Abstract
The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as an anchor, and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
Published in SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM.