Jian Qu,Xiaobo Ma,Wenmao Liu

DOI: https://doi.org/10.1016/j.knosys.2023.110279

IF: 8.139

2023-01-01

Knowledge-Based Systems

Abstract:The Domain Name System (DNS) is indispensable for almost all Internet services. It has been extensively studied for applications such as anomaly detection. However, the fundamental question of whether a DNS query from a querent (i.e., an IP address) is triggered by humans or issued by software entities remains unclear. Addressing this question enables us to profile the querent’s behavior from a human-software perspective, facilitating the understanding of “who is DNS serving for?”. In this study, we systematically performed querent-centric DNS modeling. Through in-depth measurements of three real-world DNS datasets of diverse origins, we developed an entropy-based method to distinguish between human and non-human queries and proposed a semi-supervised solution towards a community-level view for detecting and estimating software entities in a network. The solution can not only detect unknown software entities but is also NAT-compatible because it can detect and estimate software entities of multiple hosts NATed behind a single querent. An extensive evaluation demonstrates that our approach provides a new functionality for automatically disclosing the distinction between human and non-human domain names as well as a priori-independent and NAT-compatible functionality of discovering nearly 50% of the software entities and estimating their population using DNS queries.

Jianfeng Li,Xiaobo Ma,Li Guodong,Xiapu Luo,Junjie Zhang,Wei Li,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2018.8486210

2018-01-01

Abstract:Domain Name System (DNS) is one of the pillars of today's Internet. Due to its appealing properties such as low data volume, wide-ranging applications and encryption free, DNS traffic has been extensively utilized for network monitoring. Most existing studies of DNS traffic, however, focus on domain name reputation. Little attention has been paid to understanding and profiling what people are doing from DNS traffic, a fundamental problem in the areas including Internet demographics and network behavior analysis. Consequently, simple questions like “How to determine whether a DNS query for www.google.com means searching or any other behaviors?” cannot be answered by existing studies. In this paper, we take the first step to identify user activities from raw DNS queries. We advance a multiscale hierarchical framework to tackle two practical challenges, i.e., behavior ambiguity and behavior polymorphism. Under this framework, a series of novel methods, such as pattern upward mapping and multi-scale random forest classifier, are proposed to characterize and identify user activities of interest. Evaluation using both synthetic and real-world DNS traces demonstrates the effectiveness of our method.

Xiaobo Ma,Junjie Zhang,Zhenhua Li,Jianfeng Li,Jing Tao,Xiaohong Guan,John C. S. Lui,Don Towsley

DOI: https://doi.org/10.1016/j.jnca.2014.09.016

IF: 7.574

2015-01-01

Journal of Network and Computer Applications

Abstract:As the hidden backbone of today׳s Internet, the Domain Name System (DNS) provides name resolution service for almost every networked application. To exploit the rich DNS query information for traffic engineering or user behavior analysis, both passive capturing and active probing techniques have been proposed in recent years. Despite its full visibility of DNS behaviors, the passive capturing technique suffers from prohibitive management cost and results in tremendous privacy concerns towards its large-scale and collaborative deployment. Comparatively, the active probing technique overcomes these limitations, providing broad-view and privacy-preserving DNS query analysis at the cost of constrained visibility of fine-grained DNS behavior. This paper aims to accurately estimate DNS query characteristics based on DNS cache activities, which can be acquired via active probing on a large scale at negligible management cost and minimized privacy concerns. Specifically, we have made three contributions: (1) we propose a novel solution, which integrates the renewal theory-based DNS caching formulation and the hyper-exponential distribution model. The solution offers great flexibility to model various domains; (2) we perform a large-scale real-world DNS trace measurement, and demonstrate that our solution significantly improves the estimation accuracy; (3) we apply our solution to estimate the malware-infected host population in remote management networks. The experimental results have demonstrated that our solution can achieve high estimation accuracy and outperforms the existing method.

Xiaobo Ma,Jianfeng Li,Jing Tao,Xiaohong Guan

DOI: https://doi.org/10.1109/glocom.2012.6503218

2012-01-01

Abstract:Domain names play an increasingly important role for the botnet activities. Traditionally, DNS traces from several local DNS servers are used passively to measure the DNS query behavior. However, since botnets are a wide-scale threat and usually reside in geographically dispersed networks, the vantage point of several local DNS servers is sometimes too small to help us understand the DNS query behavior (e.g., whether queried or not, average query rate) of botnets. In this paper, we actively measure the DNS query behavior of botnets in geographically dispersed networks via the DNS cache probing technique. We first analytically characterize how multiple domain names are queried by botnets in different networks under certain circumstances. Then, we actively measure real botnet samples in the wild to gain insight into how multiple domain names are queried by botnets in 480 geographically dispersed networks globally, and show that our analytical characterization well describes the DNS query behavior of the botnet samples. The active measurement technique can help to acquire extensive DNS query information in different networks and thus potentially facilitate various DNS-related research and applications.

Hongyu Gao,Vinod Yegneswaran,Jian Jiang,Yan Chen,Phillip Porras,Shalini Ghosh,Haixin Duan

DOI: https://doi.org/10.1109/tnet.2014.2358637

2016-01-01

IEEE/ACM Transactions on Networking

Abstract:The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i. e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.

Deliang Chang,Joann Qiongna Chen,Zhou Li,Xing Li

DOI: https://doi.org/10.1109/eurosp53844.2022.00020

2022-01-01

Abstract:Domain name system (DNS) is the address book of the Internet and domain names are queried before almost every network activity. Since the entities like recursive resolvers can monitor users' DNS queries, privacy concerns such as user tracking arise. Though a number of prior works have looked into this issue, they all focus on the closed-world setting, which means that victim users must be known to the adversary. We argue that it does not reflect the adversary's true capabilities. Moreover, there lacks an effective approach to defend against DNS-based user tracking. In this work, we revisit these issues by investigating the attack surface in both open-world and closed-world settings and studying how to protect users. First, we introduce a new tracking mechanism DSCorr which incorporates domain-based word embedding to capture the fine-grained distance between domain names, and automatic threshold generation for fine-tuning the attack outcome. The evaluation result on a real-world DNS dataset shows DSCorr is able to outperform the existing works by a large margin especially in the open-world setting. On the defense side, we develop a system called LDPResolve, which incorporates a recently proposed differential privacy notion ULDP (Utility-optimized Local Differential Privacy) and a new technique named parallel domain resolving, to provide privacy guarantees without damaging the utility of legitimate applications. The evaluation result on the same dataset shows the DNS-based user tracking can be effectively curbed, e.g., tracking accuracy degraded from 93% to 10.1%.

Baojun Liu,Chaoyi Lu,Haixin Duan,Ying Liu,Zhou Li,Shuang Hao,Min Yang

DOI: https://doi.org/10.1145/3340301.3341122

2018-01-01

Abstract:DNS is a critical service for almost all Internet applications. DNS queries from end users are handled by recursive DNS servers for scalability. For convenience, Internet Service Providers (ISPs) assign recursive servers for their clients automatically when the clients choose the default network settings. On the other hand, users should also have the flexibility to use their preferred recursive servers, like public DNS servers. Since almost all DNS queries are sent in plain-text, it's possible for on-path devices to intercept DNS queries sent to public resolvers, by spoofing the IP addresses of user-specified DNS servers and surreptitiously responding using alternative resolvers instead. The trust relationship between users and public DNS are thus broken by the hidden interception of the DNS resolution path (which we term as DNS interception). The hidden DNS interception can pose users to privacy and security threats, and we aim to shed light on this behavior in this study. It's challenging to observe DNS interception because we need vantages points distributed across the globe. We solved this problem by recruiting clients from a proxy network and popular security software with a large number of real-world users. In this paper, we performed a large-scale analysis on on-path DNS interception and investigate its scope and characteristics. In practice, we designed a novel approach to detecting DNS interception and deployed a global measurement platform. Considering different transport protocols and various recursive servers, we have gained multi-faceted insights. In particular, using traffic from 148,478 residential and cellular IP addresses, we find that 259 of the 3,047 ASes (8.5%) that we inspect exhibit DNS interception behavior, including large providers, such as China Mobile. Particularly, 27.9% DNS/UDP queries from China to Google Public DNS are intercepted. Moreover, we find that alternative resolvers used by interceptors may use outdated software (which should be deprecated before 2009) and lack security-related functionality, such as handling DNSSEC requests. Our work highlights the issues around on-path DNS interception and provides new insights into its countermeasures. Our research provides a first large-scale study on DNS end-to-end violation. Our work delivers evidence of DNS interception and serves as strong motivation of deploying encrypted DNS (e.g., DNS-over-TLS and DNS-over-HTTPS). After being published, our findings are reported by several well-known media, such as ACM Technews, The Register, and Hackread. This paper is based on: Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao, and Min Yang. 2018. Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path. In Proceedings of USENIX Security 2018. USENIX Security Symposium, Baltimore, USA, 16 pages. This work was supported in part by the National Natural Science Foundation of China (U1836213, U1636204) and the BNRist Network and Software Security Research Program (Grant No. BNR2019TD01004).

Jianfeng Lit,Zheng Lin,Xiaobo Mat,Jianhao Lit,Jian Qut,Xiapu Lu,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom52122.2024.10621277

2024-01-01

Abstract:The domain name system (DNS) is indispensable to nearly every Internet service. It has been extensively utilized for network activity characterization in passive and active approaches. Compared to the passive approach, active DNS cache probing is privacy-preserving and low-cost, enabling worldwide characterization of remote network activities in different networks. Unfortunately, existing probing-based methods are too coarse-grained to characterize the time-varying features of network activities, substantially limiting their applications in time-sensitive tasks. In this paper, we advance DNSScope, a fine-grained DNS cache probing framework by tackling three challenges: sample sparsity, observational distortion, and cache entanglement. DNSScope synthesizes statistical learning and self-supervised transfer learning to achieve time-varying characterization. Extensive evaluations demonstrate that it can accurately estimate the time-varying DNS query arrival rates on recursive DNS resolvers. Its average mean absolute error is 0.124, as low as one-sixth that of the baseline methods.

Qingnan Lai,Changling Zhou,Hao Ma,Zhen Wu,Shiyang Chen

DOI: https://doi.org/10.1016/j.neucom.2014.09.099

IF: 6

2015-01-01

Neurocomputing

Abstract:The Domain Name System (DNS) is a critical Internet service, which translates easily memorized domain names to numerical IP addresses for locating computer resources and services. In this paper, we try to explore the behaviors of DNS lookup by mining DNS logs from three primary DNS servers in a large university campus network in China. Our dataset is made up of two parts, namely DNS query logs and messages received or send by DNS servers. Firstly, through analyzing these DNS query logs, we are able to understand the overall trend of users’ surfing. For dealing with huge DNS dataset, we introduce an algorithm we call DNSReduce, which can be used to dig out top 10 client IP addresses and top 10 destination domain names efficiently. Moreover, we make comparative analysis of lookup behavior between wired and wireless users. Secondly, with messages received or send by DNS servers we can find these DNS servers׳behaviors, i.e., TTLs, equivalent answers and are able to accurately identify domain names with dynamic IP addresses. We provide different and specific visualization techniques for presenting these analysis results and show these techniques are very useful for understanding user behaviors, analyzing security events and characterizing overall tendency in campus network management.

Wenfeng Liu,Yu Zhang,Yongyue Li,Binxing Fang

DOI: https://doi.org/10.1109/icc.2019.8761698

2019-01-01

Abstract:The DNS system is gradually becoming the infrastructure of many services and applications. The availability and security of the domain name resolution process must be guaranteed. We propose a graph-based formal model and a general analysis method for quantifying the name resolution process. We define metrics to quantify the availability and security of resolution process for a domain name. We conducted four measurements of the top 1 million popular domains within a one-year period. Our survey shows that for more than 50% of domains, if the most critical authoritative server of the domain name becomes unavailable or compromised, the probability of resolution failure or insecure answer is over 50%.

Minzhao Lyu,Hassan Habibi Gharakheili,Vijay Sivaraman

DOI: https://doi.org/10.1145/3547331

2022-07-08

Abstract:The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.

Cryptography and Security,Networking and Internet Architecture

Yao Wang,Ming-zeng Hu,Bin Li,Bo-ru Yan

DOI: https://doi.org/10.1007/11942634_37

2006-01-01

Abstract:This paper seeks to quantitatively understand the nature of the current threat towards the common name servers. A new tracking technique based on statistical model is proposed to locate the anomalous name servers by analyzing the real-world DNS traffic. After summarizing the attacks towards DNS, the detection method based on associative feature analysis is presented. Experiments are conducted which highlighting both the payload anomaly and the data flow anomaly, and the experimental results reveal the efficiency of our method in detecting the anomalous behaviors of name servers.

Ruming Tang,Cheng Huang,Yanti Zhou,Haoxian Wu,Xianglin Lu,Yongqian Sun,Qi Li,Jinjin Li,Weiyao Huang,Siyuan Sun,Dan Pei

DOI: https://doi.org/10.1007/978-3-030-63095-9_1

2020-01-01

Abstract:DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is one serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D \({^2}\)C\(^2\) (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D \({^2}\)C\(^2\) is an end-to-end framework contains modular detection models including supervised and unsupervised ones, which detect multiple types of threats efficiently and flexibly. We have deployed D \({^2}\)C\(^2\) in a large commercial bank with 100 millions of DNS queries per day. During the deployment, D \({^2}\)C\(^2\) detected over 4k anomalous DNS communications per day, achieving high precision over 0.97 on average. It uncovers a significant number of unnoticed security issues including seven compromised hosts in the enterprise network.

Yong Wang -,Lin Zuo,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Understanding users' online behavior and interests has gained significant attention in recent years. This is mainly due to the availability of large-scale datasets from popular online social networking websites. In this paper, we divert from this 'traditional' avenue and apply a network-based approach in an attempt to reveal users' online behavior. In particular, we use a three-month long DNS-level trace generated by more than 45,000 users of a university access network. To analyze this trace, we design and implement a system capable of automatically tagging user access interests based on the corresponding domain names. We then provide, to the best of our knowledge, the first of its kind insights at such a large scale about the temporal and content-level user access properties common for large groups of users. Copyright © 2011 Binary Information Press.

Chao Li,Yanan Cheng,Zhaoxin Zhang,Zundong Zhang

DOI: https://doi.org/10.1016/j.comnet.2024.110669

IF: 5.493

2024-01-01

Computer Networks

Abstract:The Domain Name System (DNS), as a critical component of Internet infrastructure, is crucial for maintaining network stability and security. However, vulnerabilities in the DNS resolution process make it susceptible to various network attacks. Current DNS resolution anomaly detection methods are challenged by the scarcity of diverse anomalous sample data and the difficulty in accurately capturing such anomalies. To address those challenges, we firstly introduce a proactive anomaly detection method based on bidirectional national censorship behavior, abbreviated as CB-BiDAM. This method can collect diverse anomalous resolution data from multiple network spaces, covering common types of resolution anomalies and effectively solving the problem of sample scarcity. Further, we extract multidimensional features from four key aspects: response content, DNS attributes, resolution paths, and timing, to gain a deeper understanding of the relationship between multifaceted information in the DNS resolution process and anomalous events. Finally, based on these multidimensional features, we construct a DNS resolution anomaly detection model named DRADC, using a stacked ensemble approach. Through a series of comparative experiments, the DRADC model significantly outperforms existing machine learning algorithms in key metrics such as accuracy (97.48%), recall (96.87%), and F1 score (97.09%). Feature ablation experiments further demonstrates that incorporating multidimensional features significantly improves model performance, with a 3% increase in accuracy and a 3.5% increase in precision compared to models relying solely on response content features. By providing an accurate detection model for DNS resolution anomalies, this study aids network administrators in more effectively identifying and countering network attacks. Additionally, our research also contributes to the detection and response to domain censorship mechanisms, which is crucial for maintaining the openness and free flow of the Internet.

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Futai Zou,Siyu Zhang,Li Pang,Linsen Li,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/dsc.2016.96

2016-01-01

Abstract:Domain Name System (DNS) is one of the most crucial components of the Internet. However, due to the vulnerability of DNS, its security has been continuously challenged in recent years. In order to thoroughly understand the root cause of the security risks in the DNS, researches in DNS security are surveyed, and vulnerabilities in DNS and corresponding countermeasures are summarized. First, based on the protocol design and implementation of DNS, weaknesses in DNS fall into 5 categories: cache poisoning, denial of service, software vulnerabilities, information leakage and unauthorized data manipulation. Then, fundamental properties and defense approaches for the 5 categories are analyzed. Next, to improve the Internet name service, new secure DNS architectures are analyzed and compared. And finally, future aspects of research in DNS security are discussed.

Yury Zhauniarovich,Issa Khalil,Ting Yu,Marc Dacier

DOI: https://doi.org/10.1145/3191329

2018-05-22

Abstract:Malicious domains are one of the major resources required for adversaries to run attacks over the Internet. Due to the important role of the Domain Name System (DNS), extensive research has been conducted to identify malicious domains based on their unique behavior reflected in different phases of the life cycle of DNS queries and responses. Existing approaches differ significantly in terms of intuitions, data analysis methods as well as evaluation methodologies. This warrants a thorough systematization of the approaches and a careful review of the advantages and limitations of every group. In this paper, we perform such an analysis. In order to achieve this goal, we present the necessary background knowledge on DNS and malicious activities leveraging DNS. We describe a general framework of malicious domain detection techniques using DNS data. Applying this framework, we categorize existing approaches using several orthogonal viewpoints, namely (1) sources of DNS data and their enrichment, (2) data analysis methods, and (3) evaluation strategies and metrics. In each aspect, we discuss the important challenges that the research community should address in order to fully realize the power of DNS data analysis to fight against attacks leveraging malicious domains.

Cryptography and Security

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

Xianran Liao,Jiacen Xu,Qifan Zhang,Zhou Li

DOI: https://doi.org/10.1109/access.2022.3215753

IF: 3.9

2022-01-01

IEEE Access

Abstract:Domain Name System (DNS) is a fundamental component for today’s Internet communications, enabling the domain-to-IP translations for billions of users and numerous applications. Yet, the operational failures of DNS are not rare and sometimes lead to severe consequences like Internet outages. To gain a better understanding of DNS operational failures, previous works examined large-scale DNS logs (DNS queries and responses between Internet users and DNS servers), but the DNS logs cannot offer a comprehensive view of the failures (e.g., errors at domain registrars) and explain the failures at a finer grain. In this paper, we try to assess DNS operational failures from another data source, the supporting forums built by DNS service providers. Specifically, we mined 4 DNS forums and crawled more than 10000 posts and 50000 replies. With a new analysis framework developed by us, we are able to tag the forum posts by different categories (e.g., general concerns, issue locations, and record types), and gain new insights regarding how and why users encounter DNS failures. In the end, we offer suggestions to DNS service providers and users to mitigate DNS operational issues.

computer science, information systems,telecommunications,engineering, electrical & electronic