Technical overview for security teams, CISOs, and ISP engineers.
Protective DNS (PDNS) intercepts domain resolution requests and blocks connections to known-malicious infrastructure before a TCP handshake ever occurs. Because every network connection begins with a DNS lookup, the DNS layer is the single most efficient point to disrupt malware delivery, command-and-control communication, phishing, and data exfiltration.
This is not a theoretical model. It is active government policy:
Escudo implements PDNS as a managed service. A single DNS configuration change โ no software, no agents, no appliances โ activates threat blocking, content filtering, device identification, and forensic logging across every device on a network.
Escudo aggregates threat data from 18 independent feed sources, organized by threat category:
| Category | Feed count | Coverage |
|---|---|---|
| Malware distribution | 4 | Domains hosting payloads, exploit kits, drive-by downloads |
| Phishing | 3 | Credential harvesting, brand impersonation, social engineering |
| Command and control | 3 | Botnet C2, RAT callbacks, data exfiltration endpoints |
| Ad networks and trackers | 4 | Cross-site tracking, fingerprinting, malvertising vectors |
| Telemetry and analytics | 2 | OS-level telemetry, app analytics, crash reporting |
| Newly registered domains | 2 | Domains under 30 days old (high-risk category) |
Feeds are refreshed on a 5-minute cycle. Each refresh follows a deterministic pipeline:
The current unified blocklist contains approximately 1.53 million unique domains.
Domain Generation Algorithms (DGAs) are used by malware families to produce pseudo-random domain names for command-and-control communication. Because these domains are generated dynamically, they cannot appear in static blocklists. Escudo applies real-time heuristic analysis to every queried domain.
Each domain label is evaluated across four independent dimensions:
amazon.com) have low entropy. DGA domains (e.g., xjk8mzp3qr.net) have high entropy. The engine computes entropy per label and normalizes against label length.Design decision: Escudo uses pure heuristic analysis rather than machine learning for DGA detection. Heuristic engines are deterministic (same input always produces same output), explainable (every block can be attributed to specific scoring factors), and fast (no model inference latency). For DNS-layer security where decisions must be made in microseconds, these properties outweigh the marginal accuracy gains of ML approaches.
PIX is Brazil's instant payment system, processing over 3 billion transactions per month. Attackers create convincing replicas of banking portals to intercept PIX transfers. Escudo applies specialized heuristics to identify these domains before users reach them.
The detection model covers major Brazilian financial institutions including Banco do Brasil, Bradesco, Itau, Caixa Economica, Nubank, Inter, C6, Santander Brasil, BTG Pactual, and Mercado Pago, among others. The protected institution list is updated continuously.
Escudo identifies device types on the network through passive DNS pattern analysis โ no active scanning, no agents, no SNMP.
Different operating systems and device types generate characteristic DNS queries as part of their normal operation:
Escudo maintains a rule engine of 127 pattern definitions that map DNS query signatures to device categories. Each pattern carries a confidence weight. When multiple patterns match for a single source IP, confidence scores are aggregated to produce a device classification.
Privacy note: Device fingerprinting is based entirely on DNS query patterns โ the same data Escudo already processes for threat detection. No additional data collection occurs. Fingerprinting can be disabled per-account or per-network.
For organizations with compliance, audit, or incident response requirements, Escudo provides tamper-evident logging that can demonstrate the integrity of DNS records after the fact.
Any modification to a historical record โ insertion, deletion, or alteration โ breaks the hash chain from that point forward. Verification can be performed independently: given the raw event data and the published checkpoint hashes, any party can recompute the chain and confirm integrity.
Forensic logs can be exported in JSON (for programmatic analysis) or CSV (for spreadsheet and SIEM import). Exports include the hash chain data, allowing independent verification of the exported records against the checkpoint hashes.
Escudo operates a two-node architecture optimized for the primary deployment regions:
| Role | Location | Provider | Function |
|---|---|---|---|
| DNS Resolver | Sao Paulo, Brazil | Vultr | Primary resolver for Latin American networks |
| DNS Resolver | Falkenstein, Germany | Hetzner | Primary resolver for European networks |
| Management | Nuremberg, Germany | Hetzner | API, dashboard, threat intelligence processing |
Brazilian ISPs using the Sao Paulo resolver see sub-5ms response times for cached queries. European networks served from Falkenstein achieve comparable latency. The architecture is anycast-ready โ additional resolver nodes can be deployed in any region without changes to client configuration.
Each resolver operates independently with a full copy of the blocklist and threat intelligence data. If one node becomes unavailable, clients configured with both resolver addresses automatically fail over to the surviving node. The management layer synchronizes state to all resolvers but is not in the query path โ resolvers continue to function during management downtime.
Escudo is designed for ISP deployment where a single resolver instance serves thousands of subscribers, each with potentially different security policies.
ISPs can customize block pages (branding, messaging, support links), dashboard appearance, and notification templates. The subscriber-facing experience can be fully branded as the ISP's own security product.
All management API endpoints require authentication via API key passed in the request header. Keys are scoped per tenant with configurable permission levels (read-only, subscriber management, full administration). Rate limiting is applied per key.
DNS query processing is based on the legal basis of legitimate interest (Art. 10) for threat detection and contractual necessity (Art. 7, V) for paid service features. Data subject rights (access, deletion, portability) are supported via API and email request. The Data Protection Officer can be reached at privacy@escudo.network.
European data is processed and stored exclusively in Hetzner's German data centers. Processing basis aligns with LGPD: legitimate interest for security functions, contract performance for paid features. Standard Contractual Clauses are available for ISP deployments requiring cross-border data processing agreements.
Escudo's architecture supports NIS2 compliance for entities classified as essential or important: incident reporting via forensic export, supply chain documentation via sub-processor transparency, and security-by-design through Rust's memory safety guarantees.
All DNS query metadata is permanently deleted after 30 days. No anonymized or aggregated derivatives are retained beyond this period. Account data is retained for 90 days after account closure.
Escudo is written in Rust. This is a deliberate technical choice with specific implications for a security product:
The unified blocklist is stored in a HashSet with O(1) average lookup complexity. A DNS query against 1.53 million blocked domains completes in microseconds. The entire blocklist resides in memory โ there is no disk I/O in the query path.
Network operations use Tokio, Rust's async runtime. Each DNS query is handled as a lightweight task (not a thread). A single resolver node can sustain tens of thousands of concurrent queries without thread pool exhaustion.
The complete Escudo deployment โ two DNS resolvers, management server, database, threat intelligence processing โ operates on approximately EUR 28 per month of infrastructure. This cost efficiency is a direct consequence of Rust's performance characteristics and the architectural decision to keep the system simple.
For technical questions, deployment planning, or security evaluation, contact contato@escudo.network.