New Subdomain Reputation Detection for DNS Security

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker

Palo Alto Networks has added a new detection for DNS Security called Subdomain Reputation which is available as part of Grayware Category.  


What is Subdomain Reputation and why does it matter?


Cybercriminals often leverage subdomains of popular web hosting or dynamic domain name system (DDNS) services to host and distribute malicious content. This method provides attackers a cheaper alternative to register their own domains  and easily evade traditional security defenses with reputable domains of these hosting services. 


Given the benefits of this method, attackers are increasingly using subdomains of apex public domains to carry out targeted attacks like phishing, malware distribution and command and control.  As of December, 2022, Palo Alto Networks observed an alarming number of malicious domains (4.8%), which are the subdomains of well-known web hosting services. 


Case Study: Roaming Mantis Campaign


The Roaming Mantis campaign is a  SMS Phishing campaign targeting mobile users across the globe. Attackers used several subdomains of dynamic DNS services, such as duckdns[.]org,  to distribute malware and steal credentials.



Free Robux Generator:


Roblox is an online gaming platform that allows users to purchase Roblox currency – called Robux – to access certain perks in the Roblox virtual world. Since the middle of December 2022, our detection system has identified over 3,000 subdomains of Blogspot being abused to serve phishing campaign scamming Roblox users with free Robux upon performing tasks like installing software, entering a contest to win money, or using a tool to monitor credit scores.


How does a detection engine with ML models help identify, detect and prevent attacks due to Subdomain Reputation?


Identifying malicious subdomains requires new methods compared to traditional malicious domain detection that leverage tools like WHOIS for domain level information like when and who registered the domain but lacks similar information at subdomain level. Palo Alto Network’s new subdomain detector focuses on subdomains of a half dozen public apex domains chosen for evaluation largely based on how often their subdomains are reported by our other detectors. It identifies an average of over 300 high-risk subdomains per day. On these subdomains, we use advanced ML-powered analytics like domain reputation, distribution of characters in domain name, web page behavior like redirection and so on that enables us to detect and block with  high confidence subdomains used for malicious purposes. 


When will the Subdomain Reputation detection be available in DNS Security?


Subdomain Reputation detection is released under the DNS Grayware category, which is part of the PAN-OS 10.0 release. So, customers with PAN-OS 10.0 or later are able to benefit from this new detection through simple content update. Customers can sinkhole, block, or alert this new detection based on their policy for handling Grayware. The default action for the Grayware category is “block” on the different NGFW form factors and “sinkhole” on Prisma Access. 


There are no configuration changes or actions required by customers unless there is a need to change the default action of Grayware category. 


Below is the snippet of how subdomain reputation entries appear in the threat log of the firewall:




Read more about DNS.


1 Comment
  • 324 Subscriptions
Register or Sign-in