The Domain Name System (DNS) is highly dynamic, and changes to it are continually taking place. For example, new base domain names get registered and used for the first time, new resource records (and new resource record types such as MX, PTR, AAAA) get created within those base domains, and resource records get set to new values. A single domain can have up to 100 resource records returned at once. Historically, all of those changes were largely overlooked in the flood of DNS traffic available to security analysts and DNS researchers from DNS-data sharing sites until now. In this presentation, Dr. Paul Vixie will discuss a ground-breaking approach that tames this information fire hose - the creation of two winnowed, real-time data streams, one consisting of newly-observed fully-qualified domain names, and another of DNS changes. These new streams make it easy to identify numerous security-relevant DNS changes. For example, if a prominent web server is subject to a DNS poisoning attack or its name servers are changed without authorization at the registrar, that hijacked web server will show up in these streams as having experienced a "DNS change." Spam sites that formerly used DNS wildcarding in an attempt to "fly under the radar" are now easily identified, since each of their new pseudo-random Fully Qualified Domain Names (FQDN)s gets tagged as being new. Similarly, operators of fast flux or double fast flux networks can no longer hide. Dr. Vixie will provide practical examples of how this innovative new approach will allow for more timely and effective approaches to combating malicious Internet behavior, including significantly improving brand protection and anti-phishing controls, and increasing situational awareness. He will also discuss limitations associated with this approach, including filtering choices, and limitations to the paradigm and his talk will include a demo with Q&A.;