Role of security and threat intelligence in the DNS4EU project

One of the key aspects of the DNS4EU resolver is protecting people, telcos and governments against cyber security threats such as malware, phishing and many others. Any device connected to the DNS4EU resolver trying to access a malicious domain is stopped before the damage is caused. In order to provide the state-of-the-art solution, multiple activities have been initiated.

security blog post

Whalebone, as the lead consortium member, developed a threat intelligence backend. The role of the backend is to deliver newly observed malicious domains in real time to each of the resolvers. People can thus be protected almost immediately after a new threat has been identified. The threat intelligence database is continuously updated with reliable and up-to-date information on global threats. As any feed can potentially contain an incorrectly included benign domain, each uploaded domain is verified with multiple sources and accuracy checks. The accuracy techniques include but are not limited to various whitelists, network traffic analysis or popularity lists.

Ongoing activities focus mainly on regional and national-level threat intelligence and also on state-of-the-art and newly developed machine learning models aimed at phishing, malware and command & control (c&c) detection.

In terms of regional threat coverage, Whalebone coordinates collaboration with national level threat intelligence from Computer Emergency Response Teams (CERT) and Computer Security Incident Response Teams (CSIRTs) in European countries. DNS4EU operates its own MISP instance ( where the technical connection with contributing institutions takes place. All contributions are directly and in real time propagated onto the DNS4EU resolvers. This is a unique and innovative way how the valuable analyses and findings about ongoing malicious campaigns can be translated into real and effective protection for all European citizens in real-time.

For newly developed detection models focused on phishing, malware and c&c detection, there is an intensive cooperation between the consortium partners. NASK is working on machine learning models detecting newly registered domains or domains newly observed in network traffic targeting phishing attacks. The models learn from the previously detected malicious domains and apply the knowledge to new ones. Similarly, CTU is working on other models aiming at malware and c&c. Whalebone coordinates these activities and provides all necessary guidance to the partners.

Support for lawful filtering is also an integral part of the project. DNS4EU resolvers will support and follow EU and country specific rules and regulations by implementing regulatory feeds of all 27 EU countries. This activity is coordinated with legal experts working on a compliance work package within the DNS4EU project and the technical implementation is executed by Whalebone and DNSC.

This blog post was written by Whalebone, a leader of DNS4EU consortium.