Skip to main content
The generate_DGA() function generates and tests connections to Domain Generation Algorithm (DGA) style domains. DGA is a technique used by malware to dynamically create domain names for command & control servers, making them harder to block.

What are DGA Domains?

Domain Generation Algorithms create pseudo-random domain names that malware uses to contact command & control (C2) servers. This technique makes it difficult to block malicious domains because:
  • Thousands of domains can be generated from a single algorithm
  • Attackers only need to register a few domains from the generated list
  • Traditional blocklists become ineffective
  • Detection requires behavioral analysis and pattern recognition
DGA domains are commonly used by advanced malware families including Conficker, Cryptolocker, Zeus, and many modern ransomware variants.

How It Works

1

Select TLD

Chooses from top-level domains commonly abused in cybercrime (based on Netcraft data).
tld_list = ['xyz', 'top', 'zone', 'info', 'biz', 'gq', 'tk', 'club']
# Source: https://trends.netcraft.com/cybercrime/tlds
2

Generate Random Domain

Creates a random domain name with 5-15 lowercase characters, mimicking DGA patterns.
for _ in range(1, 15):
    tld = random.choice(tld_list)
    domain_length = random.randint(5, 15)
    domain_name = ''.join(random.choices(string.ascii_lowercase, k=domain_length))
    dga = f'{domain_name}.{tld}'
    sampleDGA.append(dga)
3

Socket Connection Testing

Attempts socket connections to generated domains on ports 80 and 443.
ports = [80, 443]
for ip in sampleDGA:
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        result = sock.connect_ex((ip, port))
4

Results Logging

Logs all connection attempts to DGA_Results.txt with special notation that these are generated domains.

High-Risk TLDs

The test uses TLDs with high cybercrime association rates:
  • .xyz - Popular for malicious campaigns
  • .top - Frequently used in phishing
  • .zone - Common in malware infrastructure
  • .info - Historical abuse in spam/malware
  • .biz - Used in various malicious campaigns
  • .gq - Free TLD often abused
  • .tk - Free TLD with high abuse rates
  • .club - Emerging malicious usage
These TLDs are chosen based on Netcraft’s cybercrime trends analysis: https://trends.netcraft.com/cybercrime/tlds

Output Format

Results are saved to DGA_Results.txt with the following format: 
Timestamp:14:45:10 IP:xjklmnqrs.xyz : Port:80 tested (Actual DGA generated by script, so the domain even may not exist BUT look if your FW or IPS detected the request and tagged it)
Timestamp:14:45:15 IP:abcdefgh.top : Port:443 tested (Actual DGA generated by script, so the domain even may not exist BUT look if your FW or IPS detected the request and tagged it)

def generate_DGA():
    tld_list = ['xyz', 'top', 'zone', 'info', 'biz', 'gq', 'tk', 'club']
    sampleDGA = []
    for _ in range(1, 15):
        tld = random.choice(tld_list)
        domain_length = random.randint(5, 15)
        domain_name = ''.join(random.choices(string.ascii_lowercase, k=domain_length))
        dga = f'{domain_name}.{tld}'
        sampleDGA.append(dga)
    myFile = open("DGA_Results.txt", mode="a+")
    ports = [80, 443]
    for ip in tqdm(sampleDGA, desc="Testing samples, Results saved at DGA_Results.txt"):
        for port in ports:
            try:
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.settimeout(5)
                result = sock.connect_ex((ip, port))
                if result == 0:
                    current_time = time.strftime("%X")
                    resultUP = (
                        f"Timestamp:{str(current_time)} IP:{str(ip)} : Port:{str(port)}"
                        + " tested (Actual DGA generated by script, so the domain even may not exist BUT look if your FW or IPS detected the request and tagged it)\n"
                    )
                    myFile.write(resultUP)
                else:
                    current_time = time.strftime("%X")
                    resultDOWN = (
                        f"Timestamp:{str(current_time)} IP:{str(ip)} : Port:{str(port)}"
                        + " tested (Actual DGA generated by script, so the domain even may not exist BUT look if your FW or IPS detected the request and tagged it)\n"
                    )
                    myFile.write(resultDOWN)
                sock.close()
            except Exception as e:
                current_time = time.strftime("%X")
                resultDOWN = (
                    f"Timestamp:{str(current_time)} IP:{str(ip)} : Port:{str(port)}"
                    + " tested (Actual DGA generated by script, so the domain even may not exist BUT look if your FW or IPS detected the request and tagged it)\n"
                )
                myFile.write(resultDOWN)
                continue

What to Monitor

DNS Query Patterns

Look for DNS queries to randomly-named domains with high-risk TLDs - a key DGA indicator.

NXDOMAIN Responses

High volumes of NXDOMAIN (non-existent domain) responses may indicate DGA activity.

Behavioral Detection

Advanced security tools should flag DGA patterns based on entropy analysis and algorithmic detection.

Threat Intelligence

Correlate detected domains with known DGA families and malware signatures.

Detection Techniques

DGA domains typically have high entropy (randomness) compared to legitimate domains:
  • Legitimate: accounts.google.com (low entropy)
  • DGA: xjklmnqrstuv.xyz (high entropy)
Security tools can calculate domain entropy to identify potential DGA activity.
Machine learning models analyze:
  • Character distribution patterns
  • N-gram frequency analysis
  • Domain length distributions
  • Consonant/vowel ratios
  • Dictionary word presence
Monitor for:
  • Rapid successive DNS queries to random domains
  • Multiple NXDOMAIN responses
  • Queries concentrated in specific TLDs
  • Periodic query patterns (timed C2 callbacks)
Flag domains using high-risk TLDs combined with:
  • Short domain age
  • Lack of WHOIS information
  • No web content
  • Fast flux DNS patterns
Important: The domains generated by this test are randomly created and may not actually exist. The goal is to test if your security controls can DETECT the DGA pattern behavior, not necessarily block the domains.Successful detection appears in:
  • IDS/IPS alerts for DGA patterns
  • DNS security logs flagging suspicious queries
  • SIEM correlation rules triggering on DGA indicators

Testing Workflow

# Run Somnium and select option 6
python main.py
# Choose: #6 Test connection to Domain-Generated-Algorithm Domains

# Review results
cat DGA_Results.txt

# Check security detection
# - IDS/IPS alerts for DGA patterns
# - DNS security logs for suspicious queries
# - SIEM correlation for behavioral anomalies
# - Machine learning model detections

Malware Families Using DGA

Common malware families that employ DGA techniques:
  • Conficker - One of the first widespread DGA implementations
  • Cryptolocker - Ransomware using DGA for C2
  • Zeus/Gameover Zeus - Banking trojan with DGA C2
  • Necurs - Botnet with sophisticated DGA
  • Ramnit - Banking trojan using DGA domains
  • Matsnu - Advanced DGA implementation
  • Torpig - Early DGA-based malware
  • Suppobox - Modern DGA variant

Security Controls to Validate

  • DNS Security Services - Should flag DGA patterns using entropy analysis
  • IDS/IPS Systems - Should detect DGA-style DNS queries
  • Machine Learning Tools - Should classify domains as algorithmically generated
  • SIEM Correlation - Should alert on multiple NXDOMAIN responses
  • Threat Intelligence - Should match patterns against known DGA families
  • Sandbox Analysis - Should identify DGA behavior in malware samples
This test generates 14 random DGA-style domains and tests connections on 2 ports each (28 total attempts). Most domains won’t exist, but security tools should still detect the suspicious query patterns.

Expected Security Response

Proper DGA detection should:
  1. DNS Layer - Flag queries based on entropy and pattern analysis
  2. Network Layer - Alert on unusual DNS query volumes and patterns
  3. Endpoint Layer - Detect processes making DGA-style DNS requests
  4. SIEM Layer - Correlate multiple DGA indicators for investigation

Build docs developers (and LLMs) love

Get started for freeTalk to us