Reexamining DNS From a Global Recursive Resolver Perspective

The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as an anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
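As an added illustration (not code from the paper), the following sketch shows how an anchor domain can be expanded into a group using temporal correlation of queries. It assumes a constructed resolver log of (time, client, qname) tuples and uses a symmetric co-occurrence score within a fixed time window as the correlation measure; both the log and the score are our assumptions, not the paper's exact method. The symmetric score is what keeps popular benign domains, which appear near everything, out of the group.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict

# Constructed sample log (unix_time, client, qname); not real traffic.
# Clients c1..c3 query the anchor and two related domains within seconds;
# popular.example is queried by everyone, including the clean client c4.
ANCHOR = "anchor.bad.example"
LOG = [
    (100, "c1", "popular.example"), (101, "c1", ANCHOR),
    (102, "c1", "c2.evil.example"), (103, "c1", "upd.evil.example"),
    (500, "c1", "popular.example"), (900, "c1", "news.example"),
    (200, "c2", ANCHOR), (201, "c2", "popular.example"),
    (203, "c2", "c2.evil.example"), (204, "c2", "upd.evil.example"),
    (800, "c2", "popular.example"),
    (300, "c3", ANCHOR), (302, "c3", "c2.evil.example"),
    (304, "c3", "upd.evil.example"), (700, "c3", "popular.example"),
    (1200, "c3", "popular.example"),
    (150, "c4", "popular.example"), (400, "c4", "news.example"),
    (600, "c4", "popular.example"), (1000, "c4", "popular.example"),
]

def build_index(log):
    """Map (client, qname) -> sorted list of query timestamps."""
    idx = defaultdict(list)
    for t, client, qname in sorted(log):
        idx[(client, qname)].append(t)
    return idx

def cooccur_fraction(idx, src, dst, window):
    """Fraction of src queries where the same client also queried dst within +/- window."""
    hits = total = 0
    for (client, qname), times in idx.items():
        if qname != src:
            continue
        dst_times = idx.get((client, dst), [])
        for t in times:
            total += 1
            if bisect_right(dst_times, t + window) > bisect_left(dst_times, t - window):
                hits += 1
    return hits / total if total else 0.0

def expand_anchor(log, anchor, window=5, threshold=0.8, min_clients=2):
    """Return {domain: score} for domains temporally correlated with the anchor.
    The score is min(P(dst near anchor), P(anchor near dst)): a domain queried by
    everyone all the time scores low in the reverse direction and is dropped."""
    idx = build_index(log)
    group = {}
    for d in {q for _, _, q in log if q != anchor}:
        if len({c for (c, q) in idx if q == d}) < min_clients:
            continue
        score = min(cooccur_fraction(idx, anchor, d, window),
                    cooccur_fraction(idx, d, anchor, window))
        if score >= threshold:
            group[d] = round(score, 3)
    return group
```

On the constructed log, the two `.evil.example` domains score 1.0 and join the group, while `popular.example` is excluded despite co-occurring with two of the three anchor queries.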
