DOI: 10.1145/2486001.2486018 (research article, free access)

An empirical reexamination of global DNS behavior

Published: 27 August 2013

Abstract

The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and to note some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing vantage point. For example, we find that although the characteristics of DNS traffic vary greatly across networks, the resolvers within a single organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as an anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach: we attain a true positive rate of more than 96%, and each malicious anchor domain yields a malware domain group containing more than 53 previously unknown malicious domains on average.
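One way to realise the anchor-domain idea sketched in the abstract, as an added example that is not the paper's code: bucket each resolver's queries into fixed time windows and rank every other domain by the Jaccard similarity between its set of (resolver, window) cells and the anchor's. The 60-second window, the Jaccard score and the 0.5 threshold are assumptions (the page does not give the paper's correlation measure), and the `.example` names and log tuples are constructed.

```python
from collections import defaultdict

# Constructed sample of (timestamp_seconds, resolver_id, queried_domain).
# The ".example" names are placeholders, not real indicators.
QUERIES = [
    (0, "r1", "bad-anchor.example"), (5, "r1", "c2-one.example"),
    (8, "r1", "cdn.example"), (40, "r1", "news.example"),
    (120, "r2", "bad-anchor.example"), (121, "r2", "c2-one.example"),
    (122, "r2", "c2-two.example"), (130, "r2", "cdn.example"),
    (200, "r1", "cdn.example"), (300, "r1", "news.example"),
    (305, "r1", "cdn.example"), (400, "r2", "cdn.example"),
    (500, "r1", "cdn.example"), (600, "r2", "bad-anchor.example"),
    (601, "r2", "c2-two.example"), (610, "r2", "cdn.example"),
    (700, "r2", "cdn.example"), (800, "r1", "cdn.example"),
    (900, "r1", "cdn.example"), (905, "r1", "news.example"),
]

def bucket_sets(queries, window):
    """Map each domain to the set of (resolver, time-bucket) cells in which
    that resolver queried it; each bucket is `window` seconds wide."""
    cells = defaultdict(set)
    for ts, resolver, domain in queries:
        cells[domain].add((resolver, ts // window))
    return cells

def related_domains(queries, anchor, window=60, threshold=0.5):
    """Rank domains by Jaccard similarity of their query cells to the anchor's
    (assumed scoring, not the paper's). Domains queried in lockstep with the
    anchor score near 1; popular names queried everywhere are diluted by their
    own large cell set. Returns {domain: score} for scores >= threshold,
    highest first."""
    cells = bucket_sets(queries, window)
    anchor_cells = cells.get(anchor, set())
    if not anchor_cells:
        return {}  # unknown anchor: nothing to correlate against
    scores = {}
    for domain, dcells in cells.items():
        if domain == anchor:
            continue
        score = len(anchor_cells & dcells) / len(anchor_cells | dcells)
        if score >= threshold:
            scores[domain] = score
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    for domain, score in related_domains(QUERIES, "bad-anchor.example").items():
        print(f"{domain:22s} {score:.2f}")
```

On the constructed log the two `c2-*` names score 0.67 and are reported, while the ubiquitous `cdn.example` is diluted to 0.30 and dropped.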


    Published In

    SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
    August 2013, 580 pages
    ISBN: 9781450320566
    DOI: 10.1145/2486001

    Also published in: ACM SIGCOMM Computer Communication Review, Volume 43, Issue 4
    October 2013, 595 pages
    ISSN: 0146-4833
    DOI: 10.1145/2534169

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. dns
    2. malicious domain detection
    3. measurement


    Conference

    SIGCOMM'13
    Sponsor:
    SIGCOMM'13: ACM SIGCOMM 2013 Conference
    August 12 - 16, 2013
    Hong Kong, China

    Acceptance Rates

    SIGCOMM '13 Paper Acceptance Rate 38 of 246 submissions, 15%;
    Overall Acceptance Rate 462 of 3,389 submissions, 14%
