This paper presents an alternative fingerprinting technique that identifies the DNS software running on caching resolvers from passively collected traffic traces. The method does not require sending additional queries during the measurement, unlike existing techniques that rely on probing and may be ineffective because of firewall filtering or refused responses. We first carefully examine DNS query patterns in an emulation experiment and extract 15 heuristic rules from it to identify typical software (i.e., BIND, Unbound and Windows Server). We then demonstrate the effectiveness of the rules using real backbone traffic traces with ground truth data. The results show 99% accuracy compared to the ground truth. Furthermore, 78% of unknown hosts in the ground truth can be identified.