Role Identification of Domain Name Server Using Machine Learning based on DNS Response Features

The Domain Name System (DNS) plays an important role in the Internet by mapping domains to IP addresses. Numerous authoritative name servers and recursive resolvers form the DNS service infrastructure. Accurately identifying the role of a DNS server is of great importance for understanding the DNS infrastructure and performing security analysis. Previous research has proposed some methods for DNS server identification. Most of them are active methods, which bring additional bandwidth and security risks; the passive approach, which uses the DNS message header fields "AA" and "RA", gives unsatisfactory results because of the non-negligible, complex configuration of DNS servers in real networks. This paper proposes a machine learning method to classify the typical role of a DNS server in a passive manner. Classifiers are trained on three categories of features extracted solely from passive DNS response records (with user information removed), and the experimental results show that the proposed method can achieve high accuracy and a low false positive rate.
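The header-flag baseline mentioned above can be sketched as follows. This is an added example, not code from the paper: the decision rule in `ROLE`, the function names and the sample responses (documentation IP addresses, header-only messages) are assumptions constructed for illustration. It shows the failure mode the abstract refers to, where a server that sets both AA and RA cannot be assigned a single role from the flags alone.

```python
import struct
from collections import defaultdict

QR, AA, RA = 0x8000, 0x0400, 0x0080  # RFC 1035 header flag masks

# Assumed baseline rule: (AA ever seen, RA ever seen) -> role
ROLE = {(True, False): "authoritative", (False, True): "recursive",
        (True, True): "ambiguous", (False, False): "unknown"}

def header_flags(msg: bytes):
    """Return (is_response, aa, ra) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags = struct.unpack("!HH", msg[:4])
    return bool(flags & QR), bool(flags & AA), bool(flags & RA)

def classify_by_flags(records):
    """records: iterable of (server_ip, raw_message). Returns {ip: role}."""
    seen = defaultdict(lambda: [False, False])  # [aa_seen, ra_seen]
    for ip, msg in records:
        try:
            is_resp, aa, ra = header_flags(msg)
        except ValueError:
            continue              # skip malformed captures
        if not is_resp:
            continue              # queries carry no server-side signal
        seen[ip][0] |= aa
        seen[ip][1] |= ra
    return {ip: ROLE[tuple(v)] for ip, v in seen.items()}

def _hdr(flags):
    """Constructed sample: 12-byte header only, QDCOUNT=1."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

SAMPLE = [  # constructed passive records, not real traffic
    ("192.0.2.1", _hdr(0x8400)),  # QR+AA
    ("192.0.2.2", _hdr(0x8180)),  # QR+RD+RA
    ("192.0.2.3", _hdr(0x8580)),  # QR+AA+RD+RA: authoritative, recursion on
    ("192.0.2.3", _hdr(0x8180)),  # same server answering recursively
    ("192.0.2.4", _hdr(0x8100)),  # QR+RD only: neither flag set
    ("192.0.2.5", _hdr(0x0100)),  # a query, ignored
    ("192.0.2.6", b"\x00\x01"),   # truncated, ignored
]

if __name__ == "__main__":
    for ip, role in sorted(classify_by_flags(SAMPLE).items()):
        print(ip, role)
```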