
Blocking suspicious domains before they go live

17 December 2025

A secure internet is one of DNS Belgium's most important objectives. This means striking a balance between the smooth registration of .be domain names and strict control of registrations that appear suspicious. To meet this challenge, DNS Belgium developed a tool that automatically assesses whether a new registration shows any suspicious characteristics.

RegCheck is designed to predict whether a new domain name registration is suspicious based on historical registration data. The machine learning tool was developed by DNS Belgium, together with its Dutch counterpart SIDN.

A peer-reviewed paper has now been published, which was also recently presented at the KDD 2025 conference (Knowledge Discovery and Data Mining) in Toronto. This is a great opportunity to take a closer look at what RegCheck does and how the tool came about. We discuss this with Maarten Bosteels, head of R&D at DNS Belgium, and Thomas Daniels, researcher in the R&D team at DNS Belgium.

How did RegCheck come about?

Maarten Bosteels: It started with the assumption that there are patterns in fraudulent registrations and that machine learning could recognise them.

We submitted this topic as a thesis proposal to the Department of Computer Science at KU Leuven in the 2019-2020 academic year. The initial results were not usable, but they were promising. Then, starting in 2021, a proof-of-concept (PoC) was developed by a researcher at KU Leuven, Pieter Robberechts. He was also familiar with our specific activities because he had previously written his thesis at DNS Belgium.

During a CENTR R&D workshop in 2022, we noticed that SIDN had a similar project and decided to join forces. Code and concepts were exchanged and we started looking together at what features we could come up with. These features are the input fields on which the machine learning model bases its risk calculation for a registration.

Around that time, Thomas Daniels also became involved in the project as a researcher. He had also written his thesis at DNS Belgium, and that is when the idea for a PhD arose. Through a Baekeland mandate at VLAIO, he is working on various projects here to make the internet in Belgium safer. RegCheck is the first project for his PhD.


In what areas does RegCheck perform better than the old way of working?

Thomas Daniels: RegCheck has been in production since March 2024. Before that, there was a system of rules that had to be maintained manually. In our paper, we therefore demonstrate that the machine learning model performs better.

Bosteels: Most rules now appear as features. But we now have more features (specific data that is included in the reputation score) than there used to be rules.

In the past, you gave each rule a weighting of 1 to 3. Today, RegCheck uses machine learning to look at the combination of all characteristics instead of simply adding up the “violated” rules. 

Can you adjust how strict such a system is?

Daniels: The model can be more or less strict depending on what you want. It indicates the likelihood of fraud, but you can tune how big that risk can be yourself.

Does that mean that with this tool you need fewer people, or can you dismiss people because machine learning does the work?

Bosteels: With RegCheck, we can perform much more targeted verification, which has two advantages: registering a domain name is easier. At the same time, our support department can work in a much more targeted way because RegCheck tells them which registrations may be suspicious.

RegCheck was not designed to reduce the number of people needed to do the work, but rather to increase the likelihood of blocking suspicious registrations preventively. This allows the people involved in the process to check suspicious registrations in a much more targeted manner. Without this filter, they would spend much more time checking registrations that are not suspicious, leaving less time to follow up on suspicious registrations.

Daniels: This means that RegCheck makes the Belgian internet safer because we check suspicious registrations in a more targeted manner and deploy our people efficiently.

You should see RegCheck as a wide net that we cast out. You can block roughly thirty per cent of registrations and thus find eighty per cent of fraudulent registrations.

How do you make the best use of RegCheck? Being too strict will block more registrations, while being too lax will allow more fraudulent registrations to slip through.

Bosteels: Despite the use of RegCheck, not everything is blocked. You could be stricter and then you would find even more abuse, but you would also get many more false positives (registrations that are marked as suspicious and later turn out to be innocent). That requires more human checks, which are not particularly useful. You can therefore certainly debate how “strict” such a system should be.

How do you ensure that machine learning recognises suspicious things without overreacting?

Daniels: There are two ways to classify data: you can explicitly define features (feature engineering), or you can choose not to (representation learning). Here, we chose to specify ourselves what the algorithm should look out for. But then you also have to make sure that you only indicate things that are useful to the model. For example, you can specify “a number at the end of a domain name” and RegCheck will pay explicit attention to that. There are several factors that together determine a reputation score.

When defining these features, you need to stay focused. You perform fairly complex database queries, and you also need some knowledge of domain names to do this properly. But there are also a few pitfalls in training and testing.

Bosteels: For example, you train your model on historical data. If you then want to test how well it works, you have to do so on other historical data. So when testing, you want to make sure that you don't use the data on which you trained the model.

An additional obstacle is that malicious registrations are not black and white. It is perfectly possible for someone to register a domain that is fine at the time, but a few weeks later it is running a fraudulent webshop. If you want to recognise such things, you have to look much broader than just the data or behaviour at the time of registration itself when using training data.


Portrait of Thomas Daniels, researcher at DNS Belgium and KU Leuven, expert in AI, innovation and development.

RegCheck has been running at DNS Belgium for some time now. Can you quantify how well it works?

Daniels: Certainly, we have described this in detail in our paper. In the seven months since its rollout, the number of abuse cases (malicious registrations) has fallen by 30% compared to the same period last year. The model we developed succeeds in giving registrations that are effectively suspicious a higher (read: worse) score.

Bosteels: If RegCheck finds it suspicious, you have to go through a separate identification process. This prevents a large number of .be domain names from popping up and being used shortly afterwards to scam people. In many other zones, this check only takes place after the domain name is already active.

A domain name that is held back for verification remains in the hands of the registrant, but he or she cannot do anything with it until the identification process is complete.


Doesn't that make training with recent data, after RegCheck was already active, more difficult?

Bosteels: Initially, this was a stumbling block for the evaluation of RegCheck. After all, RegCheck already filters out some domain names that would otherwise simply go online. When evaluating your model, you have withdrawn domains for which you will never know whether they would have turned out to be malicious if they had gone online.

Daniels: Our sources for training the system include withdrawn domain names from the past, malicious registrations that we detected ourselves, and domain names that have been ready for verification for more than 120 days. Here too, we investigated the best way to combine these sources.

This was developed within DNS Belgium in collaboration with SIDN. Is RegCheck also used elsewhere?

Daniels: With RegCheck, we want to make the internet as a whole safer, so we are certainly open to that. There are no plans to offer it commercially or as open source, but if other registries are interested, we are happy to share the project code and our expertise is available.
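The strictness trade-off discussed in the interview (how many registrations are held back for verification versus how much fraud is caught and how many false positives result) can be worked through on a small scale. The following is an added example, not RegCheck code or code from DNS Belgium or SIDN; the scores, labels and function names are constructed for illustration.

```python
import math

# Constructed sample: (model score, turned out fraudulent?) for 20 registrations.
# These are illustrative values, not RegCheck output.
SAMPLE = [
    (0.97, True), (0.93, True), (0.88, False), (0.84, True), (0.79, True),
    (0.71, False), (0.62, False), (0.55, False), (0.48, True), (0.41, False),
    (0.37, False), (0.33, False), (0.29, False), (0.24, False), (0.21, False),
    (0.17, False), (0.13, False), (0.09, False), (0.06, False), (0.03, False),
]


def threshold_for_budget(scored, block_rate):
    """Lowest score that still gets held back when we can verify
    `block_rate` (0..1) of all registrations. Hypothetical helper."""
    k = round(block_rate * len(scored))
    if k == 0:
        return math.inf  # hold nothing back
    ranked = sorted((s for s, _ in scored), reverse=True)
    return ranked[k - 1]  # tied scores at the cut are all held back


def evaluate(scored, threshold):
    """Count what a given strictness setting catches and what it costs."""
    held = [(s, fraud) for s, fraud in scored if s >= threshold]
    caught = sum(1 for _, fraud in held if fraud)
    total_fraud = sum(1 for _, fraud in scored if fraud)
    return {
        "held_back": len(held),
        "block_rate": len(held) / len(scored),
        "fraud_caught": caught,
        "recall": caught / total_fraud if total_fraud else 0.0,
        "false_positives": len(held) - caught,
    }


def sweep(scored, rates=(0.1, 0.3, 0.5)):
    """Evaluate several strictness settings side by side."""
    return [evaluate(scored, threshold_for_budget(scored, r)) for r in rates]


if __name__ == "__main__":
    for row in sweep(SAMPLE):
        print(row)
```

On this constructed data, moving from a 30% to a 50% verification budget catches the one remaining fraudulent registration at the cost of three additional false positives, which is the kind of extra manual checking the interview describes.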
