# Threat intelligence for real-time DNS defense: Process, feeds & response

## Operational threat intelligence for real-time DNS defense

**DNS threat intelligence + DNS Detection and Response (DDR)**

Plug trusted threat feeds directly into your DNS layer. Watch your DNS Firewall become a living shield—hunting threats, investigating IOCs, and quarantining impacted devices in real time, without you lifting a finger.

![DNS security powered by DDI Central: DNS threat intelligence + DNS Firewall + DHCP quarantine](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/ddi_central_dns_threat_intelligence.jpeg)

## Consolidated threat insights

Stop stitching data together—see your whole threat landscape in a single view.

### Threats snapshot

From numbers to narratives—see how the threats striking your DNS landscape build, spread, and concentrate.

![Threats snapshot dashboard](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/i1.png)

- **Threat volume at a glance:** Track total and daily DNS-layer threats to quantify exposure instantly.
- **Trend lines that speak:** Visualize threat growth over time with interactive charts for pattern recognition.
- **Snapshot of risk distribution:** See the top five threats dominating your landscape for quick triage.
- **Threat source clarity:** Break down where queries are spiking, so admins know where attackers are concentrating their efforts.
- **Single pane of threat insight:** All critical threat metrics surfaced on one screen—no swivel-chair analysis.
- **Actionable context in real time:** Prioritize response based on the most-queried malicious domains, not static assumptions.

### Impacted endpoints

Attackers slip in through DNS, but threat intelligence exposes every compromised host that gave them a foothold—in the blink of an eye.

![Impacted endpoints view](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/i2.png)

- **Compromised devices exposed:** See which internal IPs are generating malicious queries, revealing infected or suspicious hosts immediately.
- **Connect threats to sources:** Link devices directly to the external domains or IPs they queried, making attacker infrastructure visible.
- **Visualize the spread with clarity:** Snapshots and graphs segment top devices and sources, helping admins quickly gauge the infection scope across the network.
- **Visualize trends over time:** Spot recurring offenders or repeated queries, helping admins distinguish isolated hits from persistent compromises.

### Category and DNS footprints

Decode the anatomy of attacks—by category, by record type, by intent.

![Category and record-type breakdown](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/i3.png)

- **Vendor-curated categories, admin-ready context:** Use the categories carried in STIX/TAXII feeds—malware, phishing, or C2—without rework, so admins immediately know what type of threat they are dealing with.
- **Uncover record-level abuse:** See exactly which DNS record types (A, MX, TXT, etc.) are being weaponized, shining a light on attacker tactics hidden in plain traffic.
- **Spot where abuse concentrates:** Identify the categories and record types most targeted, revealing attacker focus areas and informing smarter investigations.
- **Spot shifts in attacker tactics:** Track category and record-type trends over time to identify emerging behaviors and stay ahead of evolving threats.

### Risk stratification

Your confidence compass—guiding you through the noise of countless IOCs.

![Risk stratification view](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/i4.png)

- **See risk concentration at a glance:** Instantly visualize how many threats fall into the critical, high, or medium bands—clear stratification without log-diving.
- **Spot high-risk exposure zones:** Quantify how much of your DNS traffic maps to top-severity threats, giving admins a sense of where their infrastructure is most exposed.
- **Validate feed-driven confidence:** Use vendor-assigned confidence scores to see which threats are most credible, cutting down on manual vetting and guesswork.
- **Track risk distribution over time:** Use stratified counts to see whether high-confidence threats are rising or falling, and gauge the shifting threat climate in your environment.

## Trusted multi-source threat intelligence

From trusted vendors to curated Indicators of Compromise (IOCs)—a continuously vetted, real-time blocklist.

### Multi-vendor feed onboarding

Curate your mix of threat intel—bring every feed under one roof, with no portal shuffle.

![Threat feed onboarding](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/d1.png)

- **Centralized threat feed onboarding:** Configure and manage multiple threat intelligence feeds—such as IBM X-Force, AlienVault, Cyware, and more—from a unified, vendor-agnostic interface.
- **Broader threat visibility:** Onboarding multiple vendors gives you multifaceted intelligence, helping admins spot diverse threat vectors that a single source might miss.
- **Reduced blind spots:** Diversified feeds cross-validate each other: an IOC flagged independently by several vendors is more credible than a single-source hit, and you depend less on any one vendor's perspective.
- **Bring your own intel:** Onboard custom STIX/TAXII sources, including private, industry-specific, or partner-distributed feeds, for tailored and proactive DNS-layer threat prevention.
- **Frictionless feed registration:** Minimal setup effort—choose your provider, enter the endpoint credentials, and go live. No scripting, no third-party collectors, no custom parsers required.
- **Always-on threat awareness:** Toggle-based enablement keeps configured feeds active continuously, delivering real-time updates with no manual intervention.
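What a "bring your own intel" feed actually has to become before a resolver can act on it is a set of DNS firewall triggers. The following Python is an added example, not DDI Central's code, of that transformation for a STIX 2.1 indicator bundle as a TAXII 2.1 collection returns it: extract the domain and IPv4 indicators, drop revoked entries and anything below a confidence threshold (the 90+ filter the hub section below describes), and emit BIND Response Policy Zone (RPZ) records, including the raw-IP trigger form that catches hosts contacted by address rather than by name. The sample bundle, the threshold, the `rpz.ddi.example` zone name, the allowlist guard for your own domains, and the hostname validation that keeps a hostile feed from injecting zone syntax are all assumptions made for this example.

```python
"""
Added example (not DDI Central's code): turn a STIX 2.1 indicator bundle, as a
TAXII 2.1 collection returns it, into BIND Response Policy Zone (RPZ) records.
The bundle, confidence threshold, allowlist and zone name are constructed.
"""
import ipaddress
import json
import re


def _indicator(n, confidence, pattern, labels, revoked=False):
    """Build a minimal STIX 2.1 Indicator SDO (constructed sample data)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "pattern_type": "stix", "pattern": pattern, "confidence": confidence,
            "labels": labels, "revoked": revoked,
            "modified": "2024-05-01T10:00:00.000Z"}


# Constructed sample of what a TAXII "objects" endpoint might hand back.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _indicator(1, 95, "[domain-name:value = 'login-update.example']", ["phishing"]),
        _indicator(2, 97, "[ipv4-addr:value = '203.0.113.45']", ["c2"]),
        _indicator(3, 60, "[domain-name:value = 'cdn-mirror.example']", ["malware"]),
        _indicator(4, 99, "[domain-name:value = 'fastflux-a.example' OR "
                          "domain-name:value = 'fastflux-b.example']", ["malware"]),
        _indicator(5, 98, "[domain-name:value = 'updates.corp.example']", ["malware"]),
        _indicator(6, 99, "[domain-name:value = 'old.example']", ["c2"], revoked=True),
        {"type": "malware", "spec_version": "2.1", "name": "Loader",
         "id": "malware--00000000-0000-4000-8000-000000000007", "is_family": False},
    ],
})

# Only simple equality comparisons are handled; LIKE/MATCHES patterns are ignored.
PATTERN_RE = re.compile(r"(domain-name|ipv4-addr):value\s*=\s*'([^']+)'")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def extract_iocs(bundle_json, min_confidence=90):
    """Return (kind, value, confidence, labels) for live indicators at or above the threshold."""
    iocs = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        confidence = obj.get("confidence", 0)  # absent confidence is treated as 0, not trusted
        if confidence < min_confidence:
            continue
        for kind, value in PATTERN_RE.findall(obj["pattern"]):
            iocs.append((kind, value.strip().lower(), confidence, tuple(obj.get("labels", []))))
    return iocs


def valid_hostname(name):
    """Reject anything that is not a plain hostname, so a hostile feed cannot inject zone syntax."""
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def rpz_records(iocs, allowlist=()):
    """Map IOCs to RPZ trigger records (owner, type, target); allowlisted domains are skipped."""
    records = set()
    for kind, value, _confidence, _labels in iocs:
        if kind == "domain-name":
            protected = value in allowlist or any(value.endswith("." + a) for a in allowlist)
            if protected or not valid_hostname(value):
                continue
            records.add((value, "CNAME", "."))          # NXDOMAIN the domain itself ...
            records.add(("*." + value, "CNAME", "."))   # ... and every subdomain
        elif kind == "ipv4-addr":
            try:
                net = ipaddress.IPv4Network(value, strict=False)
            except ValueError:
                continue
            # rpz-ip trigger: <prefixlen>.<octets reversed>.rpz-ip; matches answer addresses
            reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
            records.add((f"{net.prefixlen}.{reversed_octets}.rpz-ip", "CNAME", "."))
    return sorted(records)


def render_zone(records, zone="rpz.ddi.example", serial=1):
    """Render a complete RPZ zone file for BIND's response-policy option."""
    lines = ["$TTL 300",
             f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 600 86400 300",
             "@ IN NS localhost."]
    lines += [f"{owner} IN {rtype} {target}" for owner, rtype, target in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_BUNDLE, min_confidence=90)
    print(render_zone(rpz_records(iocs, allowlist=("corp.example",))))
```

The rendered zone is loaded on a BIND resolver with `response-policy { zone "rpz.ddi.example"; };`. Two points worth keeping in mind when wiring a real feed this way: the `rpz-ip` trigger fires on addresses in the *answer*, so it blocks a known C2 address even when the client asked for a name the feed has never seen, and the allowlist matters because a confident vendor score is not proof that `updates.corp.example` is hostile; a single bad entry in a 98-confidence feed can take down your own infrastructure if nothing stands between the feed and the zone.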
### Secure feed synchronization

Plug, poll, protect: connect once, defend continuously with credentialed threat syncs.

![Feed synchronization settings](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/d2.png)

- **Deep integration with CloudDNS's threat intelligence engine:** Leverage ManageEngine CloudDNS's DNS threat intel engine, built for DDI Central, to deliver real-time IOCs directly into DNS enforcement workflows.
- **Secure credentialed access:** Authenticate with OAuth 2.0 client credentials (client ID and secret) and retrieve feed data with the resulting access tokens, so credentials can be rotated, sessions stay isolated, and data retrieval follows each vendor's access rules.
- **Fine-grained feed control:** Adjust polling frequency with precision to control the cadence of threat syncs—hourly, daily, or custom—to match how fresh your DNS resolution policy needs to be.
- **Immediate threat feed activation:** Activate or pause a feed instantly without losing its configuration, giving you operational agility during maintenance windows or incident response.

### Unified feed management

Consolidate, customize, and control your threat intelligence pipeline.

![Feed management dashboard](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/d3.png)

- **All feeds, one command center:** Get a unified, real-time view of all threat intelligence sources—status, sync schedule, and vendor mapping—within a single dashboard.
- **Live feed status at a glance:** Instantly verify which feeds are active, when they last synced, and when they will update next—no log diving or guesswork.
- **Multi-vendor visibility, side by side:** Compare output from AlienVault, IBM X-Force, Kaspersky, or custom TAXII feeds in one place, helping validate coverage and catch gaps early.
- **Precision scheduling for consistent protection:** Schedule hourly or daily syncs per feed, keeping your DNS defenses in step with the latest threat intelligence.
- **Sync on demand, stay current:** Trigger an immediate feed sync when the last update is stale, so threat data stays fresh even outside scheduled intervals.
- **Hands-on control over feed servers:** Edit credentials, adjust polling intervals, or retire outdated or unneeded feed sources, giving admins policy-aligned control over every threat source without leaving the UI.

### Threat intelligence hub

See threats before they strike. The Feed Hub is your watchtower, where every IOC flagged across vendors converges, clustered, classified, and confidence-rated for automated, intuitive blocking.

![Threat intelligence hub](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/d4.png)

- **One hub for every IOC:** A single pane of glass for every domain and IP flagged across all your integrated threat intelligence feeds—no vendor hopping, no data silos.
- **Close the evasion gap:** Block threats whether they use a domain or a raw IP, stopping C2 servers, malware-hosting IPs, and other malicious infrastructure that bypasses hostname-only filters.
- **Rapid triage, zero delay:** Drill down by source type, vendor feed, category, or confidence score to isolate the handful of critical IOCs that matter most. Filter by confidence (90+, 95+) or by category to focus only on threats demanding immediate enforcement, without sifting through multiple vendor consoles.
- **Confidence that guides action:** Use vendor-assigned confidence scores to prioritize investigations, so admins spend time only on high-fidelity threats.
- **Workflow-ready for SOC teams:** Supports daily operational use cases: review high-confidence malware entries, export top reports for SOC collaboration, and validate vendor detection side by side—all from one console.
- **Time-stamped threat freshness:** Every IOC entry shows its last update timestamp, giving admins assurance that enforcement is based on the latest vetted intel.
- **Hyperlinked deep dives:** Click any flagged domain or IP to open its detailed report instantly, accelerating incident investigation and root-cause analysis.
- **Real-time enforcement, always on:** Every flagged domain or IP is automatically pushed into DNS server policies. The moment it appears in the Feed Hub, your resolvers are already denying access—no manual intervention required.

## IOC spotlight: Threats under the microscope

Confidence, history, and hits—your full threat dossier in one view.

### IOC under the lens

Put a single IOC under the microscope and watch its risk unfold.

![IOC detail view](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/e1.png)

- **Size up the threat in seconds:** Use category, hit count, feed source, and last update to instantly gauge whether the IOC demands immediate action or routine monitoring.
- **Track malicious shifts over time:** Follow the confidence score history to see when a once-benign domain turned hostile—critical for retrospective investigations and timeline reconstruction.
- **Validate the source of truth:** Know exactly which vendor feed flagged the IOC and when, helping admins build confidence in DDR enforcement policies.
- **Prioritize using fresh intelligence:** Rely on continuously updated scores and timestamps so response actions are based on current, vendor-vetted data, not stale lists.
- **Correlate traffic spikes with risk levels:** Match sudden query surges against rising confidence scores to detect active exploitation attempts in your environment.
- **Export proof, share with ease:** Generate PDF or CSV reports to justify enforcement actions during audits, compliance checks, or SOC escalations.

### Scope of compromise

Trace how deep the breach runs—from the flagged domain to the last querying device.

![Scope of compromise view](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/e2.png)

- **Trace the blast radius:** See exactly which internal hosts are contacting the flagged IOC, mapping the spread of compromise across your environment.
- **Prioritize host-level response:** Rank affected endpoints by query volume, so admins know which systems to isolate, patch, or remediate first.
- **Link subdomains to a campaign:** Drill down into related subdomains under the same IOC to uncover broader malicious infrastructure tied to the attack.
- **Accelerate forensic investigations:** Turn IOC hits into actionable evidence, connecting external domains to internal devices for automated containment and forensic clarity.

### See which records attackers abuse

Break down threats by DNS record type (A, TXT, MX, etc.) to expose attacker tactics.

![Record-type breakdown](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/e3.png)

- **Pinpoint abused DNS records:** Spot which record types (A, TXT, MX, etc.) attackers are exploiting, so admins can tighten policies exactly where abuse is happening.
- **Prioritize remediation by record impact:** Focus security and access controls on the record types with the highest hit volume, directing resources to the biggest risks first.
- **Correlate records with attack campaigns:** Link record-level activity to broader threat patterns, helping admins recognize whether attacks are phishing-based, malware-driven, or C2-related.
- **Refine DNS security policies:** Use record-level insights to decide where stricter resolution rules, response rate limiting, or custom enforcement should be applied.

## DNS Detection and Response (DDR)

Flag. Isolate. Defend. On autopilot.

### DNS-based quarantine

DNS doors slam shut for compromised devices.

![DNS-based quarantine dashboard](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/images/ddr-dns.png)

- **Block at first sight:** DDI Central uses DNS ACLs on Linux clusters and client-subnet-based isolation on Windows DNS Server to immediately cut off compromised devices from making further DNS queries, stopping the spread of malware at the earliest stage.
- **Containment without delay:** Admins do not have to isolate infected endpoints by hand; DDI Central's automated DDR engine enforces quarantine rules the moment threat-domain lookups are observed, slashing response times.
- **Know what was blocked, when, how, and why:** The Quarantine dashboard offers detailed attribution, including service (DNS), quarantine type (ACL or client subnet), cluster, and timestamp, for informed decisions and audit-friendly records.
- **Powerful filters for rapid triage and cleanup:** Drill down by cluster, IP, or quarantine method to review and release entries as needed, all from a unified console. Streamline investigations and restore legitimate devices quickly.

### DHCP-based quarantine

From MAC address to MAC arrest—containment that sticks.

![DHCP-based quarantine dashboard](https://cdn.manageengine.com/sites/meweb/images/dns-dhcp-ipam/dhcp_based.png)

- **MAC flagged. Network locked.** Uses MAC filtering on Windows clusters to block infected endpoints from receiving new IP leases, so rogue devices cannot sneak back onto the network through DHCP requests.
- **One scope to isolate them all.** On Linux clusters, compromised MACs are funneled into a restricted DHCP reservation pool, so they can only obtain addresses inside a subnet built for quarantine, which limits lateral movement.
- **No lease. No lurking. No leakage.** Prevents misbehaving devices from reacquiring IPs, whether by dynamic lease or manual reconnect, cutting off their ability to communicate across the network.
- **Catch, contain, and cut off, automatically.** DDR triggers this quarantine instantly upon threat detection, without admin intervention, enabling real-time containment of infected endpoints through DHCP.

## DNS threat intelligence in action

### Zero-day DNS threat protection

Actively detects and blocks newly registered domains (NRDs), short-lived domains, and fast-flux domains commonly leveraged in zero-day campaigns, for protection against emerging and rapidly evolving threats.

### Preemptive blocking of risky domains

Proactively identifies and blocks domains with suspicious behavior profiles before they are weaponized in cyberattacks.

### C2 disruption (command-and-control mitigation)

Detects and obstructs malicious Traffic Distribution Systems (TDS) by identifying the whole infrastructure behind the rotating domains that sophisticated threat actors use for sustained, evasive campaigns.

### Secure DNS query inspection

Continuously monitors queries across all DNS record types for suspicious patterns, lateral movement, or malicious behavior.

### DNS tunneling detection and prevention

Identifies DNS tunneling techniques used for unauthorized data exfiltration or remote command execution by detecting abnormal traffic patterns, such as unusually high query rates, repetitive query formats, or atypical DNS record types.

### Contextual threat intelligence and response

Enriches every threat event with real-time device metadata (IP, MAC, hostname, VLAN) and network context, while leveraging DNS traffic patterns, reputation feeds (STIX/TAXII, RPZ), and IP/domain correlations. This deep context enables surgical quarantine through DNS Detection and Response (DDR), which automatically enforces policies that block further DNS queries and deny DHCP leases, so suspicious endpoints are persistently contained and prevented from regaining network access.
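The tunneling signals listed above (query volume, repetitive random-looking names, atypical record types) and the feed-hit trigger behind DNS-based quarantine both reduce to the same operation: read the resolver's query log, decide per client, and turn the decision into a DNS ACL. The following Python is an added example, not DDI Central's code, that runs that pipeline over constructed BIND 9 query-log lines: it matches queries (and their parent domains) against a feed blocklist with a confidence threshold, applies a tunnelling heuristic per client and registered domain, and renders the quarantined clients as a BIND `acl` block. The log lines, the blocklist, the thresholds, the `ddr-quarantine` ACL name, and the "last two labels" approximation of a registered domain are all assumptions for this example.

```python
"""
Added example (not DDI Central's code): score BIND-style query-log lines against
a feed blocklist and a DNS-tunnelling heuristic, then render the clients to
quarantine as a BIND ACL. Log lines, blocklist and thresholds are constructed.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

# BIND 9 "queries" category: client [@ptr] ip#port (qname): query: qname IN qtype flags (server)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)")

def _line(ip, qname, qtype):
    """Constructed log line; timestamp, pointer, port and flags are illustrative."""
    return (f"01-May-2024 10:00:00.000 client @0x7f3a1c0 {ip}#51234 ({qname}): "
            f"query: {qname} IN {qtype} +E(0)K (10.0.0.2)")

def _chunk(i):
    """Stand-in for a tunnelled payload chunk: 40 hex characters, high entropy."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]

SAMPLE_LOG = (
    [_line("10.0.0.10", "www.example.org", "A"),
     _line("10.0.0.10", "mail.example.org", "MX"),
     _line("10.0.0.10", "example.org", "TXT"),              # SPF lookup: TXT but benign
     _line("10.0.0.21", "login-update.example", "A"),       # feed hit, confidence 95
     _line("10.0.0.44", "cdn-mirror.example", "A")]         # feed hit, but only confidence 60
    + [_line("10.0.0.44", f"cdn{i}.static.example", "A") for i in range(10)]          # busy, benign
    + [_line("10.0.0.33", f"{_chunk(i)}.t.exfil.example", "TXT") for i in range(10)]  # tunnel
)
BLOCKLIST = {"login-update.example": 95, "cdn-mirror.example": 60}  # domain -> vendor confidence

def parse(lines):
    """Yield (client_ip, qname, qtype) for every line that looks like a query-log entry."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]

def apex(qname):
    """Assumption: registered domain = last two labels (real use needs a public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def feed_hits(events, blocklist, min_confidence=90):
    """First blocklisted domain (the qname or any parent of it) per client, above the threshold."""
    hits = {}
    for ip, qname, _ in events:
        parts = qname.split(".")
        for i in range(len(parts) - 1):
            candidate = ".".join(parts[i:])
            confidence = blocklist.get(candidate)
            if confidence is not None and confidence >= min_confidence:
                hits.setdefault(ip, (candidate, confidence))
    return hits

def tunnel_suspects(events, min_unique=8, min_len=20, min_entropy=3.0, min_txt_frac=0.5):
    """Per (client, apex): many distinct names that are long and random-looking, or mostly TXT/NULL.
    Entropy alone is not enough: a short label with no repeated letters also scores high, so the
    length gate is what keeps ordinary hostnames out."""
    per = defaultdict(list)
    for ip, qname, qtype in events:
        per[(ip, apex(qname))].append((qname, qtype))
    suspects = {}
    for (ip, dom), qs in per.items():
        uniq = {q for q, _ in qs}
        if len(uniq) < min_unique:
            continue
        first = [q.split(".")[0] for q in uniq]
        mean_len = sum(map(len, first)) / len(first)
        mean_ent = sum(map(entropy, first)) / len(first)
        txt_frac = sum(t in ("TXT", "NULL") for _, t in qs) / len(qs)
        if (mean_len >= min_len and mean_ent >= min_entropy) or txt_frac >= min_txt_frac:
            suspects[ip] = (dom, len(uniq), round(mean_ent, 2), round(txt_frac, 2))
    return suspects

def quarantine_decisions(lines, blocklist=BLOCKLIST):
    """Map client IP -> reason string for every client that should lose DNS service."""
    events = list(parse(lines))
    reasons = {ip: f"feed:{dom}({c})" for ip, (dom, c) in feed_hits(events, blocklist).items()}
    for ip, (dom, n, ent, txt) in tunnel_suspects(events).items():
        reasons.setdefault(ip, f"tunnel:{dom} uniq={n} entropy={ent} txt={txt}")
    return reasons

def render_acl(reasons, name="ddr-quarantine"):
    """BIND ACL to reference as allow-query { !"ddr-quarantine"; localnets; }; on the resolver."""
    body = "".join(f"    {ip};  // {why}\n" for ip, why in sorted(reasons.items()))
    return f'acl "{name}" {{\n{body}}};\n'

if __name__ == "__main__":
    print(render_acl(quarantine_decisions(SAMPLE_LOG)))
```

On the sample, `10.0.0.21` is quarantined for the 95-confidence feed hit, `10.0.0.33` for the tunnel (ten distinct 40-character hex labels under one apex, all TXT), while `10.0.0.44`, which is just as chatty but queries short `cdnN` labels and only a 60-confidence domain, is left alone. The same decision set is what a DHCP-side quarantine would consume after mapping each IP to its lease's MAC address; the example stops at the DNS ACL because that is the part a resolver enforces directly.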
### DNS security analytics and logging

Captures, logs, and analyzes DNS query patterns across the organization to establish a forensic trail and support threat hunting, compliance, and post-incident analysis.

## Why DDI Central DNS threat intelligence

### Block evolving threats at the source

Stop zero-day and known-bad domains with live, curated threat feeds.

### Shrink attacker dwell time

Quarantine compromised clients by denying DNS queries and IP leases in real time.

### Context that powers action

Every event is enriched with IP, MAC, hostname, VLAN, and device metadata for surgical response.

### Faster SOC and incident response

High-context IOCs built for precise DNS firewalling and SOAR playbooks.

### Plug-and-play feeds

Leverage vendor-vetted feeds and STIX/TAXII integrations, updated in real time with confidence scores.

### Policy enforcement at network scale

Automation turns threat intelligence into live DNS firewall rules and DHCP policies instantly.