Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages AI Deep Research
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

Research
Monitoring
White-Label
Predictive Threat Intelligence Feeds
Predictive Threat Intelligence Feeds

Predictive threat intelligence is your best first line of defense. Subscribe to the feeds to strengthen your cybersecurity posture. Contact us today for more information.

WhoisXML API Internet Infrastructure
Internet Infrastructure

Unlock integrated intelligence on Internet properties and their ownership, infrastructure, and other attributes.

Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Attack Surface Discovery API
Attack Surface Discovery API

Uncover entire attack surfaces with this API to embed asset discovery, vulnerability scanning, and technology metadata into your platform. Now in early access.

MCP Server
MCP Server

Talk to our APIs using LLMs. Connect your preferred LLM to WhoisXML API and simply chat about WHOIS, DNS, threat intelligence, and more.

Jake AI
Jake AI

I’m your Domain Intelligence Assistant. I make it easy to explore WHOIS, DNS, and threat data from WhoisXML API — I’m cloud-based, fast, and always ready to help.

WhoisXML API Domain Intelligence Advisor (via ChatGPT)
WhoisXML API Domain Intelligence Advisor (via ChatGPT)

A custom GPT for WHOIS, DNS, IP, and threat intelligence research. Connects ChatGPT directly to WhoisXML API to enable fast, conversational investigations and domain insights.

Discover what you really pay for when buying commercial Internet intelligence data.

Download now
×
Contact Us
Read other articles Download PDF

The Dangers of Domain Generation Algorithms and How to Protect Against Them

Cybercrime tactics always evolve, but few techniques are as persistent as the use of domain generation algorithms (DGAs). Even though they have evolved too.

These algorithms are designed to create a moving target for security teams. Attackers use DGAs to be able to rotate between domain names constantly — when one domain is detected, blocked, or taken down by law enforcement, DGAs allow threat actors to generate and switch to a new set of domains in a matter of seconds or minutes.

In this post, we will talk about the types of DGAs, how they are used by attackers, and how to protect against them.

What Are Domain Generation Algorithms?

Domain generation algorithms are programs that generate a large number (or, in some cases, a small rotating set) of domain names that usually serve as potential points of contact for a malware’s command-and-control (C2) server. The point of using DGAs is making threat detection and protection against it more difficult.

The generation process generally involves:

  • Seeding: Attackers use seeds — something like a birthdate, the current date and time, or a random number — to initialize the algorithm.
  • Algorithmic processing: This seed is fed into the DGA which starts generating a massive list of domains.
  • Domain name generation: To an ordinary observer, these domains often look like strings of characters that don’t always make sense, but they follow an underlying pattern known to the attacker. Some modern DGAs generate domains that appear more natural to evade lexical detection.

How DGAs Were Originally Used

Using DGAs allows attackers to avoid hard-coding C2 domain names into the malware. It works as follows:

  • Both the attacker and the malware they deployed know the algorithm. So they can independently generate the same list of domains.
  • The attacker generates a list of domains with the DGA and registers one of them to use it for the C2 server. 
  • The malware tries to connect to a C2 server by using the same DGA to generate a list of domain names and attempting to connect to each in turn.
  • Eventually, the malware gets to the one that actually exists and establishes a connection, allowing it to receive commands from the attacker. The C2 domain name isn’t hard-coded in the malware, which makes it harder for the security researchers to identify it and block it or request takedown.
  • Even if a domain that is used as a C2 server is somehow discovered and taken down or blocked, the attacker can move the C2 server to another domain name generated with the same algorithm. The malware will again go through the same list until it finds this new domain and establishes a connection.
How attackers use domain generation algorithms (DGAs)

This was the original and historically one of the most advanced use cases for DGAs. Today, DGA-like automated domain generation techniques are also used beyond C2, for purposes including bulk domain registration and some large-scale abuse and phishing operations. We’ll discuss them later in the article.

Why DGAs Are a Major Problem in Cybersecurity

The issue with DGAs is that they are notoriously hard to block. Attackers use them to generate, say, 1,000 domains, but they end up activating only one or five. Since the malware tries to resolve all 1,000 domains, security systems must analyze 999 or 995 failed requests, creating massive noise that conceals the one successful connection to the real C2 server. 

DGAs also render traditional Indicators of Compromise (IoC)-based threat intelligence nearly useless, because attackers can easily register and weaponize new domains when the ones they used get flagged. 

Types of Domain Generation Algorithms 

types of DGAs

1. Basic Seed-Based DGAs

Seed-based DGAs are the most common and simplest type of DGA. They use a seed value and a pseudo-random number generator to create a long string of random or semi-random letters and numbers that look like gibberish. The seed is often hard-coded or based on a predictable value.

Example: ValleyRAT IoCs ydbao4[.]cyou, ydbao8[.]cyou, ydbao6[.]cyou that were registered on the same day as 47 other similar-looking “ydbao” domains

Seed-based DGAs

2. Time-Based DGAs

These algorithms use a time-sensitive input, like the current date or time, as seed values to generate a list of domains. The malware and the attacker's C2 server both run the same algorithm using the same date, so they know exactly which domains to try connecting to on any given day. They often result in domains that look random, but they are predictable if you know the date and the algorithm.

Example: The infamous Conficker worm used the victim system’s current UTC date as seeds, generating domains like those shown below, as listed by Microsoft:

  • puxqy[.]net
  • elvyodjjtao[.]net
  • ltxbshpv[.]net
  • ykjzaluthux[.]net
  • lpiishmjlb[.]net
  • arpsyp[.]com
  • txkjngucnth[.]org
  • vhslzulwn[.]org
  • jcqavkkhg[.]net
  • dmszsyfp[.]info

3. Wordlist-Based DGAs

Wordlist-based DGAs or dictionary-based DGAs combine common dictionary words or syllables to generate domain names, making the domains readable and therefore appear more legitimate. Since they look natural, they bypass security filters that only flag random strings, and detecting them requires more advanced techniques like Natural Language Processing (NLP) or lexical analysis.

Example: The Rovnik malware used text strings from the US Declaration of Independence for its DGA. Some examples of domains generated using this DGA are:

  • kingwhichtotallyadminis[.]biz
  • thareplunjudiciary[.]net
  • townsunalienable[.]net
  • taxeslawsmockhigh[.]net
  • transientperfidythe[.]biz
  • inhabitantslaindourmock[.]cn
  • thworldthesuffer[.]biz

4. Mathematical Function-Based DGAs

These DGAs are more sophisticated because they don't just pick letters at random. Instead, they use specific mathematical formulas — like hashing, bitwise operations, or modular arithmetic — to ensure the generated domains are unique and repeatable for both the attacker and the victim.

Example: Gameover ZeuS (GOZ) is famous for overwhelming defenders with up to 1,000 domains per day using a mathematical seed based on the MD5 hash of the current date. That seed would still go through a loop that modifies it using modular arithmetic and XOR gates before finally being used in the algorithm. Below are a few examples from Sophos:

  • bmo0ve7lxujkiid9sycsfxb[.]biz
  • 1gkdng316lekt41ohkj3yi1gxzt[.]net
  • 1x162cb489ebmyfibcyujrg7[.]com
  • 1m29d4pp9t4t910tf4htihifak[.]org
  • 1odurmg100mx3pojsrt51d95f0o[.]com

5. Hybrid DGAs

Attackers combine the techniques above to create an even more resilient and evasive algorithm. For example, a DGA might combine a time-based seed with a wordlist to produce domains that look very natural.

Example: The Matsnu DGA is a perfect example of a hybrid DGA, combining the Dictionary and Math approaches. The algorithm uses a mathematical formula to pick a word from Dictionary A and another one from Dictionary B, then joins those words together. Here are some examples from Checkpoint:

Hybrid DGA domains examples
Image source: https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf

How Are Threat Actors Using Domain Generation Algorithms?

C2 Communication

This is the most common use of DGAs and is listed on MITRE Att&ck techniques. Instead of hardcoding a single IP address or domain into the malware, attackers program the malware to generate a list of hundreds or thousands of domains daily.

How it works: We’ve already discussed it above. Both the malware and the attacker use the same algorithm and the same seed (like the current date). This allows them to independently generate the same list of domains.

In a malware attack, the threat actor only needs to activate one of those domains. The infected machine will attempt to resolve the entire list of generated domains until it successfully resolves the one active domain registered by the attacker.

Evasion and Persistence

DGAs are designed to defeat sinkholing — a common defense tactic where security researchers take control of a malicious domain to redirect traffic away from the attacker. 

If law enforcement takes down a C2 domain today, the malware doesn't die. It simply waits for the next time interval (hour or day) and generates a new list of domains to re-establish contact.

How it works: Traditional malware uses hardcoded domains or IP addresses, which are easy for security tools to find and block. A DGA creates a dilution effect. Even if a researcher sinkholes a domain, it doesn’t cause that much pain to the attacker because that domain is only valid for a short timespan. The algorithm automatically rolls over to a new set of names, forcing defenders into a never-ending game of whack-a-mole.

Phishing Campaigns

While some types of DGAs produce gibberish domains, we know from the previous section that wordlist-based and hybrid DGAs are much more deceptive. Indeed, they can bypass some security tools, but they are also used to trick humans. 

How it works: To a user, camp-shelter[.]com looks much more trustworthy than a string of random letters, but that domain was actually generated by the Matsnu malware DGA. As such, dictionary DGAs can be used in phishing since they look legitimate, either as the embedded link within the message, a redirection layer to bypass security filters, or as the final host for malicious phishing content.

Malware Payload Distribution

Bulk-registered algorithmically generated domains are especially effective for hosting and delivering malware payloads at scale. Rather than serving malware from a stable endpoint, attackers distribute payloads across many short-lived domains, each seeing limited traffic and exposure.

A single malware campaign may rotate download URLs per email wave, per victim segment, or per time window, all backed by domains registered in advance and activated on demand.

How it works:
Security controls often rely on domain reputation, prevalence, and abuse reports. Bulk registration undermines these signals. Each domain:

  • Is new or low-traffic
  • Exists for a short time
  • Serves only a subset of victims

By the time a domain is flagged, the payload has already moved elsewhere. The attacker simply updates the loader or phishing link to point to a fresh domain from the same bulk inventory, keeping the distribution pipeline alive while defenders struggle to accumulate enough signal on any single domain.

Protecting Against Domain Generation Algorithms 

DGA domains are born from patterns, so protecting against them requires advanced pattern recognition. 

Attackers typically register these domains in bulk, and even when they try to fly under the radar, the domains usually share the same underlying characteristics — the same registrar, the same set of name servers, the same time-to-live (TTL) values, and very close registration timestamps (sometimes only seconds apart).

Identifying patterns of DGA domains

Keep these characteristics in mind as we go through some of the best methods used in fighting against DGAs.

DNS Filtering and Predictive Threat Intelligence

The first line of defense is blocking the connection at the DNS level by implementing firewalls and DNS security solutions with integrated DGA threat intelligence, such as:

  • Bulk registration feeds: Using data feeds like the Typosquatting Data Feed helps catch domain names that were registered in large batches, which is a classic sign of a DGA malware campaign.
  • Predictive intelligence: Solutions such as the First Watch Malicious Domain Data Feed go a step further. They use machine learning to identify domains that exhibit the technical fingerprints of an attacker-controlled infrastructure almost at registration, even before the malware starts using them.

Behavioral Analysis

Security tools like Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA) detect the noise triggered by DGA queries using machine learning models. Since these DGAs are automated, they leave behind clear signs of non-human activity, such as: 

  • Massive failed lookups: Since malware may try hundreds of domains before finding the active one, a sudden spike in NXDOMAIN (domain not found) responses is an indicator that a DGA is active on the network.
  • Origin of the lookups: In a healthy system, a web browser makes most DNS queries. If a background system utility or a random file in a temporary folder starts querying dozens of domains, it is a major red flag.
  • Timing and frequency: DGAs usually run on a fixed schedule. If you see a sudden spike in DNS activity at the exact time each day or week, it’s an indication of C2 communication. 

Conclusion

Cybercriminals still prefer DGAs because they render traditional defenses almost useless since they can automate thousands of rotating domain names, making their infrastructure resilient to takedowns and invisible to blocklists.

To stay protected, organizations need to implement proactive measures like behavioral analysis and predictive DNS intelligence.

To detect and block DGA domains at the time they are registered, check out WhoisXML API’s First Watch Malicious Domain Data Feed.

FAQ

What is a DGA?

A DGA is a technique that malware uses to generate a large number of domain names.  These names often appear to be gibberish, but they are generated using a specific mathematical pattern.

Sometimes algorithmically generated domains (AGDs) are also referred to as DGA domains.

Are there legitimate uses of DGAs?

While most people only hear about DGAs in the context of cyberattacks, the underlying technology — dynamically creating unique addresses — is used for stability in high-end networks, such as:

  • High-availability systems: DGAs help ensure that a backup server is always reachable, even if the main network path fails.
  • Distributed content delivery: They help Content Delivery Networks (CDNs) route traffic to the closest server.
  • Disaster recovery: With DGAs, data centers can generate new connection points during an emergency. 

Why do cybercriminals use domain generation algorithms?

Attackers rely on DGAs for two main reasons: evasion and resilience.

  • Evasion: By constantly switching to new domains, malware can stay one step ahead of static blacklists that block known bad domains.
  • Resilience: In case a C2 domain is taken down, the malware doesn't die. It simply runs the algorithm again to find the next active rendezvous point on the list.
Read other articles Download PDF
Try our WhoisXML API for free
Get started