Yuta Kazato
ABSTRACT
We analyze domain name system (DNS) errors (i.e., ServFail, Refused and NX Domain errors) in DNS traffic captured at an external connection link of an academic network in Japan and attempt to understand the causes of such errors. Because DNS errors that are responses to erroneous queries have a large impact on DNS traffic, we should reduce as many of them as possible. First, we show that ServFail and Refused errors are generated by queries from a small number of local resolvers and authoritative nameservers that do not relate to ordinary users. Second, we demonstrate that NX Domain errors have several query patterns due to mostly anti-virus/anti-spam systems as well as meaningless queries (i.e., mis-configuration). By analyzing erroneous queries leading to NX Domain errors with the proposed heuristic rules to identify the main causes of such errors, we successfully classify them into nine groups that cover approximately 90% of NX Domain errors with a low false positive rate. Furthermore, we find malicious domain names similar to Japanese SNS sites from the results. We discuss the main causes of these DNS errors and how to reduce them from the results of our analysis.
- M. Antonakakis, R. Perdisci, W. Lee, N. Vasiloglou II, and D. Dagon. Detecting Malware Domains at the Upper DNS Hierarchy. In USENIX Security Symposium, page 16, 2011. Google Scholar
Digital Library
- L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. In NDSS, page 17, 2011.Google Scholar
- N. Brownlee, K. Claffy, and E. Nemeth. DNS Root/gTLD performance measurements. USENIX LISA, pages 241--256, 2001.Google Scholar
- S. Castro, D. Wessels, M. Fomenkov, and K. Claffy. A Day at the Root of the Internet. ACM SIGCOMM Computer Communication Review, 38(5):41--46, 2008. Google ScholarDigital Library
- K. Fujiwara, A. Sato, and K. Yoshida. DNS Traffic Analysis: Issues of IPv6 and CDN. In SAINT 2012, pages 129--137, 2012. Google ScholarDigital Library
- H. Gao, V. Yegneswaran, Y. Chen, P. Porras, S. Ghosh, J. Jiang, and H. Duan. An empirical reexamination of global DNS behavior. In SIGCOMM'13, pages 267--278, 2013. Google ScholarDigital Library
- S. Hao, N. Feamster, and R. Pandrangi. Monitoring the initial DNS behavior of malicious domains. In IMC'11, pages 269--278, 2011. Google ScholarDigital Library
- K. Ishibashi and K. Sato. Classifying DNS heavy user traffic by using hierarchical aggregate entropy. In WTC 2012, pages 1--6, 2012.Google Scholar
- N. Jiang, J. Cao, Y. Jin, L. E. Li, and Z.-L. Zhang. Identifying suspicious activities through DNS failure graph analysis. In ICNP 2010, pages 144--153, 2010. Google ScholarDigital Library
- A. Kalafut, M. Gupta, C. Cole, L. Chen, and N. Myers. An empirical study of orphan DNS servers in the internet. In IMC'10, pages 308--314, 2010. Google ScholarDigital Library
- P. Vixie. AS112 project. http://www.as112.net/.Google Scholar
- V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang. Impact of configuration errors on DNS robustness. In SIGCOMM'04, pages 319--330, 2004. Google ScholarDigital Library
- D. Plonka and P. Barford. Context-aware clustering of DNS query traffic. In IMC'08, pages 217--230, 2008. Google ScholarDigital Library
- D. Wessels and M. Fomenkov. Wow, that's a lot of packets. In PAM'03, page 9, 2003.Google Scholar
- S. Yadav, A. Reddy, A. Reddy, and S. Ranjan. Detecting algorithmically generated malicious domain names. In IMC'10, pages 48--61, 2010. Google ScholarDigital Library
- B. Zdrnja, N. Brownlee, and D. Wessels. Passive Monitoring of DNS Anomalies. In DIMVA'07, pages 129--139, 2007. Google ScholarDigital Library
Index Terms
- Towards classification of DNS erroneous queries
Recommendations
Securing DNS: Extending DNS Servers with a DNSSEC Validator
DNS Security Extensions (DNSSEC) is a proposed standard for securely authenticating information in the Domain Name System. DNSSEC validators check the digital signatures on DNS data. However, designing a validator worth the operational costs is a ...
Practical Challenge-Response for DNS
ANRW '18: Proceedings of the Applied Networking Research WorkshopAuthoritative DNS nameservers are vulnerable to being used in denial of service attacks whereby an attacker sends DNS queries while masquerading as a victim---hence coaxing the DNS server to send the responses to the victim. Reflecting off innocent DNS ...
Practical challenge-response for DNS
Authoritative DNS servers are susceptible to being leveraged in denial of service attacks in which the attacker sends DNS queries while masquerading as a victim---and hence causing the DNS server to send the responses to the victim. This reflection off ...
Comments