The DNS Security Center provides a clear and easy way to monitor potentially harmful or unusual DNS activity across your network. It highlights categories of behavior that may indicate security risks, malware activity, or misconfigurations. This page explains each alert category in detail so you can understand what it means and when to take action.
The Security Center updates automatically as your network generates DNS traffic, providing real‑time visibility into patterns, threats, and potential issues before they affect your users or business.
What It Means When You See No Alerts
When the Security Center shows no alerts, it indicates that your network’s DNS activity is operating normally according to current threat intelligence and behavioral baselines. Seeing no alerts does not mean that nothing is happening; it only means that nothing appears suspicious, risky, or outside expected patterns.
A clean dashboard is common during normal operation. The system continuously monitors traffic in real time and automatically alerts if any unusual or potentially harmful activity is detected.
Malware Domains
This alert appears when a device on your network attempts to connect to a domain known to distribute harmful software, such as viruses, ransomware, spyware, or trojans. These domains are identified through threat intelligence feeds and global malware reporting sources.
Malware domains typically host executable downloads, malicious scripts, or payload delivery systems. Even a single attempt to reach one of these domains can indicate early signs of compromise, such as a malicious email link being clicked or background software attempting to install without user consent.
If you see repeated attempts from the same device, it may signal an active infection that needs immediate investigation.
Phishing And Fake Login Pages
Phishing alerts are triggered when a device requests a domain that impersonates a trusted brand or service. These websites often mimic login pages from companies like banks, email providers, cloud services, or social platforms.
Phishing sites attempt to trick users into entering their credentials or personal information. The DNS Security Center detects these domains using industry‑standard phishing feeds and known attacker patterns, such as lookalike spellings or suspicious hosting sources.
These alerts help you identify potential credential theft attempts, whether caused by a deceptive email or a mistyped URL.
Botnet And Command‑And‑Control Activity
A botnet or command‑and‑control (C2) alert occurs when a device attempts to communicate with infrastructure used by attackers to control infected systems. These servers issue instructions to compromised devices, such as extracting data, downloading additional components, or participating in coordinated attacks.
These alerts are particularly important because they often indicate an active infection rather than a simple browsing attempt. Devices generating this type of traffic should be reviewed quickly for malware or unauthorized programs.
The traffic may also be automated, occurring at regular intervals even when the user is not actively using the device.
Newly Registered Domains
Cybercriminals frequently use newly created domains because they appear clean to most security tools. These domains are often used for phishing attacks, fraudulent pages, or malware distribution.
When your network contacts a domain that was registered recently, the Security Center flags it as a higher‑risk destination. This does not necessarily mean the domain is malicious, but it does indicate the need for caution, as malicious actors often use newly registered domains to evade detection and reputation checks.
Combining this alert with other indicators, such as phishing or malware, can reveal stronger signs of malicious activity.
Random‑Looking (DGA) Domains
Some malware families use domain generation algorithms (DGAs) to create large numbers of random or meaningless domain names. This helps attackers evade security tools by constantly rotating the domains their malware contacts.
DGA domains often appear as long, random strings of letters and numbers. A device sending requests to many such domains may be infected with malware that is attempting to locate or reestablish contact with a control server.
These alerts help you detect infections early, even if the specific domain used for malicious activity has not yet been identified by global threat lists.
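The following is an added illustration, not part of the Security Center's own detection logic: a simple DGA heuristic that scores each registrable label on entropy, vowel ratio and digit density, then flags clients that looked up several high-scoring names. The log format, weights and thresholds are assumptions chosen for the example, and the query lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query log lines: "<timestamp> <client_ip> <qname>".
SAMPLE_QUERIES = """\
2024-05-01T09:00:01 10.0.0.12 www.example.com
2024-05-01T09:00:02 10.0.0.12 mail.example.com
2024-05-01T09:00:05 10.0.0.40 xk3jq9vz2lm7pqwt.net
2024-05-01T09:00:06 10.0.0.40 q8zr1bvn4mx0tkyh.com
2024-05-01T09:00:07 10.0.0.40 m2vp7gkz9xlqw3ns.org
2024-05-01T09:00:09 10.0.0.40 j5tq0wnx8bzk2lvy.info
2024-05-01T09:00:11 10.0.0.12 cdn.example.org
""".splitlines()

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; 16 distinct characters give the maximum of 4.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(qname: str) -> str:
    """Second-level label ("example" in "www.example.com").
    Simplification: assumes a one-label public suffix (no co.uk handling)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(label: str) -> float:
    """Heuristic in [0, 1]: long, high-entropy, vowel-poor, digit-heavy labels score high.
    Weights and normalisers are illustrative choices, not a published model."""
    if len(label) < 6:            # short labels are too ambiguous to score
        return 0.0
    entropy_term = min(shannon_entropy(label) / 4.0, 1.0)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    vowel_term = 1.0 - min(vowel_ratio / 0.35, 1.0)   # ~35% vowels is typical English
    digit_term = min(sum(ch.isdigit() for ch in label) / len(label) / 0.3, 1.0)
    return round(0.5 * entropy_term + 0.3 * vowel_term + 0.2 * digit_term, 3)

def flag_devices(lines, threshold=0.6, min_hits=3):
    """Return {client_ip: [suspicious labels]} for clients with at least min_hits
    lookups above threshold; many hits, not one odd name, suggests DGA malware."""
    hits = defaultdict(list)
    for line in lines:
        _ts, client, qname = line.split()
        label = registrable_label(qname)
        if dga_score(label) >= threshold:
            hits[client].append(label)
    return {client: labels for client, labels in hits.items() if len(labels) >= min_hits}
```

Running flag_devices(SAMPLE_QUERIES) reports only 10.0.0.40, which queried four random-looking labels, while the example.com lookups from 10.0.0.12 score well below the threshold.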
Fast‑Flux Domains
Fast‑flux networks use rapidly rotating IP addresses to host malicious websites. Attackers rely on this method to evade takedown attempts and hide the true location of their infrastructure.
When a device attempts to access a fast‑flux domain, it suggests that the traffic is likely routed through a botnet or other hostile environment. These domains often host phishing pages, malware installers, or malicious redirect services.
The DNS Security Center identifies these patterns based on how frequently the domain changes its associated IP addresses over short periods of time.
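As an added example (not the Security Center's implementation), this shows one way to detect the pattern just described: for each domain, find the largest set of distinct answer addresses seen within a one-hour window, count how many /24 networks they span, and require short TTLs. The resolver records are constructed with documentation addresses and invented domains; the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed resolver answer log: (time, domain, answer IP, TTL seconds).
# Addresses are from documentation ranges; the domains are invented for the example.
SAMPLE_ANSWERS = [
    ("2024-05-01T10:00:00", "shop.example.com", "203.0.113.10", 3600),
    ("2024-05-01T10:20:00", "shop.example.com", "203.0.113.11", 3600),
    ("2024-05-01T10:40:00", "shop.example.com", "203.0.113.10", 3600),
    ("2024-05-01T10:00:00", "login-verify.example.net", "198.51.100.7", 120),
    ("2024-05-01T10:05:00", "login-verify.example.net", "192.0.2.44", 120),
    ("2024-05-01T10:10:00", "login-verify.example.net", "203.0.113.99", 120),
    ("2024-05-01T10:15:00", "login-verify.example.net", "198.51.100.201", 120),
    ("2024-05-01T10:20:00", "login-verify.example.net", "192.0.2.130", 120),
    ("2024-05-01T10:25:00", "login-verify.example.net", "203.0.113.8", 120),
]

def fast_flux_candidates(records, window=timedelta(hours=1),
                         min_ips=5, min_networks=3, max_ttl=300):
    """Return {domain: summary} for domains whose answers rotated through at least
    min_ips distinct addresses spread over min_networks /24s inside one window,
    with every TTL at or below max_ttl. Thresholds are illustrative."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((datetime.fromisoformat(ts), ip, ttl))

    flagged = {}
    for domain, answers in by_domain.items():
        answers.sort()
        best_ips, best_nets = set(), set()
        for i, (start, _, _) in enumerate(answers):
            # All answers observed within `window` of this starting answer.
            ips = {ip for t, ip, _ in answers[i:] if t - start <= window}
            nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
            if len(ips) > len(best_ips):
                best_ips, best_nets = ips, nets
        max_ttl_seen = max(ttl for _, _, ttl in answers)
        if len(best_ips) >= min_ips and len(best_nets) >= min_networks and max_ttl_seen <= max_ttl:
            flagged[domain] = {"distinct_ips": len(best_ips),
                               "networks": len(best_nets), "max_ttl": max_ttl_seen}
    return flagged
```

With these records, shop.example.com (two addresses, one network, long TTL) is ignored while login-verify.example.net is flagged for six addresses across three /24s in 25 minutes.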
Traffic Pattern Alerts
Traffic pattern alerts highlight changes in how your network devices typically behave. These alerts compare current DNS activity with historical trends over the past 15 days in your environment.
Examples of unusual traffic patterns include:
• New categories of websites not normally accessed
• Sudden interest in risky or unknown domains
• Unusual times of access
• Activity inconsistent with a device’s usual behavior
These alerts do not always indicate malicious activity. Sometimes they point to newly installed software, changes in user behavior, or normal business shifts. However, when combined with other alerts, they can be an important early signal of compromise or misconfiguration.
Volume Alerts
Volume alerts appear when the number of DNS requests from a device or location increases dramatically compared to normal behavior.
High DNS volume can be caused by:
• Malware scanning or reconnaissance
• Background processes stuck in a loop
• Browser extensions generating excessive requests
• Software updates behaving unexpectedly
While some volume spikes are harmless, repeated or sustained abnormal traffic should be investigated to ensure the device is functioning correctly and is not compromised.
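The following added example (not the Security Center's code) shows how a per-device volume alert can be derived from a baseline: today's query count is compared with the median of the previous days using a robust z-score, and a minimum ratio prevents alerts on small absolute changes. The 15-day baseline, the daily counts and the thresholds are constructed assumptions.

```python
import statistics

# Constructed per-device daily DNS query counts over a 15-day baseline, plus today's count.
BASELINE = {
    "10.0.0.12": [1180, 1240, 1195, 1310, 1275, 980, 1020, 1260,
                  1222, 1198, 1305, 1288, 1150, 1012, 1240],
    "10.0.0.40": [410, 395, 430, 402, 388, 415, 425, 398,
                  440, 407, 412, 390, 433, 401, 419],
}
TODAY = {"10.0.0.12": 1350, "10.0.0.40": 9600}

def robust_zscore(history, value):
    """Distance of `value` from the baseline in MAD units. Median and MAD are used
    instead of mean and standard deviation so that one earlier spike in the
    history does not inflate the baseline and hide the next one."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else 1.0   # 1.4826 makes MAD comparable to sigma; guard zero MAD
    return (value - med) / scale

def volume_alerts(baseline, today, z_threshold=3.5, min_ratio=2.0):
    """Return {device: details} for devices whose count today is both statistically
    far from baseline (z-score) and large in relative terms (ratio to median), so a
    quiet device with a tiny, noise-free baseline does not alert on a few extra queries."""
    alerts = {}
    for device, count in today.items():
        history = baseline.get(device)
        if not history:
            continue   # no baseline yet: nothing to compare against
        med = statistics.median(history)
        z = robust_zscore(history, count)
        ratio = count / med if med else float("inf")
        if z >= z_threshold and ratio >= min_ratio:
            alerts[device] = {"today": count, "median": med,
                              "zscore": round(z, 1), "ratio": round(ratio, 1)}
    return alerts
```

Here 10.0.0.12 rises from a median of 1222 to 1350 and stays quiet, while 10.0.0.40 jumps from a median of 410 to 9600 (over 20x) and alerts; the same data with a single historical spike would still produce a sensible baseline because the median ignores it.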
Location Alerts
Location alerts occur when DNS requests begin to concentrate in geographic regions your organization does not usually interact with.
Unexpected regional patterns may occur when:
• Malware contacts servers in specific countries
• Users are redirected to unfamiliar regions
• Suspicious websites are being accessed
• Compromised devices attempt to exfiltrate data
Location anomalies do not always indicate malicious intent, but they help highlight unusual behavior that merits further review.
What To Do When You See An Alert
When the Security Center generates an alert, consider the following steps:
• Review which device or user triggered the alert
• Verify whether the destination was intentional
• Check the device for unusual programs, browser extensions, or recent downloads
• Follow your internal security procedures if malware is suspected
• Contact support for assistance if you need further guidance
Consistently reviewing alerts helps maintain a secure network and protects against emerging threats.