2025-10-21, Europe
DNS gives a unique vantage point for phishing detection. In my presentation I will show how we use it at CERT.PL to search for phishing domains in the .pl top-level domain, but also more universally as our contribution to the DNS4EU project – an entirely European DNS resolver. I will discuss using various parts of the DNS ecosystem as observation points, and then show how we applied standard heuristics and machine learning/AI methods to get some good detection results.
DNS (Domain Name System) is one of the cornerstones of the internet. Its various parts create a rather complex, interconnected ecosystem, with many observation points for phishing detection. Some of those are covered by CERT.PL monitoring systems as our contribution to the DNS4EU project – an entirely European DNS resolver.
In my presentation I will show our three approaches to phishing detection. Firstly, how we identify new phishing domains in .pl by looking into DNS registry data. Secondly, I will show how we monitor DNS requests at the .pl TLD nameserver level for early phishing campaign detection. Thirdly, I will present how we analyze requests at the resolver level in order to detect phishing across various TLDs.
I will discuss when we use rule-based approaches/heuristics, and when we decided to use machine learning/AI methods to boost our analytics. I will talk about the pros and cons of our systems, and how well they perform at phishing detection.
Piotr Białczak is a researcher at CERT.PL. His professional interests include network traffic analysis, phishing detection, and applying machine learning to security problems.