Abstract
The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
Original language | English (US) |
---|---|
Article number | 6932501 |
Pages (from-to) | 43-57 |
Number of pages | 15 |
Journal | IEEE/ACM Transactions on Networking |
Volume | 24 |
Issue number | 1 |
DOIs | |
State | Published - Feb 2016 |
Funding
This material is based upon work supported in part by the National Science Foundation under Grants No. CNS-0831300 and CNS-1314956, the Army Research Office under Cyber-TA Grant No. W911NF-06-1-0316, the National Basic Research Program (973 Program) of China under Grant No. 2009CB320505, the National Natural Science Foundation of China under Grant No. 61472215, and the Open Foundation of the State Key Laboratory of Networking and Switching Technology (Beijing University of Posts and Telecommunications) SKLNST-2013-1-17.
Keywords
- Domain Name System (DNS)
- malicious domain detection
- measurement
ASJC Scopus subject areas
- Software
- Computer Science Applications
- Computer Networks and Communications
- Electrical and Electronic Engineering