An empirical reexamination of global DNS behavior

Published: 27 August 2013

Abstract

The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and to note some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing vantage point. For example, we find that although the characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as an anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain yields a malware domain group with more than 53 previously unknown malicious domains on average.
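As an added illustration of the anchor-based idea the abstract describes (example code written for this page, not the paper's own algorithm or data), the following Python buckets each queried name's activity into fixed time bins and scores how closely every other name's on/off pattern tracks a known-bad anchor domain. The 60-second bin size, the Pearson correlation over binary activity vectors, the 0.8 threshold, the `(timestamp, client, name)` log format and all domain names are assumptions constructed for this example; a name that is queried in every bin (or in none) has a constant pattern and is reported as having no temporal signal rather than dividing by zero.

```python
"""Temporal co-occurrence of DNS queries around a known-bad anchor domain.

Added illustration of the idea in the abstract, not the paper's algorithm:
each domain's queries are bucketed into fixed time bins, and the resulting
on/off activity pattern is compared with the anchor's pattern using Pearson
correlation.  Bin size, threshold and log format are assumptions.
"""
from collections import defaultdict
from math import sqrt

# Constructed sample log: (unix_timestamp_seconds, client, queried_name).
# With 60-second bins the window covers ten bins (0-9).
SAMPLE_QUERIES = [
    # the anchor and "stage2" are always queried in the same bursts
    (10, "c1", "anchor-bad.example"), (15, "c1", "stage2.example"),
    (70, "c2", "anchor-bad.example"), (75, "c2", "stage2.example"),
    (250, "c1", "anchor-bad.example"), (255, "c1", "stage2.example"),
    (310, "c3", "anchor-bad.example"), (315, "c3", "stage2.example"),
    (490, "c2", "anchor-bad.example"), (495, "c2", "stage2.example"),
    # "cdn-x" follows the same bursts plus one extra bin at the end
    (20, "c1", "cdn-x.example"), (80, "c2", "cdn-x.example"),
    (260, "c1", "cdn-x.example"), (320, "c3", "cdn-x.example"),
    (500, "c2", "cdn-x.example"), (580, "c4", "cdn-x.example"),
    # "mail" is active exactly when the anchor is quiet
    (130, "c4", "mail.example"), (190, "c4", "mail.example"),
    (370, "c4", "mail.example"), (430, "c4", "mail.example"),
    (550, "c4", "mail.example"),
    # a popular name queried in every bin: constant activity, no signal
] + [(t * 60 + 30, "c5", "www.news.example") for t in range(10)]


def bin_activity(queries, bin_seconds=60):
    """Map each queried name to the set of time bins in which it was seen.

    Returns (activity, n_bins); n_bins spans the whole observed window so
    that every name is compared over the same bins.
    """
    activity = defaultdict(set)
    last_bin = 0
    for ts, _client, name in queries:
        b = ts // bin_seconds
        activity[name].add(b)
        last_bin = max(last_bin, b)
    return dict(activity), last_bin + 1


def activity_vector(bins, n_bins):
    """0/1 vector over the window: 1 where the name was queried in that bin."""
    return [1 if b in bins else 0 for b in range(n_bins)]


def pearson(x, y):
    """Pearson correlation of two equal-length vectors; None if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return None  # always-on or never-on names carry no temporal signal
    return cov / sqrt(vx * vy)


def score_against_anchor(queries, anchor, bin_seconds=60):
    """Correlation of every other name's activity pattern with the anchor's.

    Names whose pattern is constant over the window map to None.
    """
    activity, n_bins = bin_activity(queries, bin_seconds)
    if anchor not in activity:
        raise ValueError(f"anchor {anchor!r} not present in the log")
    anchor_vec = activity_vector(activity[anchor], n_bins)
    return {
        name: pearson(anchor_vec, activity_vector(bins, n_bins))
        for name, bins in activity.items()
        if name != anchor
    }


def domain_group(queries, anchor, bin_seconds=60, threshold=0.8):
    """Names whose activity tracks the anchor at or above the threshold."""
    scores = score_against_anchor(queries, anchor, bin_seconds)
    return {n: r for n, r in scores.items() if r is not None and r >= threshold}


if __name__ == "__main__":
    anchor = "anchor-bad.example"
    for name, r in sorted(score_against_anchor(SAMPLE_QUERIES, anchor).items()):
        print(f"{name:20s} {'n/a' if r is None else f'{r:+.3f}'}")
    print("group:", sorted(domain_group(SAMPLE_QUERIES, anchor)))
```

On the constructed log, `stage2.example` scores 1.0 and `cdn-x.example` about 0.82, so both fall into the anchor's group; `mail.example` is anti-correlated and `www.news.example` is skipped as constant. A real deployment would compute the patterns per resolver or per organization, over a much longer window, and would treat the group as candidates for analyst review rather than as a verdict.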



Published in

ACM SIGCOMM Computer Communication Review, Volume 43, Issue 4, October 2013, 595 pages. ISSN: 0146-4833. DOI: 10.1145/2534169

SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM, August 2013, 580 pages. ISBN: 9781450320566. DOI: 10.1145/2486001

Copyright © 2013 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article
