Reexamining DNS from a Global Recursive Resolver Perspective

Hongyu Gao, Vinod Yegneswaran, Jian Jiang, Yan Chen, Phillip Porras, Shalini Ghosh, Haixin Duan

Research output: Contribution to journal, Article, peer-review

39 Scopus citations

Abstract

The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
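The anchor-based detection sketched in the abstract, as an added Python illustration that is not the paper's code: the page gives only the idea (start from one known malicious anchor domain and use temporal correlation of DNS queries to find related domains), so the two-sided co-occurrence score, the 5-second window, the thresholds, and the constructed query log below are all assumptions of this example, not the authors' algorithm or data.

```python
"""
Added example, not from the paper: anchor-based temporal correlation over
recursive-resolver query logs.  Given a known-malicious anchor domain, find
other domains whose lookups cluster in time with the anchor's lookups from the
same client.  Window, scoring and thresholds are assumptions for illustration.
"""
from bisect import bisect_left
from collections import defaultdict

WINDOW = 5.0            # seconds around an anchor lookup (assumed, not from the paper)
MIN_SCORE = 0.5         # minimum two-sided co-occurrence score (assumed)
MIN_ANCHOR_SUPPORT = 3  # anchor lookups that must be covered (assumed)


def _build_sample_log():
    """Constructed log of (timestamp_seconds, client_ip, queried_name) tuples.

    Three 'infected' clients beacon to the anchor every 300 s and, a couple of
    seconds later, resolve two further domains.  Every client, infected or not,
    hits a popular CDN name every 30 s; clean clients also read a news site.
    """
    log = []
    infected = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    clean = ["10.0.0.9", "10.0.0.10"]
    for c in infected:
        for t in (100.0, 400.0, 700.0):
            log.append((t, c, "c2-anchor.example"))
            log.append((t + 1.5, c, "payload.example"))
            log.append((t + 2.0, c, "beacon2.example"))
            log.append((t + 3.0, c, "cdn.example"))  # malware also touches the CDN
    for c in infected + clean:
        for t in range(0, 900, 30):
            log.append((float(t), c, "cdn.example"))
    for c in clean:
        for t in (105.0, 410.0, 720.0):
            log.append((t, c, "news.example"))
    return sorted(log)


SAMPLE_LOG = _build_sample_log()


def index_log(log):
    """Map normalised domain -> client -> sorted list of query timestamps."""
    idx = defaultdict(lambda: defaultdict(list))
    for t, client, name in log:
        idx[name.lower().rstrip(".")][client].append(t)
    for per_client in idx.values():
        for ts in per_client.values():
            ts.sort()
    return idx


def _near(ts_sorted, t, window):
    """True if some timestamp in ts_sorted lies within [t - window, t + window]."""
    i = bisect_left(ts_sorted, t - window)
    return i < len(ts_sorted) and ts_sorted[i] <= t + window


def correlate(log, anchor, window=WINDOW):
    """Return {domain: (score, anchor_hits, domain_hits)} for every non-anchor domain.

    anchor_hits: anchor lookups that have a lookup of `domain` nearby from the same client.
    domain_hits: lookups of `domain` that have an anchor lookup nearby from the same client.
    The score is the smaller of the two ratios, so a popular benign domain that
    happens to be queried next to the anchor, but mostly elsewhere, scores low.
    """
    idx = index_log(log)
    anchor = anchor.lower().rstrip(".")
    anchor_clients = idx.get(anchor, {})
    n_anchor = sum(len(v) for v in anchor_clients.values())
    if n_anchor == 0:
        raise ValueError(f"anchor {anchor!r} never appears in the log")
    results = {}
    for dom, per_client in idx.items():
        if dom == anchor:
            continue
        n_dom = sum(len(v) for v in per_client.values())
        a_hits = d_hits = 0
        for client, a_ts in anchor_clients.items():
            d_ts = per_client.get(client)
            if not d_ts:
                continue  # client never queried this domain: no evidence either way
            a_hits += sum(_near(d_ts, t, window) for t in a_ts)
            d_hits += sum(_near(a_ts, t, window) for t in d_ts)
        score = min(a_hits / n_anchor, d_hits / n_dom)
        results[dom] = (round(score, 3), a_hits, d_hits)
    return results


def malicious_group(log, anchor, window=WINDOW, min_score=MIN_SCORE,
                    min_support=MIN_ANCHOR_SUPPORT):
    """Domains whose lookups are tightly coupled to the anchor's lookups."""
    res = correlate(log, anchor, window)
    return sorted(d for d, (s, a, _) in res.items()
                  if s >= min_score and a >= min_support)


if __name__ == "__main__":
    for dom, stats in sorted(correlate(SAMPLE_LOG, "c2-anchor.example").items()):
        print(f"{dom:20s} score={stats[0]:.3f} anchor_hits={stats[1]} domain_hits={stats[2]}")
    print("group:", malicious_group(SAMPLE_LOG, "c2-anchor.example"))
```

On the constructed log the two domains fetched right after each beacon score 1.0 and join the anchor's group, while cdn.example scores below 0.1 despite appearing next to every anchor lookup, because almost all of its queries are unrelated to the anchor; news.example never co-occurs with it at all. In a real deployment the window and thresholds would have to be tuned against benign co-occurrence, and a popularity allowlist would normally be applied before scoring.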

Original language: English (US)
Article number: 6932501
Pages (from-to): 43-57
Number of pages: 15
Journal: IEEE/ACM Transactions on Networking
Volume: 24
Issue number: 1
DOIs
State: Published - Feb 2016

Funding

This material is based upon work supported in part by the National Science Foundation under Grants No. CNS-0831300 and CNS-1314956, the Army Research Office under Cyber-TA Grant No. W911NF-06-1-0316, the National Basic Research Program (973 Program) of China under Grant No. 2009CB320505, the National Natural Science Foundation of China under Grant No. 61472215, and the Open Foundation of the State Key Laboratory of Networking and Switching Technology (Beijing University of Posts and Telecommunications) SKLNST-2013-1-17.

Keywords

  • Domain Name System (DNS)
  • malicious domain detection
  • measurement

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Computer Networks and Communications
  • Electrical and Electronic Engineering
