TY - GEN
T1 - An empirical reexamination of global DNS behavior
AU - Gao, Hongyu
AU - Yegneswaran, Vinod
AU - Chen, Yan
AU - Porras, Phillip
AU - Ghosh, Shalini
AU - Jiang, Jian
AU - Duan, Haixin
PY - 2013
Y1 - 2013
N2 - The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor, and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e. , we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
AB - The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor, and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e. , we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
KW - dns
KW - malicious domain detection
KW - measurement
UR - http://www.scopus.com/inward/record.url?scp=84891592935&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84891592935&partnerID=8YFLogxK
U2 - 10.1145/2534169.2486018
DO - 10.1145/2534169.2486018
M3 - Conference contribution
AN - SCOPUS:84891592935
SN - 9781450320566
T3 - Computer Communication Review
SP - 267
EP - 278
BT - Proceedings of the SIGCOMM 2013 and Best Papers of the Co-Located Workshops
T2 - Annual Conference of the ACM Special Interest Group on Data Communication on the Applications, Technologies, Architectures, and Protocols for Computer Communication, ACM SIGCOMM 2013
Y2 - 12 August 2013 through 16 August 2013
ER -