Survey and Analysis of DNS Filtering Components
Jonathan Magnusson
TL;DR
This survey analyzes DNS resolver filtering through three core techniques: Response Policy Zones (RPZ), Threat Intelligence Feeds (TIF), and Domain Generation Algorithm (DGA) detection. It synthesizes trends, strengths, and limitations across 2018–2023, highlighting gaps such as the sparse integration of RPZ with TIF and the difficulty of detecting previously unseen DGAs. The methodology systematically reviews 22 papers from three major databases, and the author proposes an open-source framework that combines RPZ, TIF, and DGA detection with privacy-preserving sharing and explainable AI to improve effectiveness and trust. The work provides a practical roadmap for future research and framework design aimed at more robust, transparent, and scalable DNS filtering.
Abstract
The Domain Name System (DNS) comprises name servers that translate domain names, most commonly, into IP addresses. Authoritative name servers host the resource records (RR) for the zones they serve, and resolver name servers answer DNS queries on behalf of their clients by querying those authoritative servers. Unfortunately, cybercriminals often use DNS for malicious purposes, such as phishing, malware distribution, and botnet command-and-control. To combat these threats, filtering resolvers have become increasingly popular, employing various techniques to identify and block malicious requests. In this paper, we survey several techniques to implement and enhance the capabilities of filtering resolvers, including response policy zones, threat intelligence feeds, and detection of algorithmically generated domains. We identify the current trends in each area and find missing intersections in the literature that could be used to improve the effectiveness of filtering resolvers. In addition, we propose future work designing a framework for filtering resolvers using the state-of-the-art approaches identified in this study.
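To make the three techniques concrete, the following added example (not code from the paper or its proposed framework) shows the RPZ/TIF intersection the abstract describes: it parses a constructed threat-intelligence feed, applies a simple entropy heuristic for algorithmically generated domain labels, and emits a Response Policy Zone that a filtering resolver such as BIND or Unbound can load. The feed contents, the `allowlist:` prefix convention, the zone name `rpz.local.` and the entropy and vowel-ratio thresholds are all assumptions for illustration; the RPZ record forms (`CNAME .` for NXDOMAIN, `CNAME rpz-passthru.` for an exemption) are the standard ones.

```python
"""Build a Response Policy Zone (RPZ) from a threat-intelligence feed and
flag likely algorithmically generated domain labels.

Added example, not from the surveyed paper. Feed lines, thresholds and the
zone name are constructed assumptions.
"""
import math
from collections import Counter

# Constructed sample feed (not real indicators). One domain per line;
# '#' starts a comment; 'allowlist:' marks an exemption (assumed convention).
SAMPLE_FEED = """\
# constructed indicators for illustration only
phish-login.example
malware-cdn.example
xkqzvbtrwplm.example
allowlist:updates.example
"""

RPZ_ORIGIN = "rpz.local."  # hypothetical policy zone name


def parse_feed(text):
    """Return (block, allow) sets of lowercase names without trailing dots."""
    block, allow = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("allowlist:"):
            allow.add(line[len("allowlist:"):].rstrip("."))
        else:
            block.add(line.rstrip("."))
    return block, allow


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label, min_len=12, entropy_threshold=3.5):
    """Heuristic for classic character-level DGAs: a long, high-entropy,
    consonant-heavy label. Thresholds are assumed; this deliberately misses
    dictionary-based DGAs, which the survey notes remain hard to detect."""
    label = label.lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < 0.3


def build_rpz(block, allow, origin=RPZ_ORIGIN, serial=1):
    """Render an RPZ zone file. Allowlisted names get rpz-passthru so they win
    even if a feed also lists them; blocked names get CNAME . (NXDOMAIN).
    Wildcard owners cover subdomains of each listed name."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ SOA ns.{origin} hostmaster.{origin} {serial} 3600 600 86400 300",
        f"@ NS ns.{origin}",
    ]
    for d in sorted(allow):
        lines.append(f"{d} CNAME rpz-passthru.")
        lines.append(f"*.{d} CNAME rpz-passthru.")
    for d in sorted(block - allow):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


def suspicious_labels(block):
    """Left-most labels in the block set that the DGA heuristic flags."""
    return sorted(d for d in block if looks_generated(d.split(".")[0]))


if __name__ == "__main__":
    blocked, allowed = parse_feed(SAMPLE_FEED)
    print("DGA-like:", suspicious_labels(blocked))
    print(build_rpz(blocked, allowed))
```

In BIND the generated file is attached with `response-policy { zone "rpz.local"; };` after the zone is declared; Unbound has an equivalent `rpz:` clause. The DGA check is intentionally a baseline: it separates random-looking labels from ordinary words, which is exactly the case where the surveyed machine-learning detectors add value.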
