Using the 'Tranco' List (DNS - Part 2)

Hi!

  1. What is Tranco? (https://tranco-list.eu/)

Tranco is a high-quality, research-oriented list of the top one million websites. It was created by academic researchers to solve the reliability issues found in older, commercial rankings like Alexa or Cisco Umbrella.

Here is a concise summary of what makes Tranco unique and why it is a powerful asset for cybersecurity operations.

In the past, security tools relied on “Top 1M” lists to identify popular websites. However, these lists were often unstable (sites jumping thousands of ranks daily) and easy to manipulate (attackers could fake traffic to make a malicious site look “popular”).

Tranco solves this by using:

  • Aggregation: It combines data from multiple providers (Majestic, Cisco Umbrella, Farsight, etc.) to eliminate single-source bias.

  • Temporal Stability: It uses a 30-day sliding window, meaning a site must be consistently popular to stay high on the list.

  • Transparency: The methodology is open-source and peer-reviewed, ensuring researchers can reproduce the exact same list for any given date.

  2. Why Use Tranco for Cybersecurity?

Using Tranco is a strategic move for defenders looking to reduce noise and increase the accuracy of their security stack.

  • Advanced Whitelisting (False Positive Reduction): Security Operations Centers (SOCs) generate thousands of alerts. By cross-referencing outbound traffic with the Tranco list, analysts can automatically deprioritize alerts involving world-famous domains (like Google or Microsoft). This allows the team to focus on the “long tail” of unknown domains where threats usually hide.

  • Identifying C2 (Command & Control) Traffic: Most malware communicates with a remote server (C2). Because Tranco requires sustained popularity across multiple networks to rank a domain, it is extremely difficult for a “fresh” malicious domain to appear on the list. If an internal machine is talking to a domain not in the Tranco Top 1M, it is statistically much more suspicious.

  • Resistance to Ranking Manipulation: “List poisoning” is a technique where hackers artificially inflate a domain’s rank to bypass security filters. Tranco’s multi-source aggregation makes this nearly impossible; an attacker would have to manipulate several global networks simultaneously to influence the ranking.

  • Consistent Security Research: If you are performing a security audit (e.g., “How many top websites still use TLS 1.0?”), using Tranco ensures your dataset is stable. Other researchers can pull the exact same list ID from a specific date to verify your findings, which is essential for compliance and scientific validation.
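The cross-referencing described in the first two points can be sketched as follows. This is an added example, not code from the Tranco project or from this series: it assumes the list is a `rank,domain` CSV, and the sample list, the query names and the `SHARED_HOSTING` set are constructed for illustration. It also handles one edge case the text does not mention: a subdomain of a ranked shared-hosting parent should not inherit that parent's rank.

```python
import csv
import io

# Constructed sample in Tranco's CSV layout (rank,domain); a real run would
# read the downloaded list file instead.
SAMPLE_TRANCO_CSV = "1,google.com\n2,microsoft.com\n3,github.io\n4,example.org\n"
# Assumption: ranked parents under which anyone can create a subdomain, so a
# subdomain must not inherit the parent's rank. Constructed set, not Tranco data.
SHARED_HOSTING = {"github.io"}
# Constructed DNS query names, as they might appear in a resolver log.
SAMPLE_QUERIES = ["www.google.com", "login.microsoft.com.", "GitHub.io",
                  "pages-demo.github.io", "xk3f9a.example.net"]


def load_ranks(csv_text, top_n=1_000_000):
    """Parse rank,domain rows into {domain: rank}, keeping ranks <= top_n."""
    ranks = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 2 or not row[0].isdigit():
            continue  # skip blank or malformed rows
        if int(row[0]) <= top_n:
            ranks[row[1].strip().lower()] = int(row[0])
    return ranks


def lookup(qname, ranks):
    """Return (listed_domain, rank) for qname or its closest listed parent, else None."""
    labels = qname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ranks:
            if i > 0 and candidate in SHARED_HOSTING:
                return None  # subdomain of a shared-hosting parent: no inherited rank
            return candidate, ranks[candidate]
    return None


def triage(queries, ranks):
    """Bucket query names: listed ones are deprioritized, the rest go to review."""
    buckets = {"deprioritize": [], "review": []}
    for q in queries:
        buckets["deprioritize" if lookup(q, ranks) else "review"].append(q)
    return buckets


if __name__ == "__main__":
    print(triage(SAMPLE_QUERIES, load_ranks(SAMPLE_TRANCO_CSV)))
```

Lowering `top_n` narrows the set of domains that get deprioritized, which trades fewer missed alerts for more analyst review.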

In the next articles, we will see, among other things, how to view the status of your DNS queries in relation to the Tranco list.

Cheers.