DDI Central DNS Threat Intelligence: Overview
Powered by ManageEngine CloudDNS
DDI Central leverages ManageEngine CloudDNS's threat feeds to dynamically update and enforce DNS-level threat defenses across any network environment. This integration provides real-time protection and adaptive response to emerging threats by feeding curated threat intelligence directly into DDI Central’s DNS infrastructure.
Pre-requisites
Dynamic Threat Intelligence in DDI Central is available exclusively through the ManageEngine CloudDNS service.
To access this capability, admins must have a Zoho account.
- Admins with an existing Zoho US Data Center account can simply sign in to be instantly redirected to the dedicated integration URL: "https://dnsthreatfeed.manageengine.com/#/threat_creds".displaying the credentials required for accessing threat intelligence module.
- While the users' existing Zoho accounts may be associated with other data centers (DCs), users are required to register specifically for the CloudDNS service under the US data center, using only their First Name, Last Name, and Email ID.
- These details are securely encrypted and stored in the US data center.
- This data handling process is designed to be compliant with GDPR and ensures that personal information is collected, processed, and stored responsibly and transparently.
How DDI Central's Dynamic Threat Intelligence module works
Architecture Overview
How Threat Feeds Flow
- Threat Feed Aggregators
The process starts with Threat Intel vendors who aggregate, process, vet, and correlate different category domains, IPv4, IPv6, malware sites, and other threat vectors from both internal and external intelligence sources.
- Feed Synchronization (CloudDNS Application)
Here CloudDNS serves as the default threat data distribution hub. Like other vendors, it provides curated, real-time vetted threat feeds.
- Secure Delivery to Customer Premises and Policy Enforcement
- The DDI Central Management UI Console, deployed on-premises through an authorized HTTPS URL, pulls real-time threat feeds from the CloudDNS application and from other vendors if multiple feed servers are added into the DDI Central console.
- In the DDI Central Console, threat data is formatted in a standard DNS format and enforced as strict DNS policies, automatically propagated across all onboarded DNS servers within the admin’s on-premises network.
How Threat feeds flow
- Threat feed aggregators
- The process starts with Threat Intel vendors who aggregate, process, vet, and correlate different category domains, IPv4, IPv6, malware sites, and other threat vectors from both internal and external intelligence sources.
- Feed Synchronization (CloudDNS Application)
- Here CloudDNS serves as the default threat data distribution hub. Like other vendors, it provides curated, real-time vetted threat feeds.
- Secure delivery to Customer Premises and policy enforcement
- The DDI Central Management UI Console, deployed on-premises through an authorized https URL, pulls real-time threat feeds from the CloudDNS application and from other vendors if multiple feed servers are added into the DDI Central console.
- In the DDI Central Console, threat data is formatted in a standard DNS format and enforced as strict DNS policies and automatically propagated across all onboarded DNS servers within the admin’s on-premises network.
Threat intelligence scoring and classification in DDI Central
With the real-time threat feed sourced from ManageEngine CloudDNS and other vendors—DDI Central automatically classifies and enforces policies over these domains based on a Confidence Score.
Each threat entry is scored based on the vendors' advanced analytics and telemetry correlation. The Confidence Score reflects the level of certainty that a given domain is malicious.
Threat Confidence Score Classification
| Confidence Score | Threat Severity | Action in DDI Central App Console |
|---|---|---|
| 90 and above | Critical | Automatically added to active blocklist |
| 75 — 89 | High | Automatically added to active blocklist |
| 50 — 74 | Medium | Automatically added to active blocklist |
| Below 50 | Safe Domain | Not added to blocklist |
Policy enforcement
Domains with a confidence score of 50 or above are automatically pushed to DDI Central’s DNS Firewall blocklist, enabling proactive defense against malicious traffic.
This scoring mechanism ensures your infrastructure is protected against high-risk domains—without manual intervention—while maintaining visibility via the Threat Feeds dashboard.
Supported Threat Intel Vendors
When the Threat Intelligence module is enabled in DDI Central, it integrates default feeds from ManageEngine CloudDNS and supports ingestion of curated threat data from leading vendors or custom sources.
Administrators can configure external threat feeds from the following vendors or any standards-compliant STIX/TAXII server:
- AlienVault OTX
- Cyware Threat Intelligence
- IBM X-Force
- Kaspersky Threat Intelligence
- PulseDive Threat Intelligence
- Sectrio Threat Intelligence
STIX (Structured Threat Information Expression) is a standardized format for representing cyber threat intelligence, including indicators, TTPs, threat actors, and campaigns.
TAXII (Trusted Automated eXchange of Indicator Information) is a protocol that allows secure, automated exchange of STIX-formatted data between servers and consumers, enabling real-time threat sharing.
By supporting any custom STIX/TAXII server, DDI Central enables organizations to consume any real-time, machine-readable threat intelligence directly into their DNS stack for proactive domain resolution control and rapid enforcement.
What threats does DDI Central defend against?
DDI Central’s DNS Threat Intelligence module is purpose-built to detect and block a wide range of DNS-based threats in real time—before they impact your network.
| Capability | What DDI Central Delivers |
|---|---|
| Preemptive blocking of risky domains | Proactively identifies and blocks domains with suspicious behavior profiles before they're weaponized in cyberattacks. |
| Real-Time Detection of Emerging DNS Threats | Actively detects newly registered Zero-day domains or fast-spreading domains that haven’t yet been cataloged in traditional threat databases, ensuring protection against evolving and emerging threats. |
| Centralized DNS Logging with Secure Query Inspection | Captures, logs, and analyzes DNS query patterns across the organization to establish a forensic trail and support threat hunting, compliance, and post-incident analysis. |
| Comprehensive DNS Activity Analysis | Continuously monitors all DNS record types for anomalies, lateral movement, or malicious behavior. |
| Detection of Covert DNS Channels | Identifies DNS tunneling techniques used for unauthorized data exfiltration or remote command execution by detecting abnormal traffic patterns—such as unusually high query rates, repetitive query formats, or atypical DNS record types. |
| Contextual Threat Intelligence Without Agents | Enriches each threat event with real-time device metadata—such as IP, MAC, user, and VLAN(additional network context)—without relying on agents or sinkholing. |
| Disruption of threat actor infrastructure | Detects and neutralizes Threat Distribution Systems (TDS) by identifying the rotating domain infrastructure often used by sophisticated threat actors for sustained, evasive campaigns. |
These capabilities ensure DNS-level enforcement without relying on endpoint agents or network sinkholes, offering proactive protection across your network.
Security and operational benefits
- Real-Time defense: Threat feeds are updated dynamically, minimizing dwell time for malicious domains.
- Centralized control: Admins have visibility and management capability over active blocklists from a single console.
- Zero manual effort: No need to manually curate threat lists; the system handles syncing and enforcement.
- Scalable Security: Supports large-scale deployments with multiple DNS servers, each enforced with real-time threat intelligence based security policies.
Future-Ready security posture
This integration ensures your DNS-layer security is not just reactive but predictive and proactive, driven by high-confidence intelligence curated within the DDI Central application.
By design, this enables security teams to analyze the effectiveness of threat feed enforcement and correlate blocked DNS attempts with broader incident response pipelines. Thereby, DDI Central's Dynamic Threat Intelligence ensures DNS security evolves at the pace of emerging cyber threats.