Module 8 · Lesson 8
Future Trends and Considerations
⏱ 12 min
Another gTLD application round is coming. .brand extensions are changing the trust model. AI-generated lookalike domains are scaling the attack surface. Decentralized DNS breaks enforcement entirely. Here's the honest assessment.
The honest framing: most of what's coming makes brand protection harder, not easier. Some of the changes are incremental. One of them, decentralized DNS, represents a qualitative shift in what enforcement even means.
Another gTLD Application Round
ICANN's New gTLD Subsequent Procedures program has been years in the making. The next application window is expected to open in the mid-2020s, with details still being finalized as of this writing.
What this means for brands: more TLDs. The second round will likely add hundreds of new extensions. The monitoring surface expands again. Brands that built their defensive strategy around the first-round TLDs will need to run the same evaluation process for each new extension that gets delegated.
The mechanics will be similar to the first round: TMCH-eligible marks will have Sunrise priority, URS will apply, UDRP will cover the new extensions. The practical lesson from the first round is to be ready before the launch calendar fills up. Track the ICANN new gTLD progress page, maintain your TMCH enrollment, and have a documented decision framework for which new TLDs to register defensively, so you're not making those decisions under time pressure during a Sunrise period.
The positive case: some second-round TLDs may be highly specific industry or geographic extensions where registration makes obvious sense for brands in that space. If .legal or .automotive or .finance launches and you operate in those sectors, the Tier 2 calculation from Lesson 05 applies immediately.
.brand Extensions: A Different Trust Model
Companies like Google (.google), Amazon (.amazon), Barclays (.barclays), and several hundred others now operate their own closed TLDs under the .brand model. Only the brand itself can register domains in its .brand TLD. maps.google and careers.amazon resolve because those companies control the registry.
This has interesting implications for brand protection:
For .brand operators: If you operate .yourbrand, you've effectively removed that entire namespace from the squatting risk. Nobody else can register phishing.yourbrand because you control every registration. It's the most complete defensive measure possible, and it costs roughly $25,000-50,000 in ICANN fees for the initial application, plus ongoing registry operation costs. Viable for large enterprises; not relevant for most.
For everyone else: The existence of verified .brand extensions creates a consumer trust signal. When customers learn that careers.amazon is definitely Amazon and careers.amazon-support.com is suspicious by definition, they're getting more sophisticated about evaluating domain authenticity. This is a slow, long-term shift, but it's in the right direction.
The darker implication: as .brand verification builds consumer confidence in the .brand model, attackers will start exploiting the gap, building phishing campaigns that mimic the .brand aesthetic while using a completely different namespace. "Go to careers.amazon-jobs.com to apply" is more convincing once people expect .amazon to be authentic.
AI-Generated Domain Abuse
This is the trend that concerns me most from the monitoring perspective.
For most of internet history, typosquatting and lookalike domain creation was relatively manual. Someone had to think up the variations, register them, build the sites. The production cost created a natural limit on scale.
Machine learning removes that limit. A model trained on a brand's web presence can generate hundreds of plausible lookalike domains in minutes: similar but distinct strings, homograph variations, and compound strings that combine the brand name with service keywords. Registration is cheap. The bottleneck is no longer ideation or effort; it's the cost of registration.
At X-RAY, we're already seeing evidence of ML-assisted domain abuse campaigns: coordinated registrations across multiple TLDs in short windows, with domain strings that show clear optimization against known brand-monitoring heuristics (strings designed to not exact-match brand alerts but still be recognizable to targeted customers).
The detection response is the same ML arms race you see in spam filtering. Monitoring systems have to get smarter, looking at registration patterns, registrant fingerprints, DNS behavior anomalies, and certificate transparency data, not just string matching.
The practical implication for brand managers: don't rely on exact-match monitoring alone. If your monitoring alerts on yourbrand.phishingtld, that's good, but the sophisticated attacks won't use your exact brand string. They'll use yourbrand-support.tld or yourbrand-secure.tld or Unicode strings that render similarly. Your monitoring vendor should be doing substring and fuzzy-matching, not just exact-match.
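The substring, homoglyph and fuzzy matching the paragraph above calls for, as an added example that is not part of the lesson or of any monitoring vendor's product. It normalizes confusable characters, decodes punycode labels, and classifies a newly observed domain against a brand string; the brand name, keyword list, confusable map and sample domains are all constructed for illustration.

```python
import unicodedata
from typing import Optional

# Constructed map of characters that render like ASCII letters (digits,
# pipe, common Cyrillic/Turkic confusables); a real deployment would use
# the full Unicode confusables table.
CONFUSABLES = {"0": "o", "1": "l", "|": "l", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0455": "s",
               "\u0456": "i", "\u0131": "i"}

def normalize(label: str) -> str:
    """Lowercase, apply NFKC, then map confusables to the letter they imitate."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str,
             keywords=("support", "secure", "login", "jobs")) -> Optional[str]:
    """Return a match class for a registrable domain (label.tld), or None.

    Classes, from strongest to weakest: exact, homoglyph, compound-keyword,
    compound, fuzzy. Only the second-level label is examined (assumption).
    """
    sld = domain.lower().split(".")[0]
    if sld.startswith("xn--"):               # punycode label -> Unicode
        sld = sld.encode("ascii").decode("idna")
    target = normalize(brand)
    if sld == brand.lower():
        return "exact"
    norm = normalize(sld)
    if norm == target:
        return "homoglyph"
    if target in norm:                       # brand embedded in a longer string
        rest = norm.replace(target, "", 1).strip("-")
        return "compound-keyword" if rest in keywords else "compound"
    if edit_distance(norm, target) <= 2:     # typos and transpositions
        return "fuzzy"
    return None

def scan(domains, brand: str) -> dict:
    """Map each matching domain from a feed (e.g. new registrations) to its class."""
    hits = {d: classify(d, brand) for d in domains}
    return {d: c for d, c in hits.items() if c is not None}
```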
Decentralized DNS: The Enforcement Gap
This deserves direct treatment because the indirect answers I've heard at conferences are not useful.
Handshake (HNS), Ethereum Name Service (ENS), and Unstoppable Domains are alternative naming systems that operate outside the ICANN root zone. A Handshake name isn't registered with any ICANN-accredited registrar. There's no registrar abuse contact. There's no URS provider. There's no UDRP process. The registration is an entry on a blockchain.
If someone registers your brand name in Handshake and uses it for phishing, your enforcement options are: blockchain-level action (which means convincing the network or the wallet software providers to block the name, which is not a reliable path), civil litigation (which requires identifying the registrant, which is harder without WHOIS requirements), or waiting for the platform ecosystem to take action.
The honest answer: you largely lose the enforcement tools you have in ICANN-governed DNS. UDRP doesn't exist there. Registrar abuse contacts don't exist there. The normal first-response options simply aren't available.
The mitigating factor: decentralized DNS systems have limited consumer reach. Almost no mainstream users navigate via Handshake or ENS names directly; the resolver infrastructure isn't built into standard browsers by default. The attack surface in practical terms is currently small.
But the trend line is toward broader adoption. Some browsers are adding support. Wallet integrations are growing. If decentralized DNS gains mainstream traction, the enforcement gap becomes a material problem, and the industry doesn't have a consensus answer yet.
Regulatory Changes
On the positive side for brand protection, regulatory pressure on WHOIS data accuracy is increasing.
The GDPR-driven redaction of WHOIS data has made attribution harder since 2018: registrant contact details are largely hidden behind privacy services or redacted entirely for EU registrants. This is legitimate from a privacy standpoint and inconvenient from a brand enforcement standpoint.
The counter-pressure: ICANN's Registration Data Access Protocol (RDAP) is being implemented as the WHOIS replacement, with more structured data and better mechanisms for legitimate access requests by IP holders. The EU's NIS2 directive includes provisions that push back toward WHOIS accuracy requirements for security purposes. How this resolves is still in motion.
For brand protection, the practical hope is that the RDAP rollout eventually enables faster, more reliable access to registrant data for parties with legitimate enforcement need, without fully reverting to the pre-GDPR public exposure model.
Key Takeaways
- The next gTLD application round will expand the namespace further. Monitor ICANN's timeline, maintain TMCH enrollment, and have your Tier 2 evaluation framework ready.
- .brand extensions offer the most complete brand protection in those namespaces, but at significant cost. Mainly relevant for large enterprises.
- AI-generated domain abuse is scaling the attack surface beyond what string-based monitoring handles. Fuzzy matching, behavioral analysis, and certificate transparency monitoring are becoming necessary.
- Decentralized DNS breaks UDRP and registrar-based enforcement entirely. Current consumer reach is limited, but the trend is toward growth.
- RDAP and NIS2 create some regulatory pressure back toward WHOIS accuracy. The balance between privacy and enforcement accountability is still being negotiated.
Further Reading
- ICANN new gTLD subsequent procedures: newgtlds.icann.org/en/applicants/ldn/subsequent-procedures
- IANA .brand registry list: iana.org/domains/root/db (filter for single-registrant/brand TLDs)
- Handshake naming overview: handshake.org
- ICANN RDAP documentation: icann.org/rdap
Up Next
Lesson 09: The conclusion. After 20 years in this industry, what the expanded namespace actually means for brands, and what a sensible long-term position looks like.