Family Classification in PDNS-App
Families and Risks
PDNS-App uses a system of classification families to label domains observed or blocked through Protective DNS, RPZ, external feeds, proprietary telemetry, and historical correlation.
These families do not necessarily represent active real-time malware, but rather the risk, behavior, or context associated with the domain from the perspective of DNS control, prevention, and operational analysis.
The most common families are briefly described below.
General Families
- malware
Domain directly associated with malware distribution, payloads, command-and-control (C2) infrastructure, or confirmed malicious downloads.
- malicious
Generic category for clearly malicious domains when no more specific family exists or the source does not allow greater precision.
- suspicious
Domain with anomalous behavior or signs of risk, but without sufficient confirmation to classify it as active malware.
- unknown
Domain observed in real traffic or external feeds without enough information for a conclusive classification.
- undetected
Domain previously associated with malicious activity but currently showing no active signs. A natural delay may exist between remediation and source updates.
- unwanted
Domain not necessarily malicious, but associated with intrusive, deceptive, or unwanted practices from the end-user perspective.
Advertising, Tracking, and Monetization
- adware
Domain related to aggressive advertising software, forced redirects, or unwanted installations.
- adult_ads
Advertising infrastructure focused on adult content, deceptive affiliation, or aggressive monetization. It does not necessarily imply malware, but commonly appears in low-quality campaigns.
- tracker
Domain dedicated to user tracking, fingerprinting, or behavioral correlation beyond legitimate analytics.
- telemetry
Infrastructure used for collecting data, metrics, or events. It may be legitimate or abusive depending on the context.
- malvertising
Advertising infrastructure used to distribute malware, malicious redirects, or exploits.
- traffic_distribution
Traffic Distribution Systems (TDS) infrastructure used to redirect traffic between multiple destinations according to dynamic rules (geolocation, user-agent, reputation, timing). It is commonly used in malvertising, phishing, and loader campaigns.
Specific Threats
- phishing
Domain designed to impersonate legitimate services in order to steal credentials, financial information, or personal data.
- credential_phishing
Specific phishing subcategory focused exclusively on credential theft (SSO, email, VPN, cloud, routers, etc.). These campaigns frequently use lookalike domains and short-lived subdomains.
- dga
Domain produced by a Domain Generation Algorithm (DGA), typical of botnets and malware that rotate through many domains to evade blocking.
- botnet
Infrastructure associated with networks of compromised devices used for DDoS, spam, scanning, or remote control.
- badbox_botnet
Botnet associated with Android devices, TV boxes, or other IoT devices compromised at factory level or through sideloading.
- vo1d_botnet
Botnet mainly observed in IoT devices and routers, with heavy use of DGA and rotating infrastructure.
- banking_trojan
Domains associated with banking malware families (for example, TinyNuke or Nymaim), which commonly use Domain Generation Algorithms (DGA) for command and control (C2). DNS queries to these domains indicate infected or poorly remediated systems, even when the malicious infrastructure is no longer active.
RATs and Stealers
- rat
General category for domains associated with Remote Access Trojans.
- netsupportmanager_rat
Infrastructure associated with abuse of NetSupport Manager, a legitimate remote access tool frequently used in phishing campaigns and initial compromise operations. It commonly operates without exploits, relying on social engineering.
- quasar_rat
Infrastructure linked to Quasar RAT malware, commonly seen in Windows environments and persistent remote access campaigns.
- async_rat
Domain associated with AsyncRAT, frequently used for espionage, information theft, and remote control.
- njrat
Infrastructure related to njRAT, common in opportunistic campaigns and regional targeting.
- stealer
Domains used by malware specialized in stealing credentials, cookies, wallets, or sensitive information.
- lumma_stealer
Specific infrastructure associated with Lumma Stealer, frequently distributed through malvertising and loaders.
Infrastructure and Abuse
- infrastructure_abuse
DNS infrastructure or domains used in an abusive manner but not necessarily malicious by themselves. Includes routers, IoT devices, OEM firmware, management portals, domains with massive volumes of subdomains without clear semantics, and exposed services generating high operational noise.
- high_abuse_registrar
Domains registered through registrars with a recurring history of abusive registrations, fast-flux domains, or poor response to takedown requests.
- cobaltstrike
Infrastructure associated with Cobalt Strike, whether a legitimate copy being abused or malicious implants operated by attackers.
- tofsee
Infrastructure related to the Tofsee botnet, historically used for spam, proxying, and malware distribution.
- servfail_attack
Domain or pattern used to trigger resolution failures, amplification, or deliberate degradation of DNS services.
- apt_infrastructure
Domains and network infrastructure directly controlled by an Advanced Persistent Threat (APT) actor, used to enable attacks such as DNS manipulation, traffic redirection, update hijacking, component staging, or command-and-control (C2) communications, even when the domain does not directly host malicious payloads.
Lists and External Sources
- misp
Domain imported from a MISP instance. Classification may depend on the original event, attribute, or feed.
- event_related_malware
Domain linked to a specific event (campaign, incident, operation) rather than a persistent family.
- banned
Domain blocked due to external or regulatory policies (for example, vendor lists such as Kaspersky).
Adult Content
- porn
Domain containing adult or explicit content. It does not imply malware, but may be blocked due to content policy or compliance.
Visual Classification for the Portal
Tracker
Domains associated with advertising tracking and user correlation. They do not represent direct technical compromise.
UI Severity: Green
Technical Risk: Low
Common blocking reason: privacy, compliance, internal policy
Telemetry
Infrastructure for collecting metrics, events, or service usage. It may be legitimate or excessive depending on the context.
UI Severity: Amber
Technical Risk: Low to Medium
Common blocking reason: data control, operational noise
Malware (Real Threats)
Domains associated with confirmed active threats, including malware, phishing, botnets, and C2 infrastructure.
UI Severity: Red
Technical Risk: High / Critical
Common blocking reason: immediate security
Family Comparison (Summary)

| Family | Severity | Risk | Description |
|---|---|---|---|
| Tracker | Green | Low | Advertising tracking and user correlation |
| Telemetry | Amber | Low / Medium | Collection of metrics and events |
| Malware | Red | High | Active threat with direct security impact |
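The three tiers above are what makes differentiated policy possible: a tracker can be allowed and logged, telemetry answered with an empty response, and a threat family sinkholed. The following is an added example written for this page, not PDNS-App's own code. It takes constructed classification events (a domain may carry several over time), keeps the most recent family per domain, maps it to a tier following the portal's visual classification, and emits DNS RPZ records with one action per tier. The RPZ encoding (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` for allow-and-log) is the standard RPZ convention, but which action each tier gets, and the set of families placed in the Red tier, are assumptions of this example, not documented PDNS-App policy. Families the page describes as policy-dependent are left unmapped and surfaced for review rather than silently allowed.

```python
"""Added example for this page: resolve a domain's current family, map it to
the portal's severity tier, and emit DNS RPZ records with a per-tier action.

Illustrative code only; it is not PDNS-App's implementation. Family names
come from this page. The tier assignment for threat families follows the
"Malware (Real Threats)" description; the RPZ action per tier is an
assumption of this example.
"""

GREEN, AMBER, RED = "Green", "Amber", "Red"

# Tier per family, following the portal's visual classification. Families the
# page describes as policy-dependent (adware, unwanted, porn, banned, unknown,
# undetected, suspicious, ...) are deliberately left out: they fall into the
# "unmapped" bucket and are surfaced for review rather than treated as safe.
TIER_BY_FAMILY = {
    "tracker": GREEN,
    "telemetry": AMBER,
}
# Assumption: these families from the page are the ones the portal shows Red.
RED_FAMILIES = (
    "malware", "malicious", "phishing", "credential_phishing", "dga",
    "botnet", "badbox_botnet", "vo1d_botnet", "banking_trojan",
    "rat", "netsupportmanager_rat", "quasar_rat", "async_rat", "njrat",
    "stealer", "lumma_stealer", "cobaltstrike", "tofsee",
    "malvertising", "apt_infrastructure",
)
TIER_BY_FAMILY.update({f: RED for f in RED_FAMILIES})

# RPZ action encoding: a CNAME to "." answers NXDOMAIN, to "*." answers
# NODATA, to "rpz-passthru." returns the real answer but still logs the hit.
# Which tier gets which action is this example's assumption.
RPZ_ACTION = {RED: ".", AMBER: "*.", GREEN: "rpz-passthru."}


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot so one name is not classified
    twice under two spellings."""
    return domain.strip().lower().rstrip(".")


def current_family(events):
    """Return {domain: family} using the most recent event per domain.

    `events` is an iterable of (domain, family, observed) tuples; `observed`
    only needs to sort chronologically (an ISO-8601 date string is enough).
    A domain may change family over time, so only the latest one is kept.
    """
    latest = {}
    for domain, family, observed in events:
        d = normalize(domain)
        if d not in latest or observed > latest[d][1]:
            latest[d] = (family, observed)
    return {d: fam for d, (fam, _) in latest.items()}


def rpz_records(events):
    """Build RPZ zone lines per domain plus a list of unmapped domains.

    Returns (records, review). `review` holds (domain, family) pairs with no
    tier; they must not be read as "safe", only as lacking a policy decision.
    """
    records, review = [], []
    for domain, family in sorted(current_family(events).items()):
        tier = TIER_BY_FAMILY.get(family)
        if tier is None:
            review.append((domain, family))
            continue
        target = RPZ_ACTION[tier]
        records.append(f"{domain} CNAME {target} ; family={family} tier={tier}")
        if tier == RED:
            # Threat infrastructure rotates subdomains; cover them with a wildcard.
            records.append(f"*.{domain} CNAME {target} ; family={family} tier={tier}")
    return records, review


# Constructed sample events (not real telemetry). The two entries for
# "cdn-update.example" show a domain moving from telemetry to stealer C2.
SAMPLE_EVENTS = [
    ("Ads-Sync.Example.", "tracker", "2024-01-10"),
    ("metrics.example", "telemetry", "2024-01-11"),
    ("cdn-update.example", "telemetry", "2024-01-05"),
    ("cdn-update.example", "lumma_stealer", "2024-02-01"),
    ("login-portal.example", "credential_phishing", "2024-02-03"),
    ("oddhost.example", "undetected", "2024-02-04"),
]

if __name__ == "__main__":
    recs, rev = rpz_records(SAMPLE_EVENTS)
    print("\n".join(recs))
    for d, f in rev:
        print(f"; REVIEW {d} family={f} (no tier assigned; not treated as safe)")
```

Running the block prints six RPZ lines (the two Red domains get a wildcard record each) and one review line for the `undetected` domain. The latest-wins rule is what keeps `cdn-update.example` sinkholed even though an older event labelled it telemetry; feeding events in arbitrary order gives the same result because the comparison is on the timestamp, not on input position.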
Advertising and Tracking Platforms (AdTech)
Some domains classified within the tracker family correspond to legitimate advertising technology (AdTech) platforms.
Common examples include GumGum, Criteo, DoubleClick, Taboola, Outbrain, and Quantcast.
These platforms enable online advertising, audience measurement, identifier synchronization, and content recommendation. They are not considered malware, but they involve large-scale tracking of user behavior.
From the perspective of Protective DNS, blocking these domains is related to privacy decisions, regulatory compliance, or internal policies, rather than a direct technical threat.
Operational Notes
A domain may change family over time.
PDNS-App prioritizes DNS prevention over antivirus classification.
Families enable differentiated policies, reporting, and historical analysis.
The absence of a specific family does not imply safety, only a lack of sufficient evidence.