← Back to Blog

Research entry

DNS Threat Intelligence: Detecting DGA Families in the Wild

9 March 2026 · 6 min read

Technical notes on detecting domain generation algorithms through DNS traffic analysis — expanding on published research at Akamai.

Security DNS Threat Intelligence Machine Learning

Domain Generation Algorithms are one of the more persistent problems in network security. At their core, DGAs are simple: malware uses an algorithm to produce a large set of pseudo-random domain names, then attempts to resolve them via DNS. The attacker only needs to register a handful of those domains at any given time, and the infected host will eventually find one that resolves to a live command-and-control server. From the defender’s perspective, static blocklists are nearly useless — the domain set is enormous and constantly rotating.

I spent a significant chunk of my time at Akamai working on this problem. Some of the research I coauthored with Stijn Tilborghs was published on the Akamai blog, including a piece on DGA families with dynamic seeds that digs into how certain families behave in real DNS traffic. This post expands on that work with some broader notes on detection, scale, and operational lessons.

Why DNS Is the Signal

Every DGA domain, regardless of the malware family or the algorithm behind it, has to be resolved through DNS before it can be used. That makes DNS the universal chokepoint. If you have visibility into DNS query traffic at scale — which Akamai does, handling trillions of queries — you have a vantage point that cuts across malware families, network configurations, and evasion techniques.

The signal is especially useful because DNS queries happen early in the kill chain. An infected machine will issue dozens or hundreds of DGA lookups before it finds a live C2 domain. Most of those queries return NXDOMAIN (non-existent domain), which creates a distinctive pattern: a burst of failed lookups for domains that look algorithmically generated. That pattern is detectable even when the malware itself is obfuscated or unknown.

Detection Approaches

The standard approach to DGA detection leans heavily on feature engineering over the domain string itself. The most reliable features include:

  • Shannon entropy — DGA domains tend to have higher entropy than legitimate domains because the character distribution is more uniform. A domain like xkjf8qwm3np.com looks very different from amazon.com in entropy terms.
  • N-gram frequency — Legitimate domains are constrained by human language patterns. Bigram and trigram frequencies drawn from natural language corpora can score how “pronounceable” a domain is. DGA domains score poorly.
  • Length distribution — Many DGA families produce domains of consistent length (determined by the algorithm), which stands out against the varied lengths of legitimate domains.
  • Vowel-to-consonant ratio — A simple but effective heuristic. Algorithmically generated strings tend to have different vowel ratios than strings derived from words.

These features feed into classifiers — random forests and gradient-boosted trees work well here, though deep learning approaches using character-level embeddings have shown promise for families that are harder to catch with hand-crafted features. The tradeoff is interpretability: when a model flags a domain, analysts want to understand why, and tree-based models make that easier.

Dynamic Seed Analysis

Not all DGA families use a static seed. Some incorporate dynamic inputs — the current date, trending news headlines, or other externally observable data — to generate their domain lists. This is where things get interesting from a detection standpoint.

Date-seeded DGAs are the most common variant. The malware uses the current date (sometimes with timezone sensitivity) to deterministically generate domains for that day. This means the domain set rotates daily, making proactive blocking possible if you can reverse-engineer the algorithm. But it also means that historical DNS data shows a clear temporal pattern: clusters of NXDOMAIN queries that align with date boundaries.

Headline-seeded DGAs are rarer but harder to anticipate. The malware scrapes a public source — a news site, a Twitter trending topic — and uses that text as a seed. The attacker and the malware independently observe the same public data, so they agree on the seed without any direct communication. From a detection perspective, you lose the ability to predict future domains, but the DNS traffic patterns (bursts of high-entropy NXDOMAIN queries) remain detectable.

The Akamai research on dynamic seeds goes deeper into the specific DNS behaviors these families produce and why static reverse-engineering is not enough.

Scale Challenges

Working with DNS data at Akamai scale introduces problems that do not exist in a lab environment. When you are processing billions of queries per day, even a low false-positive rate produces an unmanageable number of alerts. A classifier that is 99.9% accurate still flags millions of legitimate domains incorrectly at that volume.

This means the detection pipeline has to be layered. The ML classifier is a first pass, not the final word. Downstream filtering uses allowlists of known-good domains, reputation scoring, temporal correlation (is this domain part of a burst of NXDOMAIN queries from the same resolver?), and clustering (do multiple flagged domains share algorithmic characteristics suggesting a single DGA family?). Each layer reduces false positives while preserving true detections.

Performance is another constraint. Feature extraction and classification need to happen in near real-time. Batch processing that runs hours behind the live query stream misses the window where detection is most valuable — before the infected host successfully reaches C2. This pushes toward simpler, faster models in the hot path with more expensive analysis running asynchronously on flagged candidates.

Lessons Learned

A few things generalize well across DGA families. Entropy-based features are nearly universal detectors — most algorithmic generation produces higher entropy than human language. Temporal patterns in NXDOMAIN responses are strong indicators regardless of the specific algorithm. And clustering flagged domains by shared features (length, character set, TLD) is an effective way to group detections into families for analyst review.

What does not generalize is the specific algorithm structure. Each DGA family has its own quirks — seed sources, character sets, length parameters, TLD selection. Models trained heavily on one family may miss another entirely. This argues for ensemble approaches and regular retraining as new families emerge.

Operationally, the biggest lesson is that detection is only half the problem. The other half is response workflow: how flagged domains get triaged, how blocking decisions are made, and how false positives get fed back into model improvement. A detection system that produces great results but overwhelms the analyst team with noise is not effective in practice.

DNS remains one of the best vantage points for network-level threat detection. The signal is rich, the coverage is broad, and the infrastructure for large-scale analysis already exists at organizations that operate recursive resolvers. DGA detection is just one application — the same data and many of the same techniques apply to phishing infrastructure detection, data exfiltration via DNS tunneling, and other threat categories.