Domain Generation Algorithms (DGAs) are techniques used by malware to algorithmically create large numbers of domain names that can be used to reach command-and-control (C2) servers. Rather than relying on a single, static domain that defenders can easily block, a DGA produces hundreds or even thousands of candidate domains per day. An infected host works through that list, attempting to resolve each name until it finds one the attacker has actually registered, and then uses that domain to receive further instructions, updates, or payloads.
This technique allows malware to remain resilient and stealthy, making detection and disruption significantly harder for traditional security tools.
DGAs were introduced to help malware evade static defenses. Traditional malware often relied on hardcoded IP addresses or fixed domains to connect with its C2 infrastructure. Security teams could block these endpoints or take down the domains to disrupt communication.
DGAs make this approach far less effective. The malware and the attacker run the same algorithm with the same seed (most commonly the current date), so both sides derive an identical list of candidate domains without ever exchanging it. The infected host cycles through that rotating list, and the attacker only needs to register one of the names to re-establish control or deliver additional instructions. Blocking or sinkholing a single domain buys defenders little, because the next seed period yields a fresh list.
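The mechanism described above, as an added illustration rather than any real malware family's algorithm: a minimal date-seeded DGA in which the attacker and the victim each compute the day's candidate list independently, the attacker registers exactly one name, and the victim finds it by walking the list. The `SECRET` constant, the `TLDS` tuple, the fake zone and the date are all invented for the example; the hash-chain construction is one common design, not a specific family's.

```python
"""Added example: a toy date-seeded DGA showing why both sides agree on the
same domain list without communicating.  Not taken from any real malware."""
from __future__ import annotations

import hashlib
from datetime import date

TLDS = ("com", "net", "org")        # constructed for the example
SECRET = b"example-seed"             # hypothetical per-family constant compiled into the binary


def dga(day: date, count: int = 10) -> list[str]:
    """Derive `count` deterministic domains for `day` from a SHA-256 hash chain.

    Anyone holding SECRET and the date (both sides of a real infection do)
    produces an identical list, so no seed ever needs to cross the wire.
    """
    domains = []
    state = hashlib.sha256(SECRET + day.isoformat().encode()).digest()
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        length = 8 + state[0] % 8                       # 8..15 character labels
        label = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        tld = TLDS[state[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def attacker_register(day: date, index: int = 0) -> str:
    """Attacker side: register only ONE of the day's candidates, by position."""
    return dga(day)[index]


def victim_beacon(day: date, resolver: dict[str, str]) -> str | None:
    """Victim side: walk today's list and stop at the first name that resolves.

    `resolver` stands in for DNS; it maps registered names to an IP address.
    Every name tried before the hit is a lookup a DNS-layer defender can see.
    """
    for name in dga(day):
        if name in resolver:
            return name
    return None


if __name__ == "__main__":
    today = date(2024, 3, 1)                    # constructed date
    zone = {attacker_register(today, 3): "203.0.113.10"}   # attacker registers the 4th candidate
    print("today's candidates:", dga(today)[:4])
    print("victim reaches:", victim_beacon(today, zone))
```

Note that the victim's failed lookups of the first three candidates (NXDOMAIN responses) are themselves a detectable signal; a DGA trades a small, noisy DNS footprint for resilience against domain takedowns.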
This method is common in botnets, ransomware, and advanced persistent threats (APTs), where long-term stealth and resilience are essential. To understand how DGAs support persistent command-and-control communication, see our breakdown of C2 server behavior and attack techniques.
DGAs vary in their logic and structure. Some prioritize a predictable, reproducible sequence shared between infected devices and the attacker; others prioritize output that blends in with legitimate domain names to evade lexical detection. The most common types include:
Attackers turn to Domain Generation Algorithms because they offer flexibility, redundancy, and scale—allowing malware to rotate through thousands of domains to maintain contact with command-and-control servers. By design, DGAs are difficult to detect and disrupt because they constantly shift infrastructure. These techniques evade traditional security tools, pushing defenders to move beyond static blocklists and adopt adaptive, DNS-layer defenses. Common reasons threat actors use DGAs:
By continuously rotating domains, DGAs ensure that even if a portion of their infrastructure is blocked, some communication channels remain open.
From a security perspective, DGAs significantly complicate detection and response efforts. Their use has several downstream effects:
Without specialized detection, even well-monitored networks can miss active malware using DGAs. Because every beacon starts with a DNS lookup, DNS filtering that scores queries for DGA characteristics (lexical features such as label entropy and character distribution, per-host lookup volume, and NXDOMAIN rates, typically with a machine-learning classifier) can block the resolution before a connection to the C2 server is ever established.
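The detection idea described above, as an added example (not DNSFilter's product logic or model): a lightweight heuristic scorer run over constructed DNS query-log lines. It uses three cheap lexical features and a per-client burst count; commercial detectors train classifiers on many more features, so this shows the shape of the signal, not a production model. The log lines, the regular expression, the feature thresholds and the client addresses are all assumptions made for the example.

```python
"""Added example: heuristic DGA scoring over constructed DNS query logs.
Thresholds are assumptions tuned on this sample only, not production values."""
from __future__ import annotations

import math
import re
from collections import Counter

# Constructed log lines in a BIND-style query-log shape (invented, not captured).
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: www.example.com IN A
client 10.0.0.5#53212: query: mail.google.com IN A
client 10.0.0.7#41000: query: xkqzvbtrlmwp.net IN A
client 10.0.0.7#41001: query: jwplfqmczhdt.com IN A
client 10.0.0.7#41002: query: bqtmvzrkxhwp.org IN A
client 10.0.0.9#50000: query: wikipedia.org IN AAAA
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN ")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def registrable_label(name: str) -> str:
    """Label directly left of the TLD.  Assumes single-label TLDs; real code
    consults the Public Suffix List so 'foo.co.uk' is not scored as 'co'."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random 12-letter labels land near 3.5, words lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_score(label: str) -> float:
    """Score in [0, 1] from three lexical features (thresholds are assumptions).

    Random labels: high entropy, few vowels, long consonant runs.
    Dictionary words: lower entropy and a vowel roughly every 2-3 letters.
    """
    if len(label) < 7:                      # short labels carry too little signal
        return 0.0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    runs = CONSONANT_RUN.findall(label)
    longest_run = max((len(r) for r in runs), default=0)
    score = 0.0
    if shannon_entropy(label) > 3.0:
        score += 0.4
    if vowel_ratio < 0.2:
        score += 0.4
    if longest_run >= 5:
        score += 0.2
    return score


def scan_log(log_text: str, threshold: float = 0.6, min_hits: int = 3) -> dict[str, list[str]]:
    """Return {client: [suspicious names]} for clients with >= min_hits DGA-like queries.

    Counting per client matters: one odd-looking name is normal (CDN and
    tracking hostnames look random too), while a burst of them from a single
    host is the 'walk the candidate list' pattern a DGA produces.
    """
    hits: dict[str, list[str]] = {}
    for m in QUERY_RE.finditer(log_text):
        name = m.group("name")
        if dga_score(registrable_label(name)) >= threshold:
            hits.setdefault(m.group("src"), []).append(name)
    return {src: names for src, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in scan_log(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[0]}")
```

Two caveats a practitioner would add before deploying even a model-based version: score only the registrable domain, never the full hostname (otherwise every CDN label trips the detector), and pair lexical scoring with response data, since a host receiving a run of NXDOMAIN answers for high-entropy names is far stronger evidence than the names alone.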
DGAs are one of several techniques used to maintain communication between malware and its operator. Here’s how they compare to others:
| Technique | Description |
| --- | --- |
| DGAs | Automatically generate a fresh, algorithm-derived set of domains rather than reusing or hiding behind existing ones; the attacker registers only the few it needs. |
| Static Domains/IPs | Simple, fixed infrastructure that is easy to block or take down and offers attackers little flexibility. |
| Fast Flux | Keeps a static domain name but rapidly rotates the IP addresses it resolves to (often across compromised hosts) to evade IP blocklisting. |
| Domain Shadowing | Creates malicious subdomains under legitimate domains, typically through compromised registrar or DNS-provider accounts, so the traffic inherits the parent domain's reputation. |
DGA-based malware has been used in some of the most evasive and persistent threats observed in the wild. These examples show how attackers use domain generation to maintain long-term command-and-control communication, avoid takedowns, and outmaneuver traditional security tools.
For more on how DGAs played a role in high-profile threats, read our analysis of the Sunburst attack and DNS request patterns.
DGAs are designed to evade detection—but they rely on domain lookups to function. DNSFilter’s AI-driven threat detection identifies and blocks DGA-generated domains in real time, cutting off malware communication before it begins.
Protect your network from evasive threats with DGA-aware DNS-layer security.
Explore DNSFilter’s Malicious Domain Protection →