Techniques for discovering and selecting candidates for sinkholing of network domains are provided. In some embodiments, a process for discovering and selecting candidates for sinkholing of network domains includes collecting passive DNS data from a plurality of security devices to discover candidates for sinkholing of domain names; selecting one or more domain names that are most commonly queried by distinct client devices based on the passive DNS data, wherein each of the one or more domain names is not yet registered; and automatically registering each of the one or more domain names with a domain registry to a sinkholed IP address in order to sinkhole each of the one or more domain names.