Domain Intelligence is becoming a critical component in modern cybersecurity, and the Domain Intelligence & Behaviour System (DIBs) directly addresses this need. As attackers increasingly exploit DNS infrastructure for phishing, malware distribution, and large-scale campaigns, organizations require a proactive approach to understanding and detecting malicious domains.
Traditional security methods rely heavily on reactive detection. As a result, malicious domains often get identified only after they have already been used in attacks. This delay creates a significant security gap.
However, DIBs takes a different approach. Instead of waiting for threats to appear, it actively explores the domain space to uncover potential risks before they become operational.
The Problem with Traditional DNS Intelligence
Most DNS-based detection systems depend on passive data. For example, they monitor known domains, analyze DNS logs, or rely on external threat feeds.
However, this approach has a major limitation.
If no one queries a domain, it does not appear in passive datasets. Therefore, attackers can register domains in advance and keep them hidden until they are ready to launch attacks.
In contrast, DIBs treats DNS as an active search space rather than a passive dataset. As a result, it significantly improves visibility into unseen threats.
Before diving deeper, it helps to understand the fundamentals of how DNS works. If you haven’t read our previous article “DNS?? why it’s so special”, we recommend going through it first. It provides the foundational knowledge needed to fully understand the concepts discussed here.
What is DIBs?
The Domain Intelligence & Behaviour System (DIBs) is a high-throughput framework built for large-scale Domain Intelligence operations.

It operates as a continuous pipeline with three main functions:
- Domain generation
- DNS resolution
- Intelligence extraction
Because of this pipeline design, the system can process large datasets efficiently while maintaining structured output.
Domain Mutation Analysis
At its core, DIBs uses domain mutation techniques to simulate attacker behaviour.
Specifically, it generates domain variations using:
- Typosquatting
- Bitsquatting
- Combosquatting
- Homograph attacks
- Subdomain variations
- Phonetic transformations
As a result, the system explores a massive domain space.
According to the whitepaper:
- 330,576 domains were generated
- 12,860 domains resolved
- Resolution rate: 3.9%
Although the resolution rate seems low, it is actually expected. More importantly, the resolved domains represent active infrastructure.
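The generator below is an added example (not DIBs' own code) of four of the mutation techniques listed above: typosquatting, bitsquatting, combosquatting and ASCII homographs, applied to a brand's registrable label so the resulting candidates can be fed into a monitoring watchlist. The combosquat word list and the homoglyph table are assumptions; the page does not give DIBs' own tables.

```python
# Valid DNS label characters (lowercase letters, digits, hyphen).
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")
# Assumed combosquatting words (the page names login-, secure- and verify-).
COMBO_WORDS = ("login", "secure", "verify")
# Assumed ASCII homoglyph table; DIBs' own table is not given on the page.
HOMOGLYPHS = {"o": ("0",), "l": ("1",), "i": ("1", "l"), "m": ("rn",), "rn": ("m",), "w": ("vv",)}

def valid_label(label: str) -> bool:
    """RFC 1035 label: 1-63 LDH characters, no leading or trailing hyphen."""
    return 0 < len(label) <= 63 and set(label) <= LDH and label[0] != "-" and label[-1] != "-"

def typosquats(label: str) -> set[str]:
    """Omission, repetition and adjacent transposition of a single character."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                              # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])               # repetition
        if i + 1 < len(label):                                          # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return {m for m in out if valid_label(m)}

def bitsquats(label: str) -> set[str]:
    """Flip one bit of one character (a bit-error look-alike); keep valid labels only."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            out.add(label[:i] + chr(ord(ch) ^ (1 << bit)) + label[i + 1:])
    return {m for m in out if valid_label(m)}

def combosquats(label: str) -> set[str]:
    """Prepend or append a trust word with a hyphen, e.g. login-<brand>."""
    return {f"{w}-{label}" for w in COMBO_WORDS} | {f"{label}-{w}" for w in COMBO_WORDS}

def homographs(label: str) -> set[str]:
    """Replace one occurrence of a glyph (or glyph pair) with an ASCII look-alike."""
    out = set()
    for src, alts in HOMOGLYPHS.items():
        pos = label.find(src)
        while pos != -1:
            out.update(label[:pos] + alt + label[pos + len(src):] for alt in alts)
            pos = label.find(src, pos + 1)
    return {m for m in out if valid_label(m) and m != label}

def mutate(domain: str) -> dict[str, set[str]]:
    """Run every technique on the registrable label and re-attach the original TLD."""
    label, _, tld = domain.lower().partition(".")
    techniques = {"typo": typosquats, "bit": bitsquats, "combo": combosquats, "homograph": homographs}
    return {name: {f"{m}.{tld}" for m in fn(label)} for name, fn in techniques.items()}
```

Candidates that fail the label rules (an uppercase bit flip, a leading hyphen) are dropped before resolution, which is why the resolved fraction of generated names is small even before DNS is consulted.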
DNS Behaviour Analysis at Scale
After generating domains, DIBs performs DNS Behaviour Analysis.
To ensure stability, the system uses:
- Rate-limited queries
- Retry mechanisms
- Worker pools
- Caching systems
Because of these controls, the system avoids overwhelming DNS infrastructure.
At the same time, it maintains consistent throughput.
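An added example (not DIBs' code) of the four stability controls just listed working together: a shared rate limiter, a worker pool, retry with exponential backoff, and a result cache. The `lookup` callable is an assumed injection point so the pool can wrap any DNS client; the contract assumed here is that it returns the list of A records (an empty list for no data or NXDOMAIN) and raises on transient failures such as timeouts.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class RateLimiter:
    """Shared pacing for all workers: at most `qps` lookups per second overall."""
    def __init__(self, qps: float):
        self.interval, self.next_slot, self.lock = 1.0 / qps, time.monotonic(), threading.Lock()

    def wait(self) -> None:
        with self.lock:                       # reserve the next free send slot
            slot = max(time.monotonic(), self.next_slot)
            self.next_slot = slot + self.interval
        time.sleep(max(0.0, slot - time.monotonic()))

class ResolverPool:
    """Worker pool with rate limiting, retry with backoff and a result cache.
    `lookup(domain)` (an injected assumption) returns the list of A records,
    [] for no data/NXDOMAIN, and raises on transient failure, which is retried."""
    def __init__(self, lookup, qps=20.0, workers=8, retries=3, backoff=0.05):
        self.lookup, self.workers, self.retries, self.backoff = lookup, workers, retries, backoff
        self.limiter = RateLimiter(qps)
        self.cache = {}          # domain -> list of IPs, or None when every retry failed
        self.lock = threading.Lock()
        self.queries = 0         # lookups actually sent (cache hits are not counted)

    def _resolve_one(self, domain: str):
        with self.lock:
            if domain in self.cache:           # cache hit: no query is sent
                return domain, self.cache[domain]
        result = None
        for attempt in range(self.retries):
            self.limiter.wait()
            with self.lock:
                self.queries += 1
            try:
                result = self.lookup(domain)
                break
            except Exception:                  # transient error: back off, then retry
                time.sleep(self.backoff * 2 ** attempt)
        with self.lock:
            self.cache[domain] = result
        return domain, result

    def resolve_all(self, domains) -> dict:
        """Resolve unique domains concurrently; returns domain -> IPs, [] or None."""
        with ThreadPoolExecutor(max_workers=self.workers) as pool:
            return dict(pool.map(self._resolve_one, set(domains)))
```

Distinguishing an empty answer from an exhausted retry matters downstream: only the former is evidence that the name is not live, while the latter is a gap in coverage that should be re-queued.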
Intelligence Extraction
Once domains resolve, the system enriches them with additional data.
For instance, it collects:
- WHOIS information
- DNS records (A, MX, NS, TXT, etc.)
- ASN mapping
- Hosting provider details
Consequently, raw DNS data becomes structured threat intelligence.
The detailed pipeline flow is illustrated in the whitepaper diagrams (pages 3–7).
ASN Clustering and Correlation
One of the most powerful features of DIBs is ASN clustering.
Instead of analyzing domains individually, the system groups them based on shared infrastructure.
For example:
- Same IP address
- Same ASN
- Same hosting provider
Therefore, analysts can identify patterns that are otherwise invisible.
As a result, this enables:
- Campaign detection
- Infrastructure tracking
- Threat correlation
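An added example (not DIBs' code) of the infrastructure clustering described above, run over constructed enrichment records of the kind the intelligence-extraction stage produces. Domains that share an IP address or a nameserver, directly or through a chain of shared values, are merged into one cluster with a union-find structure; a separate per-ASN count gives the coarser "same ASN" view. The records, addresses (RFC 5737 documentation ranges) and ASNs (private range) are all constructed.

```python
from collections import Counter, defaultdict

# Constructed enrichment records; the domains are look-alikes of example.com.
RECORDS = [
    {"domain": "examp1e.com", "ips": ["192.0.2.10"], "asn": 64500, "ns": ["ns1.park.example"]},
    {"domain": "exarnple.com", "ips": ["192.0.2.10"], "asn": 64500, "ns": ["ns2.park.example"]},
    {"domain": "login-example.com", "ips": ["198.51.100.7"], "asn": 64500, "ns": ["ns1.park.example"]},
    {"domain": "exmaple.net", "ips": ["203.0.113.5"], "asn": 64501, "ns": ["ns1.host.example"]},
    {"domain": "eyample.com", "ips": ["203.0.113.9"], "asn": 64501, "ns": ["ns1.host.example"]},
]

class UnionFind:
    """Disjoint sets over domain names, used to merge transitively linked domains."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def pivots(records, fields=("ips", "ns")):
    """Infrastructure values shared by more than one domain: (field, value) -> domains."""
    owners = defaultdict(set)
    for r in records:
        for field in fields:
            for value in r[field]:
                owners[(field, value)].add(r["domain"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

def cluster(records, fields=("ips", "ns")):
    """Group domains that share an IP or nameserver, directly or through a chain."""
    uf = UnionFind()
    for members in pivots(records, fields).values():
        for other in members[1:]:
            uf.union(members[0], other)
    groups = defaultdict(list)
    for r in records:
        groups[uf.find(r["domain"])].append(r["domain"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def asn_summary(records):
    """Domains per ASN: the coarse 'same ASN' view of infrastructure concentration."""
    return Counter(r["asn"] for r in records)
```

The `pivots` output is what an analyst pivots on: a shared IP or nameserver names the concrete infrastructure that ties a cluster together, whereas an ASN shared by many unrelated tenants (a large cloud provider) is weak evidence on its own.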
Key Findings from the Research
The whitepaper reveals several important insights.
Infrastructure Concentration
Most domains were hosted on major cloud providers such as AWS and Cloudflare.
This indicates that attackers prefer scalable infrastructure.
Domain Parking Strategy
Many domains were linked to parking services.
Therefore, attackers likely register domains in advance and activate them later.
TLD Distribution
The most common TLDs among the resolved domains were:
- .com
- .in
- .net
- .org
- .xyz
This reflects both global and regional targeting.
Human-Readable Domains Work Better
Although mutation techniques generate volume, human-readable domains are more effective.
For instance, prefixes such as:
- login-
- secure-
- verify-
These make a domain look legitimate to a victim and improve attack success rates.
DNSSEC Absence
None of the domains used DNSSEC.
This suggests low security standards and temporary infrastructure.
Performance and Stability
The system maintained stable performance throughout execution.
- Runtime: ~11 hours
- Throughput: 15–25 QPS
- Memory stabilized after peak
Moreover, no major instability was observed.
Limitations
DIBs also has some limitations.
For example:
- Adaptive control is not fully integrated
- Intel pipeline parallelism is limited
- Redis dependency exists
However, these are expected trade-offs and future improvements.
Why Domain Intelligence Matters
At this point, the importance of Domain Intelligence becomes clear.
A proactive approach allows security teams to:
- Detect threats earlier
- Understand infrastructure patterns
- Reduce response time
Therefore, organizations gain a significant advantage over attackers.
Read the Full Whitepaper
For a complete technical breakdown, refer to the original whitepaper.
https://cdn.official-biswadeb941.in/pdf/DIBs-Whitepaper-v1.0.1.pdf
Conclusion
Domain Intelligence is no longer optional in modern cybersecurity.
A system like DIBs enables proactive detection, infrastructure visibility, and better threat understanding.
Ultimately, the ability to explore and analyse domain space before attacks occur gives defenders a critical edge.
References
- Domain Intelligence & Behaviour System (DIBs) – Technical Whitepaper
https://cdn.official-biswadeb941.in/pdf/DIBs-Whitepaper-v1.0.1.pdf
- Domain Intelligence & Behaviour System (DIBs) – Source Code
https://github.com/Mr-Biswadeb-Mukherjee/DIBs
- Domain Name System (DNS) Concepts (RFC 1034)
https://datatracker.ietf.org/doc/html/rfc1034
- DNS Implementation Specification (RFC 1035)
https://datatracker.ietf.org/doc/html/rfc1035
- DNS Security Extensions (DNSSEC) Overview (RFC 4033)
https://datatracker.ietf.org/doc/html/rfc4033
- Jaro-Winkler String Similarity (Overview)
https://en.wikipedia.org/wiki/Jaro%E2%80%93Winkler_distance
- Shannon Entropy in Information Theory
https://en.wikipedia.org/wiki/Entropy_(information_theory)
- Registration Data Access Protocol (RDAP) (RFC 7480)
https://datatracker.ietf.org/doc/html/rfc7480
- Understanding Autonomous Systems (ASN)
https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/