
Core concepts

This page explains the core concepts and matching algorithms that power Iris Detect. Understanding these concepts helps you create effective monitors and interpret results.

Key concepts

Monitors

Lists of domains that Iris Detect updates in near real-time based on your search terms and fuzzy matching techniques. Monitors track domains that match your specified keywords and patterns.

Watchlist

A collection of domains you actively monitor for infrastructure changes. When you add a domain to the watchlist, Iris Detect tracks changes to its IP address, nameservers, registrar, and other infrastructure.

Domain Risk Score

DomainTools' proprietary calculation that assesses the risk level of a domain based on multiple factors including registration patterns, infrastructure, and behavioral indicators.

Learn more: Risk Score user guide

Domain groups

Iris Detect organizes domains into categories based on their status and lifecycle:

Group | Description | When domains appear
New | Domains that passive DNS newly detected in their current lifecycle | Iris Detect populates this list as it discovers domains in near real-time
Watched | Domains you add to the monitor's watchlist | When you manually add domains to watch. Moves to Changed when infrastructure changes occur
Changed | Watched domains that experience infrastructure changes | When watched domains experience infrastructure changes in the last 3 days (default timeframe, adjustable in Settings)
Inactive | Domains you watch that DNS has not observed recently | When watched domains have not been observed in DNS for the last 10 days
Previous | Domains that fit the monitor's criteria and were active before monitor creation | Domains matching criteria that existed before you created the monitor
Escalated | Domains escalated to Google Web Risk | When you escalate domains for review or blocking
Ignored | Domains marked to be ignored | When you manually mark domains to ignore

Escalation

The process of flagging domains as malicious and optionally submitting them to Google Web Risk (https://cloud.google.com/security/products/web-risk?hl=en) for broader protection.

How domain matching works

Iris Detect uses advanced matching algorithms to find domain variations and spoofs. Understanding these techniques helps you configure monitors effectively and interpret search results. All examples use the hypothetical monitor term domaintools.

Match Variations setting

The Match Variations setting is a key configuration option that controls how aggressively Iris Detect searches for domain variations. Understanding when to enable this option depends on the structure of the domain you monitor:

Single-term domains

When you monitor a single-term domain (such as domaintools.com), exact substring matching works without Match Variations. For example:

  • Monitoring domaintools finds domaintools.com and hr-domaintools.com (exact substring)
  • It also finds the spoof domaintoois.com (missing 'l') through fuzzy matching

Multi-term domains

When you monitor a multi-term domain (such as domaintoolsglobalservices.com):

  • If the monitored term is an exact substring of the multi-term domain, Iris Detect discovers it without Match Variations. For example, monitoring domaintools finds hr-domaintools.com
  • However, if the term is not an exact substring, you need to enable Match Variations to include fuzzing algorithms. For example, monitoring domaintools only finds the spoof domaintoolglobalservices.com (with character removal of 's') when you enable Match Variations

Practical example with examplecorp

  • Without Match Variations: Matches examplecorp.com (exact substring) but not account-examp1ecorp.com (variation with "1" substitution)
  • With Match Variations: Matches both examplecorp.com and account-examp1ecorp.com (variation is a substring)

Match Variations is not recommended for terms of 6 characters or less, as it can create many false positives.

Matching algorithm types

Iris Detect applies different matching algorithms based on your search terms and configuration:

Exact matching

Exact matching is the most basic matching type, and Iris Detect applies it to all terms. It finds the term as an exact substring of the domain, for example:

  • domaintools.cn
  • account-domaintools.com

Full domain matches

Full domain matches perform exact matching across the entire domain name for all terms. Examples include:

  • account-domain.tools
  • account-domain.tools.com

Fuzzy matching

Iris Detect applies fuzzy matching to terms of length 5 and greater. Fuzzy matching differs from variation matching: it finds close matches that variation matching does not otherwise pick up, where the domain portion of the domain name (the second-level domain; for example, domaintools in domaintools.com) differs from the term by a single character. Examples include:

  • domain2ools.com
  • domainetools.com

Internationalized Domain Name matching

Internationalized Domain Name matching finds domains in which a Unicode variation of the term appears. Iris Detect applies it to all terms. Examples include:

  • domåintools.com
  • account-domåintools.com

Variation matching

Iris Detect applies variation exact matches to terms of length 4 and greater. It creates specific variations of the term using algorithms that include:

  • Affixes: Append country code TLDs, gTLDs, and common phishing affixes
  • Character Flips: Identify terms with bits/characters flipped to other keyboard characters
  • Character Swaps: Identify terms with swapped adjacent characters
  • Character Substitutions: Substitute ASCII and/or Unicode lookalike characters (leetspeak)
  • Duplicate Character Reductions: Replace consecutive duplicate characters with a single character
  • Duplicate Characters: Identify duplicate characters
  • Homoglyphs: Identify domains registered using international character sets
  • Homophones: Use common misspellings for words that sound similar
  • Hyphen Addition/Removals: Add a single hyphen or remove existing hyphens
  • Miskeyed Replacements/Additions: Swap characters with nearby keyboard characters
  • Prefix + Suffix combinations: Append and prepend common prefix and suffix combinations
  • Prefixes: Add common prefixes to your term
  • Single Character Removals: Remove a single character
  • Substrings: Return results that have the term as a substring of the domain
  • Suffixes: Affix common domain suffixes to your term

For detailed examples of each algorithm type, see the Reference: Matching algorithm details.

Variation substring matches

Variation substring matching is a configurable option that you enable via the Match Variations setting. It matches the variations that the above algorithms create when they appear as substrings within domain names. For shorter terms, this can generate a large number of false positives.

When you monitor single-term domains like domaintools.com:

  • Without Match Variations: Iris Detect finds exact substrings like hr-domaintools.com
  • With Match Variations: Iris Detect also finds variation substrings like hr-domaintoois.com (missing 'l') or domaintools-secure.com

When you monitor multi-term domains like domaintoolsglobalservices.com:

  • Without Match Variations: Iris Detect finds domains where your term is an exact substring (e.g., hr-domaintools.com)
  • With Match Variations: Iris Detect also finds domains where variations of your term appear as substrings in multi-term combinations (e.g., domaintoolglobalservices.com with character removal of 's')
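As an added illustration (not Iris Detect's own code; its matching tables are not public), the following Python reconstructs the rules described on this page: exact and full-domain substring matching, diacritic folding as a stand-in for Internationalized Domain Name matching, the single-character fuzzy rule for terms of length 5 or more, and variation generation for terms of length 4 or more, where Match Variations switches variants from whole-label matches to substring matches. The lookalike table, the assumption that IDN labels arrive already decoded to Unicode, and the precedence between techniques are my assumptions.

```python
import unicodedata

# Constructed lookalike table (assumed; Iris Detect's own substitution tables are not public).
LOOKALIKES = {"l": "1i", "i": "l1", "o": "0", "e": "3", "a": "4", "s": "5"}

def sld(domain):
    """Second-level label: 'hr-domaintools' in 'hr-domaintools.com'."""
    return domain.lower().split(".")[0]

def ascii_fold(s):
    """Drop diacritics (NFKD) so 'domåintools' folds to 'domaintools'. Assumes a decoded
    Unicode label, not punycode; Cyrillic/Greek homoglyphs would need a real confusables table."""
    return "".join(c for c in unicodedata.normalize("NFKD", s) if not unicodedata.combining(c))

def variations(term):
    """Variants under a few of the page's algorithm families."""
    out = set()
    out |= {term[:i] + term[i + 1:] for i in range(len(term))}                   # single character removals
    out |= {term[:i] + term[i + 1] + term[i] + term[i + 2:] for i in range(len(term) - 1)}  # swaps
    out |= {term[:i + 1] + term[i] + term[i + 1:] for i in range(len(term))}     # duplicate characters
    out |= {term[:i] + "-" + term[i:] for i in range(1, len(term))}              # hyphen addition
    for i, ch in enumerate(term):                                                 # lookalike substitutions
        out |= {term[:i] + sub + term[i + 1:] for sub in LOOKALIKES.get(ch, "")}
    out.discard(term)
    return out

def one_edit_apart(a, b):
    """Fuzzy rule from the page: exactly one character differs (substitution, insertion or deletion)."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    lo, hi = sorted((a, b), key=len)
    return len(hi) - len(lo) == 1 and any(hi[:i] + hi[i + 1:] == lo for i in range(len(hi)))

def match(term, domain, match_variations=False):
    """Name the first technique under which `domain` matches `term`, or None (order is assumed)."""
    term, label = term.lower(), sld(domain)
    if term in label:
        return "exact"
    if term in domain.lower().replace(".", ""):      # term spans a dot: account-domain.tools
        return "full-domain"
    if term in ascii_fold(label):
        return "idn"
    if len(term) >= 5 and one_edit_apart(term, label):
        return "fuzzy"
    if len(term) >= 4:
        for v in variations(term):
            if v == label:                            # variation exact match: whole label
                return "variation"
            if match_variations and v in label:       # variation substring: needs Match Variations
                return "variation-substring"
    return None
```

Running match("domaintools", d) with and without match_variations=True over the page's sample domains reproduces which ones each setting surfaces, and shows why a short term with Match Variations enabled produces many substring hits.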