Building on Machine Learning in Our Protective DNS



What is Malicious Domain Protection?

Malicious Domain Protection began at DNSFilter as a research project to assess whether some malicious domains can be detected by inspecting solely the domain string. This effort follows a vein of academic research; a thorough review can be found in Harald Vranken and Hassan Alizadeh, “Detection of DGA-generated domain names with TF-IDF,” Electronics, vol. 11, no. 3, 414, 2022. The basic premise is that some malware communicates with adversaries using domains created procedurally by domain-generation algorithms (DGAs) to evade detection by security tools looking for domains already known to be malicious. Typically, DGA domains are characterized by their completely random appearance, as if the user had typed the domain accidentally while trying to clean up coffee spilled on a keyboard. (More sophisticated domain-generation algorithms use words, or parts of words, in a bid for inconspicuousness.)

The goal of Malicious Domain Protection is to inspect these domain strings and accurately assess their risk. While DGA domains are a huge portion of what we’re able to assess with this new feature, it goes beyond DGAs and may catch domains that fall into other threat vectors.
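To make the “inspect solely the domain string” idea concrete, here is an added, self-contained Python example; it is not DNSFilter’s model or code, and the benign corpus, thresholds and sample domains are all constructed for illustration. It extracts purely lexical features from the registrable label (entropy, vowel and digit ratios, the longest consonant run, and the share of character bigrams never seen in a small known-good corpus, a rough stand-in for the rare-n-gram signal that TF-IDF approaches exploit) and combines them into a simple risk score.

```python
import math
import string
from collections import Counter

# Constructed benign registrable labels used as a tiny "known-good" corpus.
# Illustrative only; not DNSFilter's training data or model.
BENIGN_LABELS = [
    "google", "wikipedia", "microsoft", "amazon", "github", "example",
    "netflix", "cloudflare", "mozilla", "apple", "youtube", "facebook",
    "stackoverflow", "reddit", "twitter", "linkedin", "dropbox", "adobe",
]

ALPHABET = set(string.ascii_lowercase + string.digits + "-")
VOWELS = set("aeiou")


def bigrams(label):
    return [label[i:i + 2] for i in range(len(label) - 1)]


# Character-bigram counts over the benign corpus. A bigram that never occurs
# here is "rare" in the sense the TF-IDF-style approaches exploit.
BENIGN_BIGRAMS = Counter(b for label in BENIGN_LABELS for b in bigrams(label))


def registrable_label(domain):
    """Naively take the label left of the last one as the registrable label.

    Simplification: a real system consults the public-suffix list so that
    'shop.example.co.uk' yields 'example', not 'co'."""
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    if len(labels) < 2:
        return labels[0] if labels else ""
    return labels[-2]


def shannon_entropy(s):
    """Bits of entropy per character; high values mean near-uniform letter use."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def features(domain):
    """Lexical features computed from the domain string alone."""
    label = "".join(ch for ch in registrable_label(domain) if ch in ALPHABET)
    n = len(label) or 1
    pairs = bigrams(label)
    unseen = sum(1 for p in pairs if BENIGN_BIGRAMS[p] == 0)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "consonant_run": longest_consonant_run(label),
        "unseen_bigram_ratio": unseen / len(pairs) if pairs else 0.0,
    }


def risk_score(domain):
    """Hand-picked thresholds, one point each; a trained model would instead
    learn weights for these features from labelled data."""
    f = features(domain)
    checks = [
        f["length"] >= 12,
        f["entropy"] >= 3.5,
        f["vowel_ratio"] < 0.25,
        f["consonant_run"] >= 4,
        f["digit_ratio"] > 0.2,
        f["unseen_bigram_ratio"] > 0.6,
    ]
    return sum(checks)


def is_suspicious(domain, threshold=3):
    return risk_score(domain) >= threshold


if __name__ == "__main__":
    # Constructed sample queries, not real traffic.
    for d in ["www.google.com", "secure-login.example.org",
              "xkqjwzrtpvhfnmb.com", "a3f9k2x7m1p4q8.com"]:
        print(f"{d:28s} score={risk_score(d)} suspicious={is_suspicious(d)}")
```

The two random-looking labels trip every check, while the dictionary-word labels trip none. The limitation the paragraph above mentions is visible here too: a word-based generator produces labels with ordinary entropy and familiar bigrams, so a scorer built on these features alone would rate them low, which is why richer models and additional signals matter.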

This project is now available for all customers to implement under the “extra settings” tab when creating a policy.


Why focus on just the domain string?

Can the quality of the Malicious Domain Protection be improved if we include additional data elements besides the domain string?

Malicious Domain Protection has the most value when there is relatively little other information about a domain. As a protective DNS provider, we will sometimes see queries for which there are no DNS records; inferring the riskiness of these domains lets us evaluate whether we should block them before they’re even registered. While waiting for additional information (such as a DNS response or registration information) could provide more protection for customers and more context for our assessments, we judge that the corresponding delay is unfavorable.

That said, we are exploring how to incorporate the multimodal, heterogeneous DNS data and feed data into our risk assessments. DNS query data is incredibly rich, and at DNSFilter, we have a powerful data collection engine, supplemented by our third-party feed subscriptions. We intend to take full advantage of all of this data to protect our customers.

Are there any success stories about Malicious Domain Protection?

As a part of the Malicious Domain Protection pilot study, we monitored customers’ queries to domains that are malicious according to Malicious Domain Protection. On several occasions, we observed a very large number of high-risk queries, and customer support reached out to those customers with the specific details of these queries. While we can’t speak to specifics, we did observe a precipitous drop in the number of high-risk queries that these customers made after we reached out and made them aware of this behavior; we attribute this to customers taking remedial action to stop the activities that led to these queries.

In the testing phase, Malicious Domain Protection identified more than 7,000 risky domains not yet identified by any other feeds. Threats were identified up to 10 days ahead of other third-party feeds with one domain being caught 59 days ahead.

Implement Malicious Domain Protection by logging into the app and navigating to Policy → Advanced → Extra Settings.

[Screenshot: DNS Filter Settings]