
@zbalkan (Contributor) commented Dec 30, 2025

Summary

This is a simple app which may be helpful for phishing domains:

Example output

For microsoft.com:

C:\Users\zafer>dig microsoft.com @127.0.0.1

; <<>> DiG 9.16.25 <<>> microsoft.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42278
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;microsoft.com.                 IN      A

;; ANSWER SECTION:
microsoft.com.          3600    IN      A       13.107.213.45
microsoft.com.          3600    IN      A       13.107.246.45

;; Query time: 157 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 30 21:56:18 FLE Standard Time 2025
;; MSG SIZE  rcvd: 74

For rnicrosoft.com:

C:\Users\zafer>dig rnicrosoft.com @127.0.0.1

; <<>> DiG 9.16.25 <<>> rnicrosoft.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53901
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 15 (Blocked): (source=typosquatting-detector;domain=rnicrosoft.com;severity=HIGH;reason=Typosquatting)
;; QUESTION SECTION:
;rnicrosoft.com.                        IN      A

;; AUTHORITY SECTION:
rnicrosoft.com.         60      IN      SOA     lap29. hostadmin.lap29. 1 14400 3600 604800 60

;; Query time: 295 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 30 21:56:25 FLE Standard Time 2025
;; MSG SIZE  rcvd: 186

@ShreyasZare (Member) commented:

Thanks for the PR. It's a nice concept, but my concern is with false positives. Have you done any analysis for that?

@zbalkan (Contributor, Author) commented Dec 31, 2025

75 is a good enough number. Depending on the case, users can make it stricter, but several tests have shown this is good enough. Any threshold lower than 75 would be too much noise.

I first considered having a detect-only mode, but if we don't do blocking, we cannot enrich logging. So, my initial plan failed. Because we return Task.FromResult<DnsDatagram?>(null), there's no room for labeling successful DNS results with EDE for further analysis. So, a "This looks suspicious but not enough for blocking" message is not possible. So this is the end result.

I will add one more change today. It rebuilds the fuzzy search and bloom filter capabilities very often while the file has not changed. I'll keep a hash of the file and return early if the file has not changed for some time.

@ShreyasZare (Member) commented:

> I first considered having a detect-only mode, but if we don't do blocking, we cannot enrich logging. So, my initial plan failed. Because we return Task.FromResult<DnsDatagram?>(null), there's no room for labeling successful DNS results with EDE for further analysis. So, a "This looks suspicious but not enough for blocking" message is not possible. So this is the end result.

It's possible to do that by querying the DNS server from the app itself and then adding EDE for it. But since nobody is practically going to read that EDE message, it's not really useful. So blocking is the only practical way to make it effective.

Will check the app once I have some time available. My only major concern is false positives, which have the potential to generate too many support requests. The other minor concern is sourcing the CSV data, which adds a maintenance task if it's self-hosted and not sourced directly from some reliable third party.

@zbalkan (Contributor, Author) commented Dec 31, 2025

I agree with the CSV issue. It's a replacement for the Alexa Top 1M list. If this becomes obsolete, I'd replace it with a new one. The second list, the custom one, is expected to be a single column with no header. For me, it would contain only "zaferbalkan.com", for instance. So, it is a combination of a dynamic and a static list.

@zbalkan (Contributor, Author) commented Dec 31, 2025

Another thing is that I first used enums like HIGH, MEDIUM, etc., but then moved to a numeric threshold for fine-tuning. Those enums are now only for adding metadata so that the user can have some actionable insight.

I'd write the description in more detail. Users must be careful.

Copilot AI review requested due to automatic review settings January 1, 2026 16:24

Copilot AI left a comment
Pull request overview

This PR introduces a new DNS application called "TyposquattingDetector" that helps protect against phishing by detecting potential typosquatting domain queries. The detector uses fuzzy string matching against a list of the top 1 million legitimate domains (from Majestic) to identify domains that are suspiciously similar but not exact matches, blocking them with extended DNS error responses.

  • Implements a bloom filter and fuzzy matching algorithm to detect typosquatting attempts
  • Downloads and maintains the Majestic Million domain list with periodic updates
  • Provides configurable thresholds and blocking behavior with extended DNS error codes

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 26 comments.

Summary per file:

README.md: Adds SonarCloud quality gate badge
DnsServer.sln: Adds TyposquattingDetector project to solution and updates VS version
Apps/TyposquattingDetector/dnsApp.config: Configuration file defining default settings for fuzzy matching, update intervals, and blocking behavior
Apps/TyposquattingDetector/TyposquattingDetector.csproj: Project file with dependencies for bloom filter, fuzzy matching, and public suffix parsing
Apps/TyposquattingDetector/TyposquattingDetector.cs: Core detection logic implementing bloom filter prefiltering and parallel fuzzy matching
Apps/TyposquattingDetector/Config.cs: Configuration class with validation for settings including domain file paths and update intervals
Apps/TyposquattingDetector/App.cs: Main application entry point implementing DNS request blocking handler with periodic domain list updates
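The detection pipeline that the threshold discussion above and the review summary describe (registrable-domain extraction, a Bloom-filter fast path for exact hits in the legitimate list, fuzzy scoring against that list with a 75 cut-off, and an EDE 15 "Blocked" extra text in the format of the dig output at the top of the page), written out as an added, self-contained Python example. It is not the project's C# code. The domain lists and the public-suffix set are constructed stand-ins for the Majestic Million download, the single-column custom list and a real PSL parser; Levenshtein-based scoring and the HIGH/MEDIUM cut-off at 85 are assumptions of this example; and gitlab.com is deliberately left out of the constructed top list to show the false-positive risk the maintainer raises and how the threshold or the list changes the verdict.

```python
"""Typosquatting check in the spirit of the PR's TyposquattingDetector.

Added example, not the project's code. Standard library only.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-ins for the two inputs described in the thread: the dynamic
# Majestic Million download and the static, single-column custom list.
TOP_DOMAINS = ["microsoft.com", "google.com", "github.com", "netflix.com"]
CUSTOM_DOMAINS = ["zaferbalkan.com"]

# Constructed stand-in for the Public Suffix List (the project uses a PSL parser).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

THRESHOLD = 75  # default discussed in the thread; anything lower is "too much noise"


class BloomFilter:
    """Minimal Bloom filter: cheap 'definitely not in the list' answers before the fuzzy scan."""

    def __init__(self, size_bits: int = 1 << 16, hashes: int = 4) -> None:
        self.size, self.hashes = size_bits, hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item: str):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def registrable_domain(qname: str) -> str:
    """Lowercase, drop the trailing dot, keep the registrable part ('login.rnicrosoft.com.' -> 'rnicrosoft.com')."""
    labels = qname.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix first, so 'co.uk' wins over 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> int:
    """0..100 score derived from edit distance; 100 only for identical strings (assumed metric)."""
    return round(100 * (1 - levenshtein(a, b) / max(len(a), len(b), 1)))


@dataclass
class Verdict:
    domain: str
    blocked: bool
    match: Optional[str] = None
    score: int = 0
    severity: Optional[str] = None

    def ede_extra_text(self) -> str:
        """Extra text for EDE 15 (Blocked), in the format shown in the PR's dig output."""
        return (f"source=typosquatting-detector;domain={self.domain};"
                f"severity={self.severity};reason=Typosquatting")


class TyposquattingDetector:
    def __init__(self, legit_domains: Iterable[str], threshold: int = THRESHOLD) -> None:
        self.legit = {registrable_domain(d) for d in legit_domains}
        self.bloom = BloomFilter()
        for d in self.legit:
            self.bloom.add(d)
        self.threshold = threshold

    def check(self, qname: str) -> Verdict:
        domain = registrable_domain(qname)
        # Fast path: Bloom says "maybe present"; confirm with the exact set (Bloom never false-negatives).
        if domain in self.bloom and domain in self.legit:
            return Verdict(domain, blocked=False, match=domain, score=100)
        # Slow path: fuzzy scan of the whole list; only near misses at or above the threshold are blocked.
        best, best_score = max(((d, similarity(domain, d)) for d in self.legit), key=lambda t: t[1])
        if best_score >= self.threshold:
            # Severity is metadata only, as the thread says; the 85 cut-off is an assumption here.
            severity = "HIGH" if best_score >= 85 else "MEDIUM"
            return Verdict(domain, True, best, best_score, severity)
        return Verdict(domain, False, best, best_score)


if __name__ == "__main__":
    det = TyposquattingDetector(TOP_DOMAINS + CUSTOM_DOMAINS)
    for q in ("microsoft.com", "login.rnicrosoft.com.", "micron.com", "gitlab.com", "zaferbalkan.com"):
        v = det.check(q)
        print(f"{q:24} blocked={v.blocked!s:5} best={v.match} score={v.score}"
              + (f"  EDE 15: {v.ede_extra_text()}" if v.blocked else ""))
```

With this metric rnicrosoft.com scores 86 against microsoft.com and is blocked, micron.com scores 69 and passes, and gitlab.com scores 80 against github.com and is blocked at the default 75, the kind of false positive the maintainer worries about. In a real deployment gitlab.com sits in the Majestic list and takes the exact-match fast path; for a less popular legitimate domain the remedies are the custom list (an exact entry always passes) or a stricter threshold, as zbalkan suggests.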

Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 16 comments.


Copilot AI left a comment

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 8 comments.


zbalkan marked this pull request as ready for review January 2, 2026 13:22

@zbalkan (Contributor, Author) commented Jan 2, 2026

Fixing concurrency issues took time but finally made it work.
