Using NetFlow to measure the impact of deploying DNS-based blacklists

Research output: Contribution to book/anthology/report/conference proceedingArticle in proceedingResearchpeer-review


To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.
Original languageEnglish
Title of host publicationLecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering : Security and Privacy in Communication Networks. SecureComm 2021.
EditorsJoaquin Garcia-Alfaro, Shujun Li, Radha Poovendran, Hervé Debar, Moti Yung
Number of pages21
Place of PublicationSpringer, Cham
Publication date3 Nov 2021
ISBN (Print)978-3-030-90018-2
ISBN (Electronic)978-3-030-90019-9
Publication statusPublished - 3 Nov 2021


  • Blacklist
  • DNS
  • ISP
  • Ipfix
  • Netflow
  • RBL
  • Threat intelligence


Dive into the research topics of 'Using NetFlow to measure the impact of deploying DNS-based blacklists'. Together they form a unique fingerprint.

Cite this