DNSFilter Report Finds New Domains Surpassed Malware as Top Threat Type in Q1

Analysis finds highest-ever quarterly block rate for total DNS traffic

WASHINGTON, D.C. – April 24,  2025 – A new report released by DNSFilter today finds that new domains are proliferating, surpassing phishing and malware to become the most trafficked threat category on the DNSFilter network. In the first quarter of 2025, DNSFilter found that new domains were up 140% compared to the last quarter of 2024; of those, 19% were still potentially malicious as of early April. The report is available for download here.

The DNSFilter network processes about 170 billion DNS queries daily, 200 million of which are categorized as threats and blocked. The latter figure represents phishing campaigns that never reached their targets, ransomware that never infiltrated networks, and malware that never had the chance to spread. 

While new domains aren’t necessarily malicious, they should be treated as suspicious, and blocking this category can protect users from emerging threats and domains that have the potential to become malicious, since new domains are used frequently in phishing and malware campaigns. Threat actors increasingly register new domains for several reasons, including capitalizing on trends with catchy domain names. New domains often don't appear on blocklists yet, which buys attackers a window of time for exploitation. And many of these are used in “fast flux” attacks, where domains are cycled quickly to avoid detection.

Additional findings from the Threat Trends: DNSFilter Q1 Security Report include: 

• January recorded the highest DNS traffic volume of all time, followed closely by March. Across the quarter, 3.61% of total DNS traffic was blocked — the highest quarterly block rate on record. 
  
  
• The most blocked top level domain (TLD) on our network was .pw. This TLD (used in place of .com in a URL) has gained traction with threat actors, leading users to block the root domain.
  
  
• Malware and phishing incidences dropped in prevalence, representing a combined 36% of all threats in Q1. While they remain significant threats, new domains took the top spot. 

Ken Carnesi, CEO and co-founder, DNSFilter, said: “Prioritizing real-time detection of suspicious domains, particularly those lacking age or reputation signals, is critical for cybersecurity professionals and IT administrators. Analysis of the traffic we see on our network shows that bad actors are constantly churning out malicious domains that pose real risk to companies and individuals. By using our ‘new domains’ category, our customers can easily block suspicious domains proactively, mitigating risk and giving them tighter control of their network.”

About the company:

DNSFilter is making the Internet safer and workplaces more productive by blocking malicious and unwanted content at the DNS layer. DNSFilter resolves upwards of 170 billion daily queries—200 million of those queries are blocked cyber threats. With 79% of attacks using Domain Name System (DNS), DNSFilter provides the world's fastest protective DNS powered by AI, blocking threats an average of 10 days faster than traditional threat feeds. Over 40,000 organizations trust DNSFilter to protect them from advanced cyber threats and unwanted content.

Media Contact

Shannon Van Every

Force4 Technology Communications

Shannon@force4.co