Exploring Domain Name Based Features on the Effectiveness of DNS Caching

The DNS cache plays a critical role in domain name resolution, providing (1) high scalability at Root and Top-level-domain (TLD) name servers through reduced workloads and (2) low response latency to clients when the resource records of the queried domains are cached. However, the pervasive misuse of domain names, e.g., domains that follow a "one-time-use" pattern, has a negative impact on the effectiveness of DNS caching, because the cache fills with entries that are highly unlikely to be retrieved. In this paper, we investigate such misuse and identify domain name-based features to characterize those one-time domains. By leveraging features that are explicitly available from the domain name itself, we build a classifier that combines these features, propose simple policy modifications on caching resolvers for improving DNS cache performance, and validate their efficacy using real traces.
