An empirical reexamination of global DNS behavior

Hongyu Gao, Vinod Yegneswaran, Yan Chen, Phillip Porras, Shalini Ghosh, Jian Jiang, Haixin Duan

Research output: Chapter in Book/Report/Conference proceedingConference contribution

20 Scopus citations

Abstract

The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor, and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e. , we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Original languageEnglish (US)
Title of host publicationProceedings of the SIGCOMM 2013 and Best Papers of the Co-Located Workshops
Pages267-278
Number of pages12
Edition4
DOIs
StatePublished - Dec 1 2013
EventAnnual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication, ACM SIGCOMM 2013 - Hong Kong, China
Duration: Aug 12 2013Aug 16 2013

Publication series

NameComputer Communication Review
Number4
Volume43
ISSN (Print)0146-4833
ISSN (Electronic)1943-5819

Other

OtherAnnual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication, ACM SIGCOMM 2013
CountryChina
CityHong Kong
Period8/12/138/16/13

Keywords

  • dns
  • malicious domain detection
  • measurement

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'An empirical reexamination of global DNS behavior'. Together they form a unique fingerprint.

  • Cite this

    Gao, H., Yegneswaran, V., Chen, Y., Porras, P., Ghosh, S., Jiang, J., & Duan, H. (2013). An empirical reexamination of global DNS behavior. In Proceedings of the SIGCOMM 2013 and Best Papers of the Co-Located Workshops (4 ed., pp. 267-278). (Computer Communication Review; Vol. 43, No. 4). https://doi.org/10.1145/2534169.2486018