Skip to main content
  • Cybersecurity

What organizations need to look for in a DNS threat feed

By Mark Brownlee

A DNS threat feed is a great thing to have. It is, after all, one of the best ways to protect your organization’s network from accessing websites that will lead to malicious malware, ransomware and other cyber attacks.

The problem, though, is that not all threat feeds are created equal.

If you’re evaluating a threat feed for your organization’s network, here are three questions you need to ask yourself.

How much coverage does it provide?

Ideally, a DNS threat feed would block anyone who is using your network from accessing any and all malicious websites.

This is where the breadth of the threat feed’s coverage plays a key role.

Key aspects to consider include:

  • How anomalous behaviour is detected: A threat feed needs to have enough breadth to be able to tell when something is “out of the ordinary” that it needs to potentially block

  • How well subtle variations in bots and malware are identified: Sometimes cybercriminals make slight changes to attacks in order to slip through protections. Threat feeds need to be able to account for these variations

  • The breadth of metrics used to characterize and cluster suspicious activity: Threat feeds need to have a variety of different “frames” for recognizing attacks that are taking place

How can a threat feed help combat these threats?

Machine learning (ML) can play a key role here. By applying ML to large DNS data sets used for threat research, the threat coverage can be expanded, and cover subtle variations more effectively.

Anomalous behaviour can be flagged by identifying incoming queries that don’t match predicted patterns.  This is an efficient way to reduce the data set and focus processing resources on traffic that is more likely to be malicious.

With additional processing, suspicious traffic can be evaluated against metrics that gauge how malicious it likely is—this traffic is then categorized accordingly. Traffic with similar patterns can be identified and clustered. These clusters can be compared with known, validated threats that share the same characteristics (strong correlation) as validated threats. From there, the threat feed can then inherit the findings.

How precise is the threat feed?

For a DNS threat feed to be effective, it needs to be precise—blocking out as many malicious pages as possible while still allowing users to quickly and easily access legitimate, unharmful websites.

In other words, accuracy is important.

Accuracy is about ensuring the user experience and productivity.  Security technologies shouldn’t block access to legitimate internet resources used for work, learning and leisure web activities, whatever they may be. Overall, accuracy enables the best possible coverage while minimizing false positives, ensuring a good user experience.

Intensive statistical analysis of massive volumes of DNS query data can provide a deep understanding of “normal” versus “malicious” query patterns. This is intrinsically reflected in threat feeds to avoid inadvertent blocking of legitimate traffic. To further reduce false positives a wide range of metrics—as many as 90—must be assessed to validate suspected threats.

How agile is the threat feed in responding to new threats?

Cyber threats are always changing.

That means agility—the ability to respond quickly as new threats arise—is a key component of an effective threat feed.

Agility is influenced by the data a threat feed uses. Real time data, processed quickly and efficiently, will drive faster discovery and validation of threat activity. But just tracking down new threats isn’t enough. Newly-identified threats need to be sent to enforcement points. If the threat feed can’t get new threats to a DNS firewall (or other enforcement point) it’s not going to be useful.

Sophisticated analysis can also uncover machine generated domain names (Domain Generation Algorithm) and replicate the function so a threat feed can publish the entries proactively and preemptively block future activity automatically.


Your cybersecurity set-up is only as good as your ability to detect new threats as they emerge.

By asking yourself these questions about your threat feed, you can get a pretty good sense for how well your network will be protected.

Are you looking to increase your organization’s threat protection? CIRA DNS Firewall uses Akamai’s threat feed to keep Canadian organizations protected from cyber threats.

Learn more here.

About the author
Mark Brownlee

Mark Brownlee is a Product Marketing Manager with CIRA Cybersecurity Services. His work, which focuses on the CIRA DNS Firewall and Canadian Shield products, is dedicated to helping protect people and organizations in Canada from cyber threats. His background is in marketing strategy, communications planning and advertising best practices.