From Billions of DNS Queries to Action: How Stratosphere Lab Helps Protect Europe’s Internet

This post summarises two recent presentations delivered by the Stratosphere Laboratory team — one at Ekoparty and another at Virus Bulletin — where we shared our work within the DNS4EU consortium. Both talks explored how artificial intelligence can protect Europe by detecting cyberattacks hidden among billions of DNS queries processed every day.

 

[Image: Stratosphere Lab presenting at Virus Bulletin. Image source: Virus Bulletin 2025]

Every day, billions of DNS queries are made across Europe. Hidden within them are the traces of cyberattacks, data exfiltration, and malware communications. Identifying these threats without compromising privacy or trust is one of the most significant challenges in modern cybersecurity.

At the Stratosphere Laboratory of the Czech Technical University in Prague, we are addressing this challenge as part of DNS4EU — the European initiative to build a secure, privacy-preserving DNS infrastructure for all EU citizens.

DNS4EU is Europe’s effort to take back control of its Internet infrastructure — ensuring that privacy, security, and digital sovereignty are not optional.

 

The Problem


For years, most European DNS traffic has been processed by commercial companies outside the EU. This created dependence and limited the ability to apply European data protection and security standards.

DNS4EU was created to change this by establishing a federated and transparent DNS resolver infrastructure entirely within Europe.

However, operating such a system introduces a new scale of complexity. The platform must process more than 1.5 billion DNS queries every day (an average of over 17,000 per second) and still provide accurate, timely detection of new threats.


The Goal



Our goal within DNS4EU is to automatically detect new and unknown malicious domains — those that do not appear in any blacklist, threat intelligence feed, or historic report.

To find them, we needed to design a system capable of identifying abnormal behavioral patterns in DNS traffic and continuously updating its understanding as new evidence appears.

“The challenge is not only to find malicious activity, but to find what has never been seen before — and to do it at a continental scale.”

The Solution


Stratosphere developed a large-scale AI pipeline that transforms raw DNS data into actionable threat intelligence.

Apache Kafka handles the ingestion of high-volume DNS streams from multiple regions, while ClickHouse provides high-performance storage and aggregation over billions of records. Our preprocessing stage removes invalid data, excludes the most popular domains, and extracts meaningful statistical and temporal features from the remaining traffic.
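The preprocessing stage described above, as an added example (not Stratosphere's pipeline code): validation, exclusion of a popular-domain list, and per-domain feature extraction over a constructed batch of resolver records. The record layout, the top-domain set, the sample query names (under reserved example TLDs) and the "last two labels" rule for the registered domain are all assumptions made for this example; the features it computes (query volume, client spread, unique-subdomain ratio, leftmost-label entropy, inter-query gap) are common DNS-tunnelling and DGA indicators and are not claimed to be the exact feature set DNS4EU uses.

```python
import math
import re
from collections import defaultdict
from statistics import mean

# Constructed resolver records for this example (NOT DNS4EU data):
# (timestamp_seconds, client_id, query_name, rcode). The layout is an assumption.
SAMPLE_RECORDS = [
    (0.0,  "c1", "www.example.org.",  "NOERROR"),
    (1.0,  "c2", "www.example.org.",  "NOERROR"),
    (2.0,  "c1", "mail.example.org.", "NOERROR"),
    (5.0,  "c1", "cdn.shop.example.", "NOERROR"),
    (65.0, "c2", "cdn.shop.example.", "NOERROR"),
    # Tunnelling-shaped burst: one client, unique high-entropy leftmost labels, sub-second gaps.
    (10.0, "c3", "3f9a2c7e1b.t.exfil-test.example.", "NOERROR"),
    (10.1, "c3", "8d4e6a0c2f.t.exfil-test.example.", "NOERROR"),
    (10.2, "c3", "b7c1d9e3a5.t.exfil-test.example.", "NOERROR"),
    (10.3, "c3", "e2f8a4b6c0.t.exfil-test.example.", "NOERROR"),
    # Invalid records the first stage must drop.
    ("bad", "c9", "www.example.org.", "NOERROR"),  # non-numeric timestamp
    (30.0, "c4", "", "SERVFAIL"),                  # empty query name
    (31.0, "c4", "not a domain", "NOERROR"),       # malformed label
]

# Stand-in for a top-N popular-domain list (assumption: a real pipeline uses a ranking list).
POPULAR_DOMAINS = {"example.org"}

LABEL_RE = re.compile(r"^[a-z0-9_-]{1,63}$")


def qname_labels(qname):
    return qname.lower().rstrip(".").split(".")


def is_valid(record):
    """'Remove invalid data': numeric timestamp and at least two well-formed labels."""
    ts, _client, qname, _rcode = record
    if isinstance(ts, bool) or not isinstance(ts, (int, float)):
        return False
    labels = qname_labels(qname)
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def registered_domain(qname):
    """Assumption for the example: the registered domain is the last two labels.
    Production code should consult the Public Suffix List (co.uk and similar)."""
    return ".".join(qname_labels(qname)[-2:])


def label_entropy(label):
    """Shannon entropy in bits of one label; encoded or random data scores high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(records, popular_domains):
    """Group valid, non-popular records by registered domain and compute
    statistical and temporal features for each domain."""
    per_domain = defaultdict(list)
    for rec in records:
        if not is_valid(rec):
            continue
        dom = registered_domain(rec[2])
        if dom in popular_domains:
            continue
        per_domain[dom].append(rec)

    features = {}
    for dom, recs in per_domain.items():
        recs.sort(key=lambda r: r[0])
        qnames = [".".join(qname_labels(r[2])) for r in recs]
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        features[dom] = {
            "queries": len(recs),
            "clients": len({r[1] for r in recs}),
            # 1.0 means every query used a never-seen subdomain (tunnel / DGA shape).
            "unique_subdomain_ratio": len(set(qnames)) / len(recs),
            "mean_label_entropy": mean(label_entropy(q.split(".")[0]) for q in qnames),
            "mean_gap_s": mean(gaps) if gaps else 0.0,
        }
    return features


if __name__ == "__main__":
    for dom, feats in extract_features(SAMPLE_RECORDS, POPULAR_DOMAINS).items():
        print(dom, feats)
```

On the constructed batch, `example.org` never reaches the feature table because it is on the popular list, the three malformed records are dropped, and the tunnelling burst stands out on exactly the axes an unsupervised model would later score: a unique-subdomain ratio of 1.0, leftmost-label entropy above 3 bits, and a mean gap of a tenth of a second, against a ratio of 0.5, 1.6 bits and a 60-second gap for the ordinary CDN lookups.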

We then apply a combination of unsupervised models — Isolation Forest, DBSCAN, and Gaussian Mixture Models — to identify anomalous or low-density patterns that may represent emerging malicious domains.

Finally, we use Bayesian inference to integrate all the evidence and reduce false positives. Each signal — such as anomaly model outputs or threat intelligence hits — modifies the probability that a domain is malicious.

This approach allows the system to express both a decision and a level of confidence, introducing transparency and adaptability into automated detection.

“Bayesian reasoning allows us to move beyond binary detection. It lets the system express uncertainty — which is exactly what real-world defense requires.”
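The evidence-integration step described above, as an added example that is not Stratosphere's code: a log-odds (naive Bayes) update in which every evaluated signal shifts the probability that a domain is malicious by its likelihood ratio, and the decision is returned together with the probability that backs it. The signal names follow the models named in this post, but their rates, the prior base rate and the decision thresholds are constructed for illustration.

```python
import math

# Constructed per-signal likelihoods for this example (not DNS4EU's values):
# name -> (P(signal fires | malicious), P(signal fires | benign)).
# In a real deployment these are estimated from labelled history and refreshed
# as validated detections come back from analysts.
SIGNALS = {
    "isolation_forest_outlier": (0.70, 0.05),
    "dbscan_noise_point":       (0.60, 0.10),
    "gmm_low_density":          (0.65, 0.08),
    # Genuinely new domains are in no feed, so a missing hit is only weak
    # evidence of benignity, while a hit is very strong evidence of maliciousness.
    "threat_intel_hit":         (0.30, 0.001),
}


def log_odds(p):
    return math.log(p / (1.0 - p))


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def posterior(prior, observations, signals=SIGNALS):
    """Update P(malicious) with every evaluated signal.

    observations maps signal name -> True (fired), False (evaluated, did not
    fire) or None (not evaluated, contributes nothing). Each signal multiplies
    the odds by its likelihood ratio; in log-odds that becomes a sum. This is a
    naive-Bayes combination: it assumes the signals are conditionally
    independent given the label, which is an approximation.
    """
    lo = log_odds(prior)
    for name, (p_mal, p_ben) in signals.items():
        fired = observations.get(name)
        if fired is None:
            continue
        if fired:
            lo += math.log(p_mal / p_ben)
        else:
            # A model that looked and stayed silent actively lowers the score.
            lo += math.log((1.0 - p_mal) / (1.0 - p_ben))
    return sigmoid(lo)


def classify(prior, observations, block_at=0.9):
    """Return a decision together with the probability that backs it."""
    p = posterior(prior, observations)
    if p >= block_at:
        decision = "malicious"
    elif p >= 0.5:
        decision = "suspicious"  # worth analyst validation, not yet a blocking decision
    else:
        decision = "benign"
    return decision, p


if __name__ == "__main__":
    # Assumed base rate for this example: 1 in 100 never-seen domains is malicious.
    PRIOR = 0.01
    cases = {
        "one model fires": {"isolation_forest_outlier": True, "dbscan_noise_point": False,
                            "gmm_low_density": False, "threat_intel_hit": False},
        "all three models fire": {"isolation_forest_outlier": True, "dbscan_noise_point": True,
                                  "gmm_low_density": True, "threat_intel_hit": False},
        "models + intel hit": {"isolation_forest_outlier": True, "dbscan_noise_point": True,
                               "gmm_low_density": True, "threat_intel_hit": True},
        "intel hit, models not run": {"threat_intel_hit": True},
    }
    for label, obs in cases.items():
        decision, p = classify(PRIOR, obs)
        print(f"{label:26s} -> {decision:10s} P(malicious)={p:.4f}")
```

With these constructed rates, a single model firing leaves the 1% prior at under 2%, all three unsupervised models together reach roughly 83% (enough to queue the domain for validation, not enough to block), and a threat-intelligence hit on top pushes the estimate past 99.9%. The false-positive control lives in the "evaluated but did not fire" branch: silent models count against the domain instead of being ignored, and the returned probability, not just the label, is what the daily feed can carry to analysts.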

The Results


The system processes over one terabyte of DNS data each week and generates a daily feed of suspicious domains for further analysis and validation.

Many of these findings have been confirmed as real threats, including fake software update campaigns, DNS tunneling for data exfiltration, and command-and-control infrastructure for Predator spyware and Lumma Stealer.

The combination of scalable infrastructure, unsupervised learning, and Bayesian updates enables the detection of entirely new classes of threats that traditional rule-based systems would miss.

Lessons Learned


Our experience shows that large-scale, privacy-first infrastructure and artificial intelligence can coexist successfully. Reducing false positives is as critical as detecting true threats.

And explainable AI — supported by probabilistic reasoning — can provide both efficiency and trust.

“Defending Europe’s Internet requires more than technology; it requires transparency, cooperation, and scientific rigor.”

At Stratosphere Lab, we are proud to contribute to DNS4EU’s mission of building a strong, resilient, and sovereign digital ecosystem for Europe.
Our work continues toward one goal: turning data into defense — responsibly, transparently, and at scale.

[Image: Stratosphere Lab presenting at Ekoparty]

Learn more about Stratosphere Laboratory: https://www.stratosphereips.org
Learn more about DNS4EU: https://www.joindns4.eu

This article was written by the Stratosphere Laboratory team.