DNS Intelligence, what it means and why it is important for protection against cyber attacks

A basic component for protection against cyber attacks

DNS Intelligence is defined as the analysis of data which come from DNS systems and from users’ interactions with internet sites. In this article, we clarify the concept of DNS Intelligence and demonstrate how important it is to consider it as a browsing protection strategy.

1. What is DNS Intelligence

The term DNS Intelligence is often paired with “threat” precisely to highlight its importance as a strategy for protection when browsing the internet.
DNS Intelligence means analyzing data provided by DNS systems and by the interaction of the users with internet sites through these systems. Data collection and their analysis allow for the identification (sooner and better) of potentially dangerous sites, blocking access.

One can think of DNS (Domain Name System) as a sort of telephone book of internet sites. When a user types in a domain name to access a site from a browser program, the typed name (flashstart.com) is instantly converted to the IP address of the site, or of the computer in which the site is located. This is because the computer only understands numbers.

In the case of the domain name flashstart.com, for example, the related IP address is 151.139.128.11. Whenever a user wants to connect to flashstart.com through the navigation program, the computer makes successive requests to the various systems that make up a DNS system. Greatly simplifying a path, which is otherwise complicated, the browser accesses an association database (IP-domain name) in which flashstart.com is associated at 151.139.128.11. At this point, the browser makes the connection with the computer that has that IP address and which hosts the flashstart.com site. This all happens instantaneously and transparently for the user.

It should be noted, however, that there is no two-way correspondence between IP address and domain name. For example, the machine with IP address 151.139.128.11 corresponds to as many as 44,000 sites. So, DNS analysis makes it possible to identify the machine with a certain IP that contains the files that form the searched site.

Therefore, DNS systems are universal registries, databases distributed across several servers categorized first into domain extensions (.com, .it, .edu). Such a “container” within a DNS server stores domain information while acquiring information from non-archived domains, as well.
The servers scattered around the world which store and manage domain names, categorized according to domain extensions (technically DNS root zone), are called root nameservers, and there are thirteen of them worldwide.
The purpose of DNS Intelligence, ultimately, is to secure the path to DNS resolution by a computer. Browsing protection will be better guaranteed when more information is captured and processed about a certain site.

2. Why DNS Intelligence protects browsing

The DNS system consists of several stops, which are nothing more than computers which contain logs, and search and response applications within them. We do not realize it, but the innocent request to connect to flashstart.com triggers a series of checks and questions and answers among the various computers in the DNS system.

In addition, to prevent each stop from slowing down the request, there are cache memories within those computers that are populated as the sites visited prove secure, and this is possible precisely because of DNS Intelligence. In other words, if I want to connect to google.com, I’m very likely to access a Google homepage stored along the way. This avoids going through the standard procedures, which would lead to a slowdown in the connection. However, and it has happened, it can happen that the google.com domain stored in a cache along the path directs me to a different site. And that would be a big problem.

This is precisely the reason why it is in these logs, these temporary memories, that cyber criminals break in to modify information. So, the goal is to make a site appear “clean” when it is not, or to make a user believe that he is accessing the requested site but, in reality, he ends up in a nightmare.
Therefore, the DNS system is vulnerable. And DNS Intelligence aims to make it more secure. Moreover, many stops in a DNS system are accessible to system administrators, who modify them to prevent the domains they manage from ending up on a blacklist for some reason and from being inaccessible. Therefore, it could be said that DNS systems are very (too) busy, so it is better to activate an Intelligence that constantly monitors them.

Finally, DNS Intelligence also proves very useful in investigations. Knowing everything possible about a site, and how it is connected to a DNS system, makes it possible to reconstruct the paths taken by a cybercriminal, increasing the chances of catching him.


>> FlashStart protects you from a wide range of threats and blocks access to malicious sites → Start your  free trial now


3. How DNS Intelligence is achieved

A DNS Intelligence model is achieved through a software or application service. The operative words are: timely update. The goal is to analyze all possible information about sites, not only what can be found on the sites themselves but what can be gleaned from users’ visits and user experience.

The Netcraft  site tells us that there are just over a billion sites in the world, although less than 200 million are regularly updated. A rough count states that about 250,000 new sites are created worldwide in 24 hours.
The purpose of DNS Intelligence is to monitor updates to existing sites and register new ones through Intelligence activity, in other words, also gathering as much information as possible about the sites from users’ real-time browsing.

Specifically, the algorithms of DNS Intelligence services monitor the addition of new domains and subdomains, historical data and new content in DNS records, domain name-IP associations, links between domains, WHOIS records (who registered a domain name), malicious activity, and more.

4. Examples of DNS Intelligence activities

The activities of a DNS Intelligence system are diverse. To understand the level of Intelligence, we report the checks, thanks to the software, that are performed on a single website:

» Analysis of DNS records present on a site
» Checking of historical DNS records (days, months, years)
» Mapping of subdomains to put it in order and update it
» Reverse DNS records by running backward from the site to the DNS systems
» Checking of names at one of the stations in the path to resolve DNS, the registrar
» Record history: checking of DNS records created by the registrar
» Analysis of the registrar’s historical names by going backward for years
» DNS software identification: information on the software for the DNS server used
» Associated domain names: detection of associated domains hosted on the same networks as the main domain
» Associated IPs: same analysis as above but on IP addresses.

The latest generation of DNS Intelligence algorithms uses machine learning and, in general, artificial intelligence . This is because the amount of data to be analyzed is enormous, and the analysis must be done quickly. These algorithms are then integrated into broader solutions to filter browsing, such as FlashStart’s service.


>> FlashStart is the webfilter that protects over 20 million users. Join the community and start your  free trial now


To be specific, FlashStart’s service can boast 92.5 percent effectiveness, meaning 925 sites out of one thousand cataloged are to be considered clean and safe. One need not worry about the 75 sites that are left out of the analysis. These are incomplete sites, written in unintelligible languages and otherwise harmless.

The DNS Intelligence that is integrated into the FlashStart offer has already surveyed 190 million sites, which are spread out in 85 categories which, in turn, form the blacklists of DNS systems. Artificial Intelligence algorithms which have been fine-tuned by FlashStart examine about 40 thousand new domains per day, plus additional alerts received from different channels and from users’ (anonymous) browsing information. FlashStart filters about 5 billion DNS requests every day in more than 140 countries. It blocks resolution about 340 million times, and, among these, about 21 million involve malware threats and fraud.


You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.

Related posts