{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:36:52Z","timestamp":1767339412033,"version":"build-2065373602"},"reference-count":51,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2021,11,30]],"date-time":"2021-11-30T00:00:00Z","timestamp":1638230400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Nowadays there are many DNS firewall solutions to prevent users accessing malicious domains. These can provide real-time protection and block illegitimate communications, contributing to the cybersecurity posture of the organizations. Most of these solutions are based on known malicious domain lists that are being constantly updated. However, in this way, it is only possible to block malicious communications for known malicious domains, leaving out many others that are malicious but have not yet been updated in the blocklists. This work provides a study to implement a DNS firewall solution based on ML and so improve the detection of malicious domain requests on the fly. For this purpose, a dataset with 34 features and 90 k records was created based on real DNS logs. The data were enriched using OSINT sources. Exploratory analysis and data preparation steps were carried out, and the final dataset submitted to different Supervised ML algorithms to accurately and quickly classify if a domain request is malicious or not. The results show that the ML algorithms were able to classify the benign and malicious domains with accuracy rates between 89% and 96%, and with a classification time between 0.01 and 3.37 s. The contributions of this study are twofold. In terms of research, a dataset was made public and the methodology can be used by other researchers. In terms of solution, the work provides the baseline to implement an in band DNS firewall.<\/jats:p>","DOI":"10.3390\/fi13120309","type":"journal-article","created":{"date-parts":[[2021,11,30]],"date-time":"2021-11-30T20:29:27Z","timestamp":1638304167000},"page":"309","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["DNS Firewall Based on Machine Learning"],"prefix":"10.3390","volume":"13","author":[{"given":"Claudio","family":"Marques","sequence":"first","affiliation":[{"name":"ESTG (Escola Superior de Tecnologia e Gest\u00e3o), Instituto Polit\u00e9cnico de Viana do Castelo, 4900-367 Viana do Castelo, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5274-3733","authenticated-orcid":false,"given":"Silvestre","family":"Malta","sequence":"additional","affiliation":[{"name":"ADiT-Lab (Applied Digital Transformation Laboratory), ESTG (Escola Superior de Tecnologia e Gest\u00e3o), Instituto Polit\u00e9cnico de Viana do Castelo, 4900-367 Viana do Castelo, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6755-8901","authenticated-orcid":false,"given":"Jo\u00e3o","family":"Magalh\u00e3es","sequence":"additional","affiliation":[{"name":"CIICESI (Centro de Inova\u00e7\u00e3o e Investiga\u00e7\u00e3o em Ci\u00eancias Empresariais e Sistemas de Informa\u00e7\u00e3o), ESTG (Escola Superior de Tecnologia e Gest\u00e3o), Instituto Polit\u00e9cnico do Porto, 4610-156 Porto, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2021,11,30]]},"reference":[{"key":"ref_1","unstructured":"Verisign (2021, November 28). The Domain Name Industry Brief. Available online: https:\/\/www.verisign.com\/en_US\/domain-names\/dnib\/index.xhtml."},{"key":"ref_2","unstructured":"Scmagazine (2020, February 09). Vast Majority of Newly Registered Domains Are Malicious. Available online: https:\/\/www.scmagazine.com\/home\/security-news\/malware\/vast-majority-of-newly-registered-domains-are-malicious."},{"key":"ref_3","unstructured":"Weimer, F. (2021, November 28). Passive DNS Replication. Available online: https:\/\/static.enyo.de\/fw\/volatile\/pdr-draft-11.pdf."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Perdisci, R., Corona, I., Dagon, D., and Lee, W. (2009, January 7\u201311). Detecting malicious flux service networks through passive analysis of recursive DNS traces. Proceedings of the Annual Computer Security Applications Conference, ACSAC, Honolulu, HI, USA.","DOI":"10.1109\/ACSAC.2009.36"},{"key":"ref_5","unstructured":"Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M. (2021, November 28). EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. Available online: https:\/\/sites.cs.ucsb.edu\/~chris\/research\/docndss11_exposure.pdf."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"654","DOI":"10.1016\/j.procs.2020.04.071","article-title":"Malicious Domain Detection Using Machine Learning on Domain Name Features, Host-Based Features and Web-Based Features","volume":"171","author":"Palaniappan","year":"2020","journal-title":"Procedia Comput. Sci."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Segawa, S., Masuda, H., and Mori, M. (2019, January 8\u201310). Proposal and Prototype of DNS Server Firewall with Flexible Response Control Mechanism. Proceedings of the 20th IEEE\/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel\/Distributed Computing, SNPD 2019, Piscataway, NJ, USA.","DOI":"10.1109\/SNPD.2019.8935681"},{"key":"ref_8","unstructured":"(2021, July 11). IDC 2020 Global DNS Threat Report|DNS Attacks Defense|EfficientIP. Available online: https:\/\/www.efficientip.com\/resources\/idc-dns-threat-report-2020\/."},{"key":"ref_9","unstructured":"(2021, August 22). IDC 2021 Global DNS Threat Report|Network Security. Available online: https:\/\/www.efficientip.com\/resources\/idc-dns-threat-report-2021\/."},{"key":"ref_10","unstructured":"(2021, August 22). Domain Name System (DNS) Security: Attacks Identification and Protection Methods. Available online: https:\/\/csce.ucmss.com\/cr\/books\/2018\/LFS\/CSREA2018\/SAM4137.pdf."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Ariyapperuma, S., and Mitchell, C.J. (2007, January 10\u201313). Security vulnerabilities in DNS and DNSSEC. Proceedings of the Second International Conference on Availability, Reliability and Security, ARES, Vienna, Austria.","DOI":"10.1109\/ARES.2007.139"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1016\/S1353-4858(21)00028-3","article-title":"Investigating cyber attacks using domain and DNS data","volume":"2021","author":"Anderson","year":"2021","journal-title":"Netw. Secur."},{"key":"ref_13","unstructured":"Arends, R., Austein, R., Larson, M., Massey, D., and Rose, S.W. (2021, August 22). rfc4033, Available online: https:\/\/www.nist.gov\/publications\/dns-security-introduction-and-requirements-rfc-4033?pub_id=150135."},{"key":"ref_14","unstructured":"(2021, July 23). ICANN Research\u2013TLD DNSSEC Report. Available online: http:\/\/stats.research.icann.org\/dns\/tld_report\/."},{"key":"ref_15","unstructured":"Chung, T., van Rijswijk-Deij, R., Chandrasekaran, B., Choffnes, D., Levin, D., Maggs, B.M., and Wilson, C. (2021, November 28). An End-to-End View of DNSSEC Ecosystem Management. Available online: https:\/\/www.usenix.org\/system\/files\/login\/articles\/login_winter17_03_chung.pdf."},{"key":"ref_16","first-page":"1","article-title":"A measurement study of DNSSEC misconfigurations","volume":"4","author":"Blenn","year":"2015","journal-title":"Secur. Inf."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"369","DOI":"10.2298\/SJEE1603369A","article-title":"Implementation of DNSSEC-secured name servers for ni.rs zone and best practices","volume":"13","year":"2016","journal-title":"Serb. J. Electr. Eng."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Van Adrichem, N.L., Lua, A.R., Wang, X., Wasif, M., Fatturrahman, F., and Kuipers, F.A. (2014, January 24\u201326). DNSSEC misconfigurations: How incorrectly configured security leads to unreachability. Proceedings of the 2014 IEEE Joint Intelligence and Security Informatics Conference, JISIC, NW, Washington, DC, USA.","DOI":"10.1109\/JISIC.2014.12"},{"key":"ref_19","first-page":"263","article-title":"A Comprehensive Measurement Study of Domain Generating Malware","volume":"Volume 16","author":"Plohmann","year":"2016","journal-title":"Proceedings of the 25th USENIX Conference on Security Symposium"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1186\/s42400-020-00046-6","article-title":"A DGA domain names detection modeling method based on integrating an attention mechanism and deep neural network","volume":"3","author":"Ren","year":"2020","journal-title":"Cybersecurity"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"105400","DOI":"10.1016\/j.dib.2020.105400","article-title":"UMUDGA: A dataset for profiling algorithmically generated domain names in botnet detection","volume":"30","author":"Zago","year":"2020","journal-title":"Data Brief"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"106304","DOI":"10.1016\/j.dib.2020.106304","article-title":"Malicious and Benign Webpages Dataset","volume":"32","author":"Singh","year":"2020","journal-title":"Data Brief"},{"key":"ref_23","unstructured":"(2021, November 28). Rapid7 Labs. Available online: https:\/\/opendata.rapid7.com\/sonar.fdns_v2."},{"key":"ref_24","unstructured":"(2020, November 22). SANS Internet Storm Center. Available online: https:\/\/isc.sans.edu\/."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"107342","DOI":"10.1016\/j.dib.2021.107342","article-title":"DNS dataset for malicious domains detection","volume":"38","author":"Marques","year":"2021","journal-title":"Data Brief"},{"key":"ref_26","unstructured":"Brownlee, J. (2021, November 28). Data Preparation for Machine Learning: Data Cleaning, Feature Selection, and Data Transforms in Python. Available online: https:\/\/bd.zlibcdn2.com\/book\/16370100\/0383c0."},{"key":"ref_27","unstructured":"(2020, September 15). Scikit Learn. Available online: https:\/\/scikit-learn.org\/stable\/."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Srikanth Yadav, M., and Kalpana, R. (2019, January 18\u201328). Data preprocessing for intrusion detection system using encoding and normalization approaches. Proceedings of the 11th International Conference on Advanced Computing, ICoAC 2019, Chennai, India.","DOI":"10.1109\/ICoAC48765.2019.246851"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Sathya Durga, V., and Jeyaprakash, T. (2019, January 17\u201319). An Effective Data Normalization Strategy for Academic Datasets using Log Values. Proceedings of the 4th International Conference on Communication and Electronics Systems, ICCES 2019, Coimbatore, India.","DOI":"10.1109\/ICCES45898.2019.9002089"},{"key":"ref_30","unstructured":"Akanbi, O.A., Amiri, I.S., and Fazeldehkordi, E. (2021, November 28). A Machine-Learning Approach to Phishing Detection and Defense. Available online: https:\/\/www.sciencedirect.com\/book\/9780128029275\/a-machine-learning-approach-to-phishing-detection-and-defense?via=ihub=."},{"key":"ref_31","unstructured":"(2021, July 02). Recursive Feature Elimination\u2014Yellowbrick v1.3.post1 Documentation. Available online: https:\/\/www.scikit-yb.org\/en\/latest\/api\/model_selection\/rfecv.html."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"365","DOI":"10.2174\/138920209789177629","article-title":"Performance of Feature Selection Methods","volume":"10","author":"Dougherty","year":"2009","journal-title":"Curr. Genom."},{"key":"ref_33","first-page":"462","article-title":"Intrusion detection model using fusion of chi-square feature selection and multi class SVM","volume":"29","year":"2017","journal-title":"J. King Saud Univ. Comput. Inf. Sci."},{"key":"ref_34","unstructured":"(2021, May 06). Sklearn.feature_selection.SelectKBest\u2014Scikit-Learn 0.24.2 Documentation. Available online: https:\/\/scikit-learn.org\/stable\/modules\/generated\/sklearn.feature_selection.SelectKBest.html."},{"key":"ref_35","unstructured":"Adankon, M.M., and Cheriet, M. (2021, November 28). Support Vector Machine. Available online: https:\/\/link.springer.com\/referenceworkentry\/10.1007%2F978-1-4899-7488-4_299."},{"key":"ref_36","unstructured":"(2021, May 07). 1.4. Support Vector Machines\u2014Scikit-Learn 0.24.2 Documentation. Available online: https:\/\/scikit-learn.org\/stable\/modules\/svm.html."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"90","DOI":"10.15642\/mantik.2019.5.2.90-99","article-title":"Comparison of Kernel Function on Support Vector Machine in Classification of Childbirth","volume":"5","author":"Intan","year":"2019","journal-title":"J. Mat. MANTIK"},{"key":"ref_38","unstructured":"(2021, August 05). Advantages and Disadvantages of Linear Regression. Available online: https:\/\/iq.opengenus.org\/advantages-and-disadvantages-of-linear-regression\/."},{"key":"ref_39","unstructured":"Balakrishnama, S., and Ganapathiraju, A. (2021, November 28). Linear Discriminant Analysis\u2014A Brief Tutorial. Available online: http:\/\/datajobstest.com\/data-science-repo\/LDA-Primer-[Balakrishnama-and-Ganapathiraju].pdf."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"195","DOI":"10.1109\/TNN.2002.806647","article-title":"Face Recognition Using LDA-Based Algorithms","volume":"14","author":"Lu","year":"2003","journal-title":"IEEE Trans. Neural Netw."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s10916-019-1504-1","article-title":"Automatic Detection of Epileptic Seizures in EEG Using Sparse CSP and Fisher Linear Discrimination Analysis Algorithm","volume":"44","author":"Fu","year":"2020","journal-title":"J. Med. Syst."},{"key":"ref_42","unstructured":"Elnasir, S., and Mariyam Shamsuddin, S. (2021, November 28). Palm Vein Recognition Based on 2D-Discrete Wavelet Transform and Linear Discrimination Analysis Big Data Review View Project Knowledge Management for Adaptive Hypermedia Learning System View Project. Available online: http:\/\/home.ijasca.com\/data\/documents\/3_Selma.pdf."},{"key":"ref_43","unstructured":"(2021, August 22). kNN Definition|DeepAI. Available online: https:\/\/deepai.org\/machine-learning-glossary-and-terms\/kNN."},{"key":"ref_44","unstructured":"Hassanat, A.B., Abbadi, M.A., Altarawneh, G.A., and Alhasanat, A.A. (2021, November 28). Solving the Problem of the K Parameter in the KNN Classifier Using an Ensemble Learning Approach. Available online: https:\/\/arxiv.org\/abs\/1409.0919."},{"key":"ref_45","unstructured":"(2021, May 27). Sklearn.neighbors.KNeighborsClassifier\u2014Scikit-Learn 0.24.2 Documentation. Available online: https:\/\/scikit-learn.org\/stable\/modules\/generated\/sklearn.neighbors.KNeighborsClassifier.html."},{"key":"ref_46","unstructured":"(2021, August 15). 1.10. Decision Trees\u2014Scikit-Learn 0.24.2 Documentation. Available online: https:\/\/scikit-learn.org\/stable\/modules\/tree.html."},{"key":"ref_47","unstructured":"(2021, July 12). 1.9. Naive Bayes\u2014Scikit-Learn 0.24.2 Documentation. Available online: https:\/\/scikit-learn.org\/stable\/modules\/naive_bayes.html."},{"key":"ref_48","unstructured":"(2021, August 22). Sklearn.Model_Selection.Cross_Validate\u2014Scikit-Learn 0.24.2 Documentation. Available online: https:\/\/scikit-learn.org\/stable\/modules\/generated\/sklearn.model_selection.cross_validate.html."},{"key":"ref_49","unstructured":"(2021, August 20). Claudioti\/Machine-Learning. Available online: https:\/\/github.com\/claudioti\/machine-learning."},{"key":"ref_50","unstructured":"(2021, July 05). TPOT. Available online: http:\/\/epistasislab.github.io\/tpot\/."},{"key":"ref_51","unstructured":"Marques, C. (2021, September 15). Dataset Creator. Available online: https:\/\/github.com\/claudioti\/dataset-creator."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/13\/12\/309\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:38:06Z","timestamp":1760168286000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/13\/12\/309"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,30]]},"references-count":51,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2021,12]]}},"alternative-id":["fi13120309"],"URL":"https:\/\/doi.org\/10.3390\/fi13120309","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2021,11,30]]}}}