An empirical reexamination of global DNS behavior

Published: 27 August 2013

Abstract

The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as an anchor, and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
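As an added illustration of the anchor-based grouping idea sketched in the abstract (example code written for this page, not the paper's own implementation; the paper's actual correlation measure is not stated here), the script below bins queries into per-resolver time windows and scores every other domain by Jaccard overlap with the anchor's windows. The log format, the 60-second window and the threshold are assumptions, and the records are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed bin width; the abstract does not fix one

# Constructed query log: (timestamp in seconds, resolver id, queried name).
# Both the format and the values are made up for this example.
RECORDS = (
    [(t, "r1", "bad-anchor.example") for t in (5, 70, 130)]
    + [(t + 2, "r1", "cnc-two.example") for t in (5, 70, 130)]
    + [(t, "r2", "bad-anchor.example") for t in (310, 365)]
    + [(t + 1, "r2", "cnc-two.example") for t in (310, 365)]
    # a popular domain seen in every window from both resolvers
    + [(b * 60 + 30, r, "popular.example") for b in range(10) for r in ("r1", "r2")]
    + [(490, "r1", "unrelated.example")]
)


def window_sets(records, window=WINDOW_SECONDS):
    """Map each domain to the set of (resolver, time bin) pairs it was queried in."""
    seen = defaultdict(set)
    for ts, resolver, qname in records:
        seen[qname.lower().rstrip(".")].add((resolver, ts // window))
    return seen


def jaccard(a, b):
    """Set overlap in [0, 1]; popular domains score low because their union is large."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def score_against_anchor(sets, anchor):
    """Temporal similarity of every other domain to the anchor domain."""
    return {d: jaccard(sets[anchor], s) for d, s in sets.items() if d != anchor}


def related_domains(records, anchor, threshold=0.5, min_shared=2, window=WINDOW_SECONDS):
    """Domains whose query timing tracks the anchor closely enough to be grouped with it.
    min_shared rejects a single coincidental co-occurrence."""
    sets = window_sets(records, window)
    anchor = anchor.lower().rstrip(".")
    if anchor not in sets:
        return []
    scores = score_against_anchor(sets, anchor)
    out = [(d, s) for d, s in scores.items()
           if s >= threshold and len(sets[anchor] & sets[d]) >= min_shared]
    return sorted(out, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    print(related_domains(RECORDS, "bad-anchor.example"))
```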



Published In

ACM SIGCOMM Computer Communication Review, Volume 43, Issue 4, October 2013, 595 pages. ISSN 0146-4833. DOI: 10.1145/2534169

SIGCOMM '13: Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM, August 2013, 580 pages. ISBN 9781450320566. DOI: 10.1145/2486001

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. dns
2. malicious domain detection
3. measurement
