Glossary
What Is a Domain Generation Algorithm (DGA)?
A Domain Generation Algorithm (DGA) is a piece of malware logic that algorithmically produces a steady stream of pseudo-random domain names — often hundreds or thousands per day — for use as command-and-control rendezvous points. The malware tries to resolve each one until it finds a domain the attacker has registered, defeating static blocklists.
Why Attackers Use DGAs
Static C2 domains are easy to block: defenders find one, blocklist it, and the malware loses contact. DGAs invert that economics. The malware and the operator share a seed (often the current date plus a secret); both derive the same domain list independently, so the defender would have to block every candidate in advance while the operator only needs to register a handful of upcoming domains to keep the bots phoning home.
What DGA Domains Look Like
Most DGA output is statistically obvious. Domains tend to be:
- Long (12–25 characters), random-looking strings.
- Non-pronounceable — high entropy, low n-gram probability.
- Heavily concentrated in low-cost TLDs (.top, .xyz, .info).
- Registered in bulk minutes apart, often through the same registrar.
- Resolving briefly then disappearing, leaving short DNS histories.
Notable DGA Families
Conficker popularized large-scale DGAs in 2008. Since then DGAs have appeared in dozens of families: Necurs, Pykspa, Bedep, Suppobox, CryptoLocker, Mirai, Qakbot. Most modern banking trojans and botnets ship with a DGA fallback even when they have a static C2.
How DGA Domains Are Detected
- Statistical analysis — entropy and n-gram features in the hostname string.
- Behavioral clustering — bursts of newly registered short-lived domains.
- ML classifiers — trained on known DGA samples and benign domains.
- Pivoting on infrastructure — DGA registrations often share registrar, nameserver, and timing patterns.
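The string-level signals listed above (length, character entropy, n-gram probability, cheap TLD) can be scored straight off a resolver log. The following is an added example for this glossary entry, not code from Whisper or from any of the families named here. It trains a bigram model on a small constructed list of benign second-level labels, then scores each queried hostname with Shannon entropy and a smoothed mean bigram log-probability; the two DGA-style names, the benign corpus, the thresholds and the helper names (`second_level_label`, `bigram_score`, `is_dga_like`, `score_queries`) are all constructed for illustration. It deliberately includes a long, high-entropy benign label to show why entropy alone over-flags and the n-gram feature is needed as a second check.

```python
import math
from collections import Counter

# Constructed benign training labels (second-level labels of well-known services and
# common English words). This is an illustrative corpus, not a real allowlist; a
# production model trains on millions of labels.
BENIGN_LABELS = [
    "google", "microsoft", "cloudflare", "amazon", "wikipedia", "github", "youtube",
    "facebook", "twitter", "linkedin", "netflix", "apple", "mozilla", "office",
    "update", "service", "account", "mail", "news", "secure", "login", "static",
    "images", "support", "cdn", "api", "portal", "shop", "store", "blog", "docs",
    "help", "status", "media", "video", "cloud", "search", "download", "content",
    "system",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
VOCAB = len(ALPHABET)  # 37 hostname symbols, used for add-one smoothing

# Illustrative thresholds, chosen by eye against the constructed corpus above;
# a real deployment tunes them on labelled traffic.
ENTROPY_THRESHOLD = 3.3   # bits per character
BIGRAM_THRESHOLD = -4.9   # mean log2 P(b|a); lower = less English-like
LOW_COST_TLDS = {"top", "xyz", "info"}


def second_level_label(hostname):
    """Return (label, tld). Hypothetical helper: it ignores public-suffix rules
    such as co.uk, which a real pipeline must resolve with the Public Suffix List."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def shannon_entropy(label):
    """Character entropy in bits; DGA labels with no repeated letters approach log2(len)."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def train_bigrams(labels):
    """Count a->b transitions and per-letter totals over the benign corpus."""
    pair_counts, first_counts = Counter(), Counter()
    for word in labels:
        for a, b in zip(word, word[1:]):
            pair_counts[(a, b)] += 1
            first_counts[a] += 1
    return pair_counts, first_counts


PAIR_COUNTS, FIRST_COUNTS = train_bigrams(BENIGN_LABELS)


def bigram_score(label):
    """Mean log2 P(b|a) over the label's bigrams with add-one smoothing.
    Unseen transitions get probability 1/(count(a)+VOCAB), so a label made of
    transitions the benign corpus never produced scores uniformly low."""
    pairs = list(zip(label, label[1:]))
    if not pairs:
        return 0.0
    total = 0.0
    for a, b in pairs:
        p = (PAIR_COUNTS[(a, b)] + 1) / (FIRST_COUNTS[a] + VOCAB)
        total += math.log2(p)
    return total / len(pairs)


def is_dga_like(hostname):
    """Flag only when both the entropy and the n-gram feature look random."""
    label, _ = second_level_label(hostname)
    return (shannon_entropy(label) >= ENTROPY_THRESHOLD
            and bigram_score(label) <= BIGRAM_THRESHOLD)


def score_queries(hostnames):
    """Per-hostname feature rows for offline triage of a DNS log."""
    rows = []
    for hostname in hostnames:
        label, tld = second_level_label(hostname)
        rows.append({
            "hostname": hostname,
            "length": len(label),
            "entropy": round(shannon_entropy(label), 3),
            "bigram": round(bigram_score(label), 3),
            "low_cost_tld": tld in LOW_COST_TLDS,
            "dga_like": is_dga_like(hostname),
        })
    return rows


# Constructed sample of queried hostnames as they might appear in a resolver log.
# The .top and .xyz names are made-up DGA-style strings, not real indicators.
SAMPLE_QUERIES = [
    "www.google.com",
    "accounts.microsoft.com",
    "cdn.cloudflare.net",
    "stackoverflow.com",          # long and high-entropy, but English-like bigrams
    "xkqzvbfjtprwlmdn.top",
    "qjxzwvbkfhtgpmrn.xyz",
]

if __name__ == "__main__":
    for row in score_queries(SAMPLE_QUERIES):
        print(row)
```

Running the block prints one feature row per hostname; only the two constructed random labels satisfy both checks, while the long benign label passes the entropy threshold but is rescued by its bigram score. In a real pipeline the corpus would be far larger, the thresholds learned rather than hand-set, and the string features joined with the registration-burst and infrastructure signals the text describes, since a single dictionary-word DGA (Suppobox is the usual example) will defeat character-level features alone.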
DGAs in Whisper
Whisper sees the registration burst, the brief DNS resolution, and the upstream infrastructure all in the same graph. Analysts can ask "show me newly registered domains in the last 48 hours that match this DGA family's entropy profile" and pivot directly to the operator's registrar and nameserver footprint.