
Domain generation algorithm (DGA)

Definition

Code embedded in malware that produces a large set of pseudo-random domain names on a scheduled basis. The malware tries each candidate in turn until one resolves, which connects the infected host to command-and-control infrastructure even when most of the generated list has already been blocked.
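The behaviour in the definition leaves a recognisable trace at the recursive resolver: one client asking for many random-looking names, most of which return NXDOMAIN, until one of them resolves. The following detector is an added example for this glossary entry, not code from the page or from any product; it scores a constructed resolver log (client IP, queried name, response code) with two signals, a per-client NXDOMAIN burst and the Shannon entropy of the second-level label, and reports the random-looking names that did resolve, since those are the ones worth pivoting on with passive DNS and WHOIS. The thresholds and the log format are assumptions chosen for the sample.

```python
import math
from collections import defaultdict

# Constructed resolver log excerpt (client IP, queried name, response code).
# These lines are made up for the example; they are not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 xk2q9v7zplw4.com NXDOMAIN
10.0.0.9 q8mz1tr3vybn.net NXDOMAIN
10.0.0.9 p0wlz7kx3dqa.com NXDOMAIN
10.0.0.9 h4jv9nqx2lrt.org NXDOMAIN
10.0.0.9 z1x7kq4mvwpj.com NXDOMAIN
10.0.0.9 r6tlq2xv8mkw.info NOERROR
10.0.0.5 cdn.example.org NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Label just left of the TLD, e.g. 'example' for www.example.com.
    Simplification: assumes a single-label TLD (no co.uk-style suffix handling)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label: str, entropy_threshold: float = 3.0, min_len: int = 10) -> bool:
    """Heuristic: long labels with many distinct characters look machine-generated.
    Word-list DGAs defeat this test, which is why the NXDOMAIN count is also used."""
    return len(label) >= min_len and shannon_entropy(label) >= entropy_threshold


def parse_log(text: str):
    """Parse 'client qname rcode' lines; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        client, qname, rcode = fields
        records.append((client, qname.lower(), rcode.upper()))
    return records


def find_dga_suspects(records, nx_threshold: int = 3, random_threshold: int = 3):
    """Group queries by client and flag clients that show both a burst of NXDOMAIN
    answers and several random-looking names. For flagged clients, 'resolved' lists
    the random-looking names that answered NOERROR: the candidate C2 domains."""
    per_client = defaultdict(lambda: {"nxdomain": 0, "random_labels": 0, "resolved": []})
    for client, qname, rcode in records:
        stats = per_client[client]
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        if looks_random(second_level_label(qname)):
            stats["random_labels"] += 1
            if rcode == "NOERROR":
                stats["resolved"].append(qname)
    return {
        client: stats
        for client, stats in per_client.items()
        if stats["nxdomain"] >= nx_threshold and stats["random_labels"] >= random_threshold
    }


if __name__ == "__main__":
    for client, stats in find_dga_suspects(parse_log(SAMPLE_LOG)).items():
        print(client, stats)
```

On the sample, only 10.0.0.9 is flagged (five NXDOMAIN answers, six random-looking labels) and `r6tlq2xv8mkw.info` is reported as the name that finally resolved. The entropy test alone is weak against dictionary-based generators and can trip on long legitimate hostnames, so the NXDOMAIN burst per client is the signal to trust; in production the thresholds should be tuned against a baseline of the resolver's normal traffic.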

Related terms

A record
A DNS resource record that maps a domain name to an IPv4 address. The primary attribution record in most investigations. An AAAA...
DNS tunnelling
Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks...
Fast-flux
An evasion technique in which a domain's A records cycle through a large pool of IP addresses with very short TTL values....
Indicator of Compromise (IoC)
An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
MISP (Malware Information Sharing Platform)
An open-source threat intelligence platform that enables structured sharing of IOCs and threat intelligence using STIX and other formats. Widely deployed by...
Passive DNS
A historical database of DNS resolutions collected by sensors at recursive resolvers or network taps. Passive DNS shows which IP addresses a...
Pyramid of Pain
A model proposed by David Bianco that ranks IOC types by the cost to an attacker of changing them when defenders start...
STIX (Structured Threat Information eXpression)
An OASIS open standard that defines a JSON-based language for describing cyber threat intelligence. STIX 2.1 defines objects for indicators, threat actors,...
TAXII (Trusted Automated eXchange of Intelligence Information)
The transport protocol companion to STIX. TAXII defines how STIX data is exchanged between servers and clients over HTTPS, enabling automated ingestion...
WHOIS
A query protocol that returns registration data for a domain, including registrant name, organisation, email, nameservers, and registration and expiry dates. Since...

Explained in these topics

  • DNS and Domain Investigation
    Code embedded in malware that produces a large set of pseudo-random domain names on a scheduled basis. The malware tries each until one resolves, connecting it...
  • Indicators of Compromise: Identification and Use
    A technique used by malware to generate large numbers of candidate command-and-control domain names algorithmically, making it impractical to block the attacke...
