The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and to note some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing vantage point. For example, we find that although the characteristics of DNS traffic vary greatly across networks, the resolvers within a single organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as an anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain yields a malware domain group with more than 53 previously unknown malicious domains on average.
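The following is an added illustration of the anchor-domain idea from a defender's perspective; it is not the paper's method or code. The log format, the time-window size, the Jaccard score over (client, window) footprints and the popularity cut-off are all assumptions of this example, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of recursive-resolver query log lines (not the paper's data).
# Assumed format: <unix_ts> <client_ip> <qname>
SAMPLE_LOG = """\
1000 10.0.0.1 anchor-bad.example
1002 10.0.0.1 sibling-a.example
1005 10.0.0.1 popular.example
1100 10.0.0.2 anchor-bad.example
1103 10.0.0.2 sibling-a.example
1110 10.0.0.2 popular.example
1300 10.0.0.3 anchor-bad.example
1301 10.0.0.3 sibling-a.example
1305 10.0.0.3 popular.example
1310 10.0.0.3 sibling-b.example
2000 10.0.0.4 popular.example
2100 10.0.0.5 popular.example
2200 10.0.0.6 popular.example
2300 10.0.0.7 unrelated.example
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def parse_log(text, window=60):
    """Map each qname to the set of (client, time bucket) pairs it was queried in."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ts, client, qname = int(m.group(1)), m.group(2), m.group(3).lower().rstrip(".")
        seen[qname].add((client, ts // window))
    return seen

def related_domains(seen, anchor, min_jaccard=0.5, max_buckets=4):
    """Rank domains by Jaccard overlap of their (client, bucket) footprint with the anchor.
    Domains seen in more than max_buckets distinct windows are dropped: a crude stand-in
    for whitelisting popular domains, which would otherwise co-occur with everything."""
    if anchor not in seen:
        return []
    a = seen[anchor]
    scored = []
    for name, footprint in seen.items():
        if name == anchor or len({b for _, b in footprint}) > max_buckets:
            continue
        score = len(a & footprint) / len(a | footprint)
        if score >= min_jaccard:
            scored.append((name, round(score, 3)))
    return sorted(scored, key=lambda x: (-x[1], x[0]))
```

With the sample log, only sibling-a.example shares the anchor's full footprint; popular.example co-occurs with the anchor in every window but is seen in six windows and is removed by the popularity cut-off, which is the kind of false positive a real deployment has to suppress.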