D3-HDL

Isolate
Homoglyph Denylisting

Definition

Blocking DNS queries that are deceptively similar to legitimate domain names.

How it works

Homoglyph domain blacklisting considers the domain and subdomain structure of a lookup and compares the named components to blacklisted named components. The blacklisted named components are typically crafted modifications of known good domains, e.g., gooogle.com versus google.com. The blacklisted domains typically resemble trusted domains, but have been altered slightly to deceive users.

The blacklisted named components also include consideration for fonts or Unicode characters that can make certain characters appear very similar (zero vs capital O and the letter l vs the number one). The blacklisted domains under certain fonts will appear to be a trusted domain.

Considerations

Maintaining the currency of the list can be a challenge especially with newly registered domain entries.

Blacklists should have identified maintenance cycles to ensure lists are not stale.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

blocks
Homoglyph Denylisting
DNS Network Traffic

References

Reference - Detection of Malicious IDNHomoglyph Domains