2025-10-21 –, Europe
DNS gives a unique vantage point for phishing detection. In our presentation we will show how we use it at CERT.PL to search for phishing domains in the .pl top-level domain, but also more universally as our contribution to the DNS4EU project – an entirely European DNS resolver. We will discuss using various parts of the DNS ecosystem as observation points, and then show how we applied standard heuristics and machine learning/AI methods to get some good detection results.
DNS (Domain Name System) is one of the cornerstones of the internet. Its various parts create a rather complex, interconnected ecosystem, with many observation points for phishing detection. Some of those are covered by CERT.PL monitoring systems as our contribution to the DNS4EU project – an entirely European DNS resolver.
In our presentation we will show our three approaches to phishing detection. Firstly, we will show how we identify new phishing domains in .pl by looking into DNS registry data. Secondly, we will show how we monitor DNS requests at the .pl TLD nameserver level for early phishing campaign detection. Thirdly, we will present how we analyze requests at the resolver level in order to detect phishing in various TLDs.
We will discuss when we use a rule-based approach/heuristics, and when we decided to use machine learning/AI methods to boost our analytics. We will talk about the pros and cons of our systems, and how well they perform at phishing detection.
Piotr Białczak is a researcher at CERT.PL. His professional interests include network traffic analysis, phishing detection, and applying machine learning to security problems.
Michał Hałoń works as an AI expert at NASK - National Research Institute, where he focuses on phishing detection and the practical application of machine learning algorithms. In his free time, he enjoys creating educational content on the fundamentals of machine learning.