Journal: IEEE/ACM Transactions on Networking

Reexamining DNS From a Global Recursive Resolver Perspective


Abstract

The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query–response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as an anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
