While DNS4EU is the major EU-wide initiative focused on privacy, security, and digital sovereignty, its true protective power comes from something deeper: Threat Intelligence. In the current, high-stakes cyber environment, this real-time data is the critical layer that transforms a standard DNS resolver into a powerful cyber shield.
Mr. Viliam Peli, Threat Intelligence Lead at Whalebone, joins us to guide readers through the mechanics of how DNS4EU collects, shares, and acts upon intelligence to safeguard the European digital space from the newest and most sophisticated attacks.
How is threat intelligence shared within DNS4EU, especially using resources like a Malware Information Sharing Platform (MISP)?
Threat intelligence in DNS4EU is shared mainly through MISP, an open-source platform that enables secure and real-time exchange of threat data – particularly with national CERTs. We also use tools like IntelMQ to aggregate additional intelligence from external feeds, then analyse and validate these inputs on our own backend systems to ensure accurate protection.
How does DNS4EU collect and integrate threat intelligence feeds, and what role do CERTs and national agencies play in this process?
DNS4EU collects and integrates threat intelligence feeds from a range of sources, with a strong emphasis on cooperation with national CERTs and agencies. Each feed is thoroughly evaluated, and its indicators are scored to ensure the best balance between true and false positives before integration. National CERTs play a key role by sharing insights on new and emerging threats in their regions, which enables DNS4EU to rapidly deploy protections and safeguard all users against current risks.
How quickly can DNS4EU react when a new phishing domain or malware command-and-control server is detected?
DNS4EU leverages close cooperation and advanced technologies to detect and block new phishing domains or malware servers rapidly – often within minutes of identification. Detection speed varies case by case, but our regional expertise and real-time intelligence sharing help us stop many millions of daily threats before they reach end users. While instant detection of every threat is not possible, our results show strong protection and fast reaction to emerging attacks.
What does the workflow look like – from detection of a new threat to propagation across all resolvers in the EU?
When a new threat is detected, we obtain the indicator of compromise (IOC) from trusted sources – our own detection infrastructure, commercial feeds, or partner agencies. The data is then enriched with additional intelligence, scored using automated evaluation systems, and compared against multiple accuracy checks. Once the IOC reaches a blocking threshold, it is instantly propagated to all DNS4EU resolvers across the EU, where it is continuously re-evaluated and later removed once it is no longer active or malicious.
How do you manage false positives or prevent legitimate domains from being wrongly blocked?
DNS4EU uses automated scoring systems and dedicated whitelists to reduce false positives and avoid blocking legitimate domains. Every domain – even well-known ones – must pass through evaluation, ensuring that benign sites consistently receive negative scores and never reach blocking thresholds. This layered approach, combined with user appeal channels, helps maintain robust security while protecting access to legitimate resources.
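The workflow in the two answers above (score an IOC, block it at a threshold, keep re-evaluating, remove it when it goes quiet, and give whitelisted domains a negative score) is shown here as an added Python example. It is not DNS4EU or Whalebone code: the source weights, the blocking threshold, the 72-hour expiry and the `.example` domains are all assumptions made for illustration.

```python
# All weights, thresholds and domains below are assumed for illustration.
SOURCE_WEIGHT = {"own_detection": 40, "partner_cert": 35, "commercial_feed": 25}
BLOCK_THRESHOLD = 60
ALLOWLIST_SCORE = -100   # benign domains always land far below the threshold
MAX_AGE_HOURS = 72       # a sighting stops counting once it is this old

class Pipeline:
    def __init__(self, allowlist):
        self.allowlist = set(allowlist)
        self.sightings = {}     # domain -> {source: hour last reported}
        self.enrichment = {}    # domain -> extra points from enrichment
        self.blocklist = set()  # what would be pushed to every resolver

    def report(self, domain, source, hour, enrichment=0):
        """Record one sighting of an indicator, then re-score everything."""
        self.sightings.setdefault(domain, {})[source] = hour
        self.enrichment[domain] = max(self.enrichment.get(domain, 0), enrichment)
        return self.evaluate(hour)

    def score(self, domain, hour):
        if domain in self.allowlist:
            return ALLOWLIST_SCORE
        fresh = [s for s, seen in self.sightings[domain].items()
                 if hour - seen <= MAX_AGE_HOURS]
        if not fresh:           # nobody reports it any more: treat as inactive
            return 0
        return sum(SOURCE_WEIGHT[s] for s in fresh) + self.enrichment[domain]

    def evaluate(self, hour):
        """Re-score every indicator: block at the threshold, unblock below it."""
        for domain in self.sightings:
            if self.score(domain, hour) >= BLOCK_THRESHOLD:
                self.blocklist.add(domain)
            else:
                self.blocklist.discard(domain)
        return set(self.blocklist)

def demo():
    p = Pipeline(allowlist={"bank.example"})
    one = p.report("login-bank.example", "partner_cert", hour=0, enrichment=10)  # 45
    two = p.report("login-bank.example", "own_detection", hour=1)                # 85
    three = p.report("bank.example", "commercial_feed", hour=1, enrichment=50)   # -100
    expired = p.evaluate(hour=100)   # both sightings older than MAX_AGE_HOURS
    return one, two, three, expired

if __name__ == "__main__":
    print(demo())
```

A single partner report stays below the threshold, a second independent source pushes the domain onto the blocklist, the allowlisted domain is never blocked even when a feed reports it, and the block is lifted once no source has reported the indicator within the expiry window.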
From a threat intelligence standpoint, what are the advantages of Protective DNS (PDNS) as implemented by DNS4EU?
Protective DNS in DNS4EU offers several threat intelligence advantages: it enables real-time sharing and blocking of malicious domains across EU member states, leverages regional and global intelligence for rapid response, and reduces dependence on non-EU services for enhanced privacy and sovereignty. This approach helps ensure threats discovered in one country are quickly blocked Union-wide, providing high levels of protection against phishing, malware, and DNS abuse, without the need to install any app or program on your device.
To what extent does DNS4EU harness AI or automated systems to identify new threats and update blocklists in real time?
Machine learning helps analyse traffic patterns, regional intelligence, and open-source-intelligence (OSINT) data to identify emerging local threats like phishing campaigns. This allows for quick, continuous updates across all DNS4EU resolvers, providing timely and effective protection against new cyber threats while leveraging regional expertise.
Viliam Peli is the Threat Intelligence Lead at Whalebone, where he advances the global detection of malicious domains and campaigns through automation, large-scale analytics, and innovative threat intelligence strategies. He leads threat intelligence efforts for the DNS4EU project, building partnerships with governmental agencies, international cybersecurity stakeholders, and the research community to strengthen DNS-based protections across Europe.