DNS Belgium, the organisation responsible for managing the .BE domain name space, recently published an article explaining how it is using a new machine-learning system called RegCheck to identify and block suspicious .BE domain name registrations before they become active on the Internet.
DNS Belgium has stated that keeping the Internet secure is one of its most important objectives and, in practice, this means “striking a balance between the smooth registration of .be domain names and strict control of registrations that appear suspicious.” To support that effort, the RegCheck tool, which automatically screens new domain name registrations for signs of suspicious activity, was developed and has been in operation since March 2024. RegCheck analyses historical patterns in order to predict whether a newly registered domain name could be suspicious.
The RegCheck tool grew out of the idea that fraudulent domain name registrations tend to follow recognisable patterns and that machine learning could be used to detect them. It was first proposed in a thesis submitted to the Department of Computer Science at KU Leuven in 2019/20, then became a collaboration between DNS Belgium and its Dutch counterpart, SIDN, which was pursuing a similar approach to abuse mitigation. The two organisations decided to collaborate, exchanging code and ideas and jointly defining the features that would serve as input for the machine-learning model.
The two Registries encountered a number of challenges during the training and testing of the model – one being that malicious domain name registrations are not always obvious at the moment they are created. A domain name that appears legitimate initially may later be used for fraudulent activity, which means that the model must be designed to consider broader patterns beyond just the initial registration data.
Additionally, instead of letting the algorithm discover patterns on its own, the team specified what to watch for – such as numbers at the end of a domain name – and combined multiple factors into a reputation score. According to the developers, this process, known as ‘feature engineering’, requires expertise in both domain names and complex database queries.
Since its launch, DNS Belgium reports that RegCheck has significantly outperformed the previous manual verification system. According to Maarten Bosteels, head of R&D at DNS Belgium, the machine-learning model evaluates the “combination of all characteristics instead of simply adding up the ‘violated’ rules”, producing a more accurate assessment of suspicious registrations than previous manual assessments. The system is flexible and can be tuned to be more or less strict depending on the desired level of risk tolerance.
As Thomas Daniels, a researcher in the R&D team at DNS Belgium, explains, RegCheck acts like a wide net: it can block roughly 30% of domain name registrations while identifying around 80% of potentially fraudulent ones, allowing eventual manual checks to be carried out “in a much more targeted manner.”
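The strictness trade-off described above can be made concrete with a short added example, which is not RegCheck code or anything published by DNS Belgium. It assumes a model that outputs a score between 0 and 1 per registration; the scores, labels and function names are constructed for illustration, with the sample data chosen so that the 80% recall target lands on a 30% hold rate.

```python
# Added illustration, not RegCheck code. SCORED is constructed sample data:
# (model score in [0, 1], whether the registration later proved malicious).
SCORED = [
    (0.95, True), (0.90, True), (0.85, False), (0.72, True), (0.65, False),
    (0.61, True), (0.55, False), (0.50, False), (0.45, False), (0.40, False),
    (0.35, False), (0.30, False), (0.25, False), (0.22, False), (0.20, True),
    (0.15, False), (0.12, False), (0.10, False), (0.08, False), (0.05, False),
]


def operating_point(scored, threshold):
    """Return (flag_rate, recall) when every score >= threshold is held for checks."""
    if not scored:
        raise ValueError("no scored registrations")
    flagged = [bad for score, bad in scored if score >= threshold]
    total_bad = sum(1 for _, bad in scored if bad)
    flag_rate = len(flagged) / len(scored)
    recall = sum(flagged) / total_bad if total_bad else 0.0
    return flag_rate, recall


def threshold_for_recall(scored, target_recall):
    """Highest threshold (fewest registrations held) that still meets target_recall."""
    for threshold in sorted({score for score, _ in scored}, reverse=True):
        flag_rate, recall = operating_point(scored, threshold)
        if recall >= target_recall:
            return threshold, flag_rate, recall
    return None  # target unreachable, e.g. no malicious samples in the data


if __name__ == "__main__":
    for target in (0.6, 0.8, 1.0):
        t, flag_rate, recall = threshold_for_recall(SCORED, target)
        print(f"target recall {target:.0%}: threshold {t:.2f}, "
              f"holds {flag_rate:.0%} of registrations, catches {recall:.0%}")
```

On this sample, raising the recall target from 80% to 100% pushes the share of held registrations from 30% to 75%, which is the cost a stricter setting imposes on legitimate registrants.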
When a registration is flagged, it must go through a separate identification process before it can be activated. This prevents potentially fraudulent .BE domain names from being used immediately for scams; a precaution which DNS Belgium points out “only takes place after the domain name is already active”. While the domain name remains in the registrant's possession, they cannot use it until the verification process is complete, adding an extra layer of protection for users.
Since its rollout, RegCheck has already had a measurable impact at DNS Belgium. In the seven months following its launch, the number of malicious domain name registrations reportedly fell by 30% compared with the same period the previous year.
According to Thomas Daniels, while there are no plans to commercialise the tool or release it as open source, DNS Belgium is open to sharing the code and offering expertise to other Registries interested in adopting similar approaches.