Malicious Domain Protection: Building on Machine Learning in Our Protective DNS

What is Malicious Domain Protection?

Malicious Domain Protection began at DNSFilter as a research project to assess whether some malicious domains can be detected by inspecting solely the domain string. This effort follows in a vein of academic research; a thorough review can be found in Harald Vranken and Hassan Alizadeh’s “Detection of DGA-generated domain names with TF-IDF”. Electronics, vol. 11, no. 3, 414, 2022. The basic premise is that some malware communicates with adversaries using domains created procedurally by domain-generation algorithms (DGA) to evade detection by security tools looking for domains known to be malicious. Typically, DGA domains are characterized by their completely random appearance, as if the user typed the domain accidentally while trying to clean up coffee spilled on a keyboard. (More sophisticated domain-generation algorithms used words, or parts of words, in a bid for inconspicuousness.)

The goal of Malicious Domain Protection is to inspect these domain strings and accurately assess their risk. While DGAs are a huge portion of what we’re able to assess with this new feature, it can go beyond DGA and may catch domains that fall into other threat vectors. 

This project is now available for all customers to implement under the “extra settings” tab when creating a policy.

Why focus on just the domain string?

Can the quality of the Malicious Domain Protection be improved if we include additional data elements besides the domain string?

Malicious Domain Protection has the most value when there is relatively little other information about a domain. As a protective DNS provider, we will sometimes see queries for which there are no DNS records; inferring the riskiness of these domains lets us evaluate whether we should block them before they’re even registered. While waiting for additional information (such as a DNS response or registration information) could provide more protection  for customers and context for our assessments, we assess that the corresponding delay is unfavorable.

That said, we are exploring how to incorporate the multimodal, heterogeneous DNS data and feed data into our risk assessments. DNS query data is incredibly rich, and at DNSFilter, we have a powerful data collection engine, supplemented by our third-party feed subscriptions. We intend to take full advantage of all of this data to protect our customers.

Are there any success stories about Malicious Domain Protection?

As a part of the Malicious Domain Protection pilot study, we monitored customers’ queries to domains that are malicious according to Malicious Domain Protection. On several occasions, we observed a very large number of high-risk queries and customer support reached out to those customers with the specific details of these queries. While we can’t speak to specifics, we did observe a precipitous drop in the number of high-risk queries that these customers made after we reached out and made them aware of this behavior; we attribute this to customers taking remedial action to stop the activities that lead to these queries.

In the testing phase, Malicious Domain Protection identified more than 7,000 risky domains not yet identified by any other feeds. Threats were identified up to 10 days ahead of other third-party feeds with one domain being caught 59 days ahead.

Implement Malicious Domain Protection by logging into the app and navigating to Policy → Advanced → Extra Settings.



  • There are no suggestions because the search field is empty.
Latest posts
Migrating from Cisco Umbrella to DNSFilter: It Pays to Make the Switch Migrating from Cisco Umbrella to DNSFilter: It Pays to Make the Switch

Navigating the complexities of cybersecurity challenges today means more than just being alert; it requires a readiness to adapt and embrace superior technologies for better protection of your digital assets. The recent announcement of Cisco Umbrella Roaming Clients end-of-life (EOL) on April 2, 2024, and its end-of-support (EOS) on April 2, 2025, has encouraged several organizations to consider the next steps in maintaining robust cybersecurity ...

Zero-Day Attacks: What Are They? Zero-Day Attacks: What Are They?

The term “zero-day attacks” is thrown around frequently with a lot of concern—and rightfully so. In today’s world where even the most menial tasks are conducted online, there is always some cyber threat lurking in the dark shadows of the internet. Picture this: A burglar finds a secret doorway to your house and decides to pay you a visit. All your assets are now accessible to him, even without your knowledge.

Mid-Winter Nights Hallucinations: Some Thoughts on Our New GenAI Category Mid-Winter Nights Hallucinations: Some Thoughts on Our New GenAI Category

AI, LLM, generative content, NLP, big data, neural processing, machine learning, GPT. In 2023 it's undeniable that these were some of the most heard terms from various businesses, news outlets and the social media sphere. Ultimately this alphabet soup can mean just as much as it sometimes doesn’t—and, as often is the case, the internet leans into the trend.Sites popped up everywhere—some reputable while others less so—promising cyberpunk profile ...

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.