    Domain Generation Algorithms (DGA)

    What Are Domain Generation Algorithms (DGA)?

    Domain Generation Algorithms (DGAs) are techniques used by malware to algorithmically create large numbers of domain names that can be used to connect to command-and-control (C2) servers. Rather than relying on a single, static domain that can be easily blocked, DGAs generate hundreds or even thousands of potential domains daily. If a system is infected, it will attempt to contact these domains—hoping one has been registered by the attacker to receive further instructions, updates, or payloads.

    This technique allows malware to remain resilient and stealthy, making detection and disruption significantly harder for traditional security tools.

    Domain Generation Algorithm Overview

    DGAs were introduced to help malware evade static defenses. Traditional malware often relied on hardcoded IP addresses or fixed domains to connect with its C2 infrastructure. Security teams could block these endpoints or take down the domains to disrupt communication.

    DGAs make this approach less effective. By algorithmically generating domain names on both the attacker’s and the infected system’s side, malware can attempt connections with a rotating list of domains. The attacker only needs to register one of those domains to re-establish control or deliver additional instructions.

    This method is common in botnets, ransomware, and advanced persistent threats (APTs), where long-term stealth and resilience are essential. To understand how DGAs support persistent command-and-control communication, see our breakdown of C2 server behavior and attack techniques.

    DGA-Based C2 Communication

    Types of DGAs

    DGAs vary in their logic and structure. Some are built for predictability between infected devices and the attacker, while others are designed purely for obfuscation. The most common types include:

    • Time-Based DGAs
      Domains are generated based on the system clock, often tied to the date or time. This allows attacker and victim systems to stay in sync without external coordination.

    • Seed-Based DGAs
      Use a shared input value—like a specific string or mathematical function—to produce domain names. These are predictable if the seed and algorithm are known.

    • Wordlist DGAs
      Combine words from dictionaries to form domain names that appear more legitimate (e.g., cloud-service-info.com). These can be harder to detect using pattern-based filtering.

    • Character-Based or Randomized DGAs
      Generate domains using random or pseudo-random character strings, often producing nonsensical results like xozekcj.biz. These are more obviously suspicious but difficult to track due to volume.

    Why Attackers Use DGAs

    Attackers turn to Domain Generation Algorithms because they offer flexibility, redundancy, and scale—allowing malware to rotate through thousands of domains to maintain contact with command-and-control servers. By design, DGAs are difficult to detect and disrupt because they constantly shift infrastructure. These techniques evade traditional security tools, pushing defenders to move beyond static blocklists and adopt adaptive, DNS-layer defenses. Common reasons threat actors use DGAs:

    • Evade static blocklists and domain sinkholing

    • Avoid dependency on infrastructure that can be easily blacklisted

    • Increase redundancy and resilience in case some domains are discovered and neutralized

    • Enable long-term persistence for malware, even after takedown attempts

    By continuously rotating domains, DGAs ensure that even if a portion of their infrastructure is blocked, some communication channels remain open.

    Effects of DGAs

    From a security perspective, DGAs significantly complicate detection and response efforts. Their use has several downstream effects:

    • Makes malware more difficult to detect and contain, especially in the early stages of infection

    • Increases DNS traffic noise, making it harder to distinguish legitimate from malicious activity

    • Enables ongoing command-and-control communication, allowing attackers to issue commands or extract data over time

    • Challenges traditional blocklist-based defenses, requiring more advanced anomaly detection models

    • Demands advanced DNS-layer security that can identify DGA-based patterns, flag anomalous queries, and prevent successful connections

    Without specialized detection, even well-monitored networks can miss active malware using DGAs. DNS filtering with machine learning-based DGA detection can stop these threats before a connection is ever established.
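    As an added example (not code from the original page or from DNSFilter), the small Python check below combines the two signals this section and the "Types of DGAs" section describe: the lexical look of randomized labels such as xozekcj.biz, and the high NXDOMAIN ratio an infected client produces while walking through domains the attacker never registered. The log lines are constructed, the thresholds are illustrative assumptions, and the wordlist-style name cloud-service-info.com is included to show that it slips past the lexical check and is caught only through its client's behaviour.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "<client> <qname> <rcode>".
# The randomized names and the wordlist-style name are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 xozekcj.biz NXDOMAIN
10.0.0.9 qlvmxwpr.info NXDOMAIN
10.0.0.9 zpxwqkvtl.net NXDOMAIN
10.0.0.9 hwkqzvtmxp.org NXDOMAIN
10.0.0.9 cloud-service-info.com NOERROR
10.0.0.9 jxkqwzfvn.biz NXDOMAIN
10.0.0.5 cdn.example.net NOERROR
"""

VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_randomized(domain):
    """Lexical check on the registrable label (left of the TLD): long, few vowels,
    high entropy. Thresholds are illustrative assumptions. Wordlist names such as
    cloud-service-info.com pass, which is why a traffic-level signal is needed too."""
    label = domain.rstrip(".").split(".")[-2].replace("-", "")
    if len(label) < 7:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio <= 0.3 and shannon_entropy(label) >= 2.5

def analyze(log_text, nx_threshold=0.5):
    """Flag randomized-looking names and clients whose NXDOMAIN ratio is high."""
    flagged, totals, nxdomains = set(), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        totals[client] += 1
        if rcode == "NXDOMAIN":
            nxdomains[client] += 1
        if looks_randomized(qname):
            flagged.add(qname)
    ratios = {c: nxdomains[c] / totals[c] for c in totals}
    suspects = {c for c, r in ratios.items() if r >= nx_threshold}
    return {"flagged": flagged, "nx_ratio": ratios, "suspect_clients": suspects}
```

    Calling analyze(SAMPLE_LOG) flags the five randomized names and client 10.0.0.9 (five NXDOMAIN answers out of six queries), while cloud-service-info.com itself is never flagged.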

    DGA vs. Other Command-and-Control Techniques

    DGAs are one of several techniques used to maintain communication between malware and its operator. Here’s how they compare to others:

    • DGAs – Focuses on the automated generation of new domains rather than reusing or hiding behind existing ones.

    • Static Domains/IPs – Simple, fixed infrastructure—easy to block and less flexible for attackers.

    • Fast Flux – Uses a static domain name but rapidly rotates associated IP addresses to evade blacklisting.

    • Domain Shadowing – Involves hijacking legitimate domains (often through compromised DNS accounts) to serve malicious purposes.


    Examples of DGAs

    DGA-based malware has been used in some of the most evasive and persistent threats observed in the wild. These examples show how attackers use domain generation to maintain long-term command-and-control communication, avoid takedowns, and outmaneuver traditional security tools.

    Real-World Examples

    • Conficker – One of the earliest known uses of a DGA. It generated 250 domains per day, forcing defenders to register and block massive domain lists to contain it.

    • Necurs – A prolific spam botnet that used DGA to distribute malware payloads and avoid takedown efforts.

    • Bebloh and CoreBot – Employed time-based DGA methods to generate synchronized domains across infected systems.

    • Emotet – Integrated DGA as a fallback mechanism for command-and-control if primary infrastructure was blocked.

    • Gameover Zeus and Kovter – Combined DGA with peer-to-peer communication and fast flux to resist detection and infrastructure disruption.

    For more on how DGAs played a role in high-profile threats, read our analysis of the Sunburst attack and DNS request patterns.

    Who Might Need DGA Protection?

    • Enterprise IT Teams – Need visibility into DNS traffic to detect hidden command-and-control channels.

    • Security Operations Centers (SOCs) – Monitor for DGA patterns as part of threat hunting and incident response.

    • Organizations targeted by APTs or malware campaigns – Require DNS filtering tools that detect algorithmically generated domain queries.

    Stop DGA-Based Malware at the DNS Layer

    DGAs are designed to evade detection—but they rely on domain lookups to function. DNSFilter’s AI-driven threat detection identifies and blocks DGA-generated domains in real time, cutting off malware communication before it begins.

    Protect your network from evasive threats with DGA-aware DNS-layer security.
    Explore DNSFilter’s Malicious Domain Protection →