Malicious Domain Protection
Stop threats 10 days faster
Detect unknown domains used by threats such as malware, botnets, and more.
How it works
Malicious Domain Protection uses machine learning to analyze DNS queries to assess whether they are likely to be associated with a malicious host.
By analyzing the DNS query, attempted connections to likely malicious domains are blocked, providing a first-line defense to protect users and corporate networks.
Enabling malicious domain protection is simple
Watch the video to see how easy it is to set up and configure a policy to block threats using Malicious Domain Protection.
Training the machine learning model
To train a machine learning classifier, training data is needed. DNSFilter's data scientists had access to the world's fastest Dual-Anycast resolvers that process over 89 billion DNS queries daily for over 30 million users.
Over 35 million daily DNS queries are identified as threats and blocked before they ever resolve to a client machine. Malicious Domain Protection's classifier was trained and fine-tuned using over 16 million queries, a mix of both known-good and known-bad domains, contributing to a highly accurate machine learning model.
More threats and faster detection
During testing, Malicious Domain Protection detected 7,000 risky domains that were not yet identified by any threat intelligence feeds. Threats were identified up to 10 days ahead of third-party threat feeds, with one domain being caught 59 days ahead.
The threats we face
Unknown malicious domains seen in the wild can be used with malware, botnets, phishing attacks or command-and-control servers.
Attackers use the period before their domain is discovered to launch attacks that go undetected by firewalls, IDS, and other threat detections that rely on threat feeds or other information.
Some malware families algorithmically generate upwards of 250,000 unique domains. Produced by domain generation algorithms (DGAs), these domains are often the first signs of malware, spambots, phishing, cryptojacking, and more.