it’s hosted on a service that rents subdomains, as attacker infrastructure could inadvertently be allowed through.
  • When a threat actor controls a subdomain on a service that doesn’t respond to abuse complaints, that infrastructure becomes highly attractive for use as part of command and control (C2) communications and other dangerous network flows.

Even though cybersecurity companies may be aware of a malicious subdomain, report it, and post it on numerous public systems and lists, a given subdomain could still remain active due to the lack of strong remediation options.

In contrast, when a similar situation occurs with normal domains, both the domain registrar and the domain host can be contacted to disrupt a malicious website, providing twice as many options to get something potentially malicious taken offline.


Tracking: A Complex Process

Tracking subdomain rental schemes and Dynamic DNS providers is a complicated process.

Many of these subdomain rental hosts can be found on the “Public Suffix List” (PSL), which is publicly maintained in the “Begin Private Domains” section. This list includes enterprise services such as Blogspot[.]com from Google and pages[.]dev from Cloudflare, as well as many more similar services that rent subdomains.

The PSL does not, however, include the vast majority of lower-quality hosts who rent subdomains, and it does not allow third-party submissions to its list. As a result, specific hosts that rent subdomains and/or provide Dynamic DNS services will most likely never end up on the PSL and therefore must be tracked separately.
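An added example (not Silent Push code or data) showing the two mechanics described above: reading the PSL “Private Domains” section in the real file's `// ===BEGIN PRIVATE DOMAINS===` marker format and merging it with a separately tracked DDNS apex list, then using that combined set to flag hosts that are tenants of a rental apex and to catch an allowlist request that would admit a whole apex, the over-broad exception warned about in the “Dangerous and Deserving of Attention” section. `PSL_SAMPLE` and `TRACKED_DDNS` are constructed stand-ins, and PSL `!` exception rules are not handled.

```python
from typing import Optional

# Constructed excerpt in the real PSL file's format; only the private
# section (the page's "Begin Private Domains") is read, comments skipped.
PSL_SAMPLE = """\
// ===BEGIN ICANN DOMAINS===
com
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Google LLC
blogspot.com
pages.dev
// ===END PRIVATE DOMAINS===
"""
# Constructed stand-in for the separately tracked list of lower-quality
# DDNS apexes (the page names these providers; the set is an assumption).
TRACKED_DDNS = {"duckdns.org", "dynu.com", "no-ip.com"}

def private_domains(psl_text: str) -> set:
    """Collect rules from the PSL 'Private Domains' section."""
    rules, inside = set(), False
    for line in psl_text.splitlines():
        line = line.strip()
        if "BEGIN PRIVATE DOMAINS" in line:
            inside = True
        elif "END PRIVATE DOMAINS" in line:
            inside = False
        elif inside and line and not line.startswith("//"):
            rules.add(line.lower().lstrip("*."))  # a '*.x' rule counts as 'x'
    return rules

def rental_apex(host: str, apexes: set) -> Optional[str]:
    """Longest tracked apex that host is a strict subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # i >= 1: the apex itself is no tenant
        candidate = ".".join(labels[i:])
        if candidate in apexes:
            return candidate
    return None

def allowlist_verdict(entry: str, apexes: set) -> str:
    """Judge an allowlist request: an apex (or *.apex) of a rental service
    would admit every tenant, so it is 'too-broad'; one tenant FQDN is
    'rental-subdomain' (review it); anything else is 'ok'."""
    bare = entry.lower().lstrip("*.")
    if bare in apexes:
        return "too-broad"
    return "rental-subdomain" if rental_apex(bare, apexes) else "ok"

APEXES = private_domains(PSL_SAMPLE) | TRACKED_DDNS  # combined tracked set
```

Feed `rental_apex` the hostnames from DNS or proxy logs to raise the per-subdomain alerts the mitigation section recommends, and run `allowlist_verdict` on every exception request before it is approved.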

Our research team has devoted significant effort to ensuring we track all hosts utilizing these subdomain rental schemes and monitor them in real-time for newly appearing domains.

For instance, the Dynamic DNS provider, afraid[.]org, has tens of thousands of domains renting subdomains – the oldest being approximately 25 years old, with a steady influx of new domains every month. To make this host even more complex, afraid[.]org only lists some of these publicly – the others are known as “stealth” domains and can only be tracked via NameServer records.

Sourcing Data from Different Queries

Our threat team currently sources data for this special Dynamic DNS export from a mix of queries, enhancing and empowering publicly available information with the deep context and insights offered by our own first-party data. This includes:

  1. The Public Suffix List (publicsuffix[.]org), specifically the “Private Domains” sub-list. The PSL primarily includes enterprise domains, which have a greater potential to generate false positives than the lower-quality dynamic DNS providers. This is part of why we track those Dynamic DNS providers and the domains found on the PSL separately, for organizations to manage their risk tolerance accordingly.
  2. Afraid[.]org – with tens of thousands of sites scraped from its website and further tracked via NameServer (NS) records – tracking this infrastructure helps identify the “Non-Shared: Stealth” websites it advertises using its network, which aren’t listed publicly.
    1. PADNS lookups for related NS records can be performed in our platform, such as the following example:

[Screenshot: Silent Push Community Edition NameServer DNS search for afraid[.]org. The NameServer DNS search for afraid[.]org produced over 591,000 results.]

[Screenshot: FreeDNS site search of afraid[.]org. Source: https://freedns[.]afraid[.]org/domain/add[.]php]

  3. Other major DDNS providers, including:
    1. ChangeIP (changeip[.]com)
    2. CloudDNS (cloudns[.]net)
    3. DNSexit (dnsexit[.]com)
    4. DuckDNS (duckdns[.]org)
    5. DuiaDNS (duiadns[.]net)
    6. DynDNS (dyn[.]com)
    7. Dynu (dynu[.]com)
    8. NowDNS (now-dns[.]com)
    9. YDNS (ydns[.]io)
    10. NoIP (noip[.]com)

Silent Push is also tracking several domains associated with a small Dynamic DNS provider called “AttractSoft,” which has been used in attacks targeting Ukraine and for which we were able to create a specific fingerprint, available to our enterprise customers via our customer-only reporting.

Threat Actors Abusing Publicly Rentable Domains / Dynamic DNS Services

There are extensive examples of serious threat actors using publicly rentable domains / Dynamic DNS domain services in their attacks. A few of the more high-profile of these include:


Publicly Rentable Domains Mitigation

Silent Push believes many publicly rentable domains and subdomains present a significant level of risk. Proactive measures are essential to defend against these potential, growing threats.

Our threat team created a set of Bulk Data Exports for all domains we’re tracking that rent subdomains and provide Dynamic DNS (DDNS) services. Enterprise clients are advised to set alerts on connections to any subdomains of these domains, and for some organizations, to block all connections.

Silent Push Indicators Of Future Attack™ (IOFA™) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest this data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Learn More About Dynamic DNS Providers

Our enterprise customers have access to the set of reports we compiled for this campaign. If you would like to learn more about our capabilities for tracking Dynamic DNS providers—or how you can hunt for them yourself on our platform—we encourage you/your organization to reach out to our team for a demonstration.

Connect with our platform experts for an overview of the Enterprise Edition platform. We can provide a tailored walkthrough for your specific use case, along with insights into integrations and API capabilities.


Continuing to Monitor Publicly Rentable Domains

We know that publicly rentable domains / Dynamic DNS providers aren’t going away anytime soon. They have existed for decades and continue to gain in popularity among threat actors.

Contributing to this rise is a growing business sector that hosts these subdomain rental schemes. Outside of the enterprise solutions, many are owned either by shell companies, by companies with a clear record of ignoring abuse, or by threat actors who share no details about themselves or any corporate entities. There are far more malicious efforts than benign ones, and some enterprise solutions are known to be heavily exploited by serious threat actors.

Our threat team recommends that enterprise organizations treat all publicly rentable domains and Dynamic DNS providers with caution, given the potentially significant threats they can pose.

For some organizations, connections to these domains may need to be blocked outright unless a user manually requests a narrow exclusion. For others, alerting may suffice. Every organization is likely to handle these types of domains and providers in different ways and should adjust based on its own tolerance of risk.

When defenders encounter a domain that has subdomains for rent, we advise them to always keep in mind that while one subdomain may be benign, another could be malicious. As we have covered, the diversity of content available from these providers creates unique defensive challenges. This is the core reason we created the export files for our enterprise customers.

Silent Push will continue to monitor services that allow subdomain rentals and report on new findings and observations throughout 2025. We greatly appreciate being directed to any additional repositories of publicly rentable domains or dynamic DNS providers, as well as any services that may not currently be tracked that an organization, researcher, or other individual feels should be flagged for our team.