Building on Machine Learning in Our Protective DNS

Listen to this article instead

What is Malicious Domain Protection?

Malicious Domain Protection began at DNSFilter as a research project to assess whether some malicious domains can be detected by inspecting solely the domain string. This effort follows in a vein of academic research; a thorough review can be found in Harald Vranken and Hassan Alizadeh’s “Detection of DGA-generated domain names with TF-IDF”. Electronics, vol. 11, no. 3, 414, 2022. The basic premise is that some malware communicates with adversaries using domains created procedurally by domain-generation algorithms (DGA) to evade detection by security tools looking for domains known to be malicious. Typically, DGA domains are characterized by their completely random appearance, as if the user typed the domain accidentally while trying to clean up coffee spilled on a keyboard. (More sophisticated domain-generation algorithms used words, or parts of words, in a bid for inconspicuousness.)

The goal of Malicious Domain Protection is to inspect these domain strings and accurately assess their risk. While DGAs are a huge portion of what we’re able to assess with this new feature, it can go beyond DGA and may catch domains that fall into other threat vectors. 

This project is now available for all customers to implement under the “extra settings” tab when creating a policy.

Why focus on just the domain string?

Can the quality of the Malicious Domain Protection be improved if we include additional data elements besides the domain string?

Malicious Domain Protection has the most value when there is relatively little other information about a domain. As a protective DNS provider, we will sometimes see queries for which there are no DNS records; inferring the riskiness of these domains lets us evaluate whether we should block them before they’re even registered. While waiting for additional information (such as a DNS response or registration information) could provide more protection  for customers and context for our assessments, we assess that the corresponding delay is unfavorable.

That said, we are exploring how to incorporate the multimodal, heterogeneous DNS data and feed data into our risk assessments. DNS query data is incredibly rich, and at DNSFilter, we have a powerful data collection engine, supplemented by our third-party feed subscriptions. We intend to take full advantage of all of this data to protect our customers.

Are there any success stories about Malicious Domain Protection?

As a part of the Malicious Domain Protection pilot study, we monitored customers’ queries to domains that are malicious according to Malicious Domain Protection. On several occasions, we observed a very large number of high-risk queries and customer support reached out to those customers with the specific details of these queries. While we can’t speak to specifics, we did observe a precipitous drop in the number of high-risk queries that these customers made after we reached out and made them aware of this behavior; we attribute this to customers taking remedial action to stop the activities that lead to these queries.

In the testing phase, Malicious Domain Protection identified more than 7,000 risky domains not yet identified by any other feeds. Threats were identified up to 10 days ahead of other third-party feeds with one domain being caught 59 days ahead.

Implement Malicious Domain Protection by logging into the app and navigating to Policy → Advanced → Extra Settings.

DNS Filter Settings



  • There are no suggestions because the search field is empty.
Latest posts
An Interview With DNSFilter’s New CTO, TK Keanini An Interview With DNSFilter’s New CTO, TK Keanini

In exciting news, DNSFilter recently hired TK Keanini to fill the role of Chief Technology Officer (CTO). TK has over 30 years of experience in network security and most recently served as the Vice President of security architecture and CTO of Cisco Secure. In his new role, TK will lead product management, customer experience, engineering, and security intelligence toward ongoing innovation and growth, focusing on customer needs and feedback to d...

The Intersection of 5G, Public Wi-Fi, and Network Security: Who’s at Risk? The Intersection of 5G, Public Wi-Fi, and Network Security: Who’s at Risk?

The transition from 4G to 5G is revolutionizing the way we connect and communicate, promising unprecedented speed, capacity, and low latency. However, this evolution also brings its own set of challenges, particularly concerning network coverage and security.

Revving up the Fun: DNSFilter's IndyCar Experience Recap—Detroit Grand Prix Edition Revving up the Fun: DNSFilter's IndyCar Experience Recap—Detroit Grand Prix Edition

This past weekend, we had the incredible opportunity to host guests at the Detroit Grand Prix. With representatives from Trace3, Guidepoint, Connection, and Judy Security, the event brought together tech experts and channel professionals for an exhilarating experience.

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.