If you’re not watching the dynamic DNS domain traffic on your network, you’re missing things.
Even if you or your web filtering/proxy solution is blocking them, you still need to watch for them.
Compromised hosts will often use them as C2.
Depending on the size of your network, you may need to do some heavy tuning…but trust me, it’s worth it.
Just throw the domains in a CSV and run it against your proxy logs and DNS logs every 24 hours. Be a hero.
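One way to run that daily check, as an added example that is not from the original post: it matches DNS log entries against a CSV of dynamic DNS base domains by label suffix, keeps blocked lookups in the results, and takes an allowlist for tuning. The domains, the log layout (`timestamp client_ip queried_name action`) and all function names are assumptions constructed for the illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; replace with your own CSV and log exports.
DDNS_CSV = """domain
ddns-provider.example
dynhost.example
"""

# Assumed log layout: timestamp client_ip queried_name action
DNS_LOG = """\
2024-01-01T00:01:09Z 10.0.0.7 host1.ddns-provider.example blocked
2024-01-01T00:02:11Z 10.0.0.7 HOST1.ddns-provider.example. blocked
2024-01-01T00:03:30Z 10.0.0.9 cam.dynhost.example allowed
2024-01-01T00:04:00Z 10.0.0.5 notdynhost.example allowed
"""

def load_domains(csv_text):
    """Return the set of dynamic DNS base domains from a one-column CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["domain"].strip().lower().rstrip(".") for r in rows if r["domain"].strip()}

def match_base(name, domains):
    """Return the listed base domain that `name` equals or is a subdomain of."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None  # a plain substring match would wrongly flag notdynhost.example

def find_hits(log_text, domains, allowlist=frozenset()):
    """Map client IP -> {(queried name, action): count}, blocked lookups included."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, name, action = parts
        name = name.lower().rstrip(".")
        if name in allowlist or match_base(name, domains) is None:
            continue
        hits[client][(name, action)] += 1
    return {c: dict(v) for c, v in hits.items()}

if __name__ == "__main__":
    for client, seen in sorted(find_hits(DNS_LOG, load_domains(DDNS_CSV)).items()):
        print(client, seen)
```

A client that keeps retrying a blocked name, like 10.0.0.7 in the sample, is the case the blocking control alone would hide.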