
Keyword Search Result

[Keyword] DNS (19 hits)

Showing 1-19 of 19 hits
  • Malicious Domain Detection Based on Decision Tree

    Thin Tharaphe THEIN, Yoshiaki SHIRAISHI, Masakatu MORII

    LETTER
    Publicized: 2023/06/22
    Vol: E106-D No:9
    Page(s): 1490-1494

    Different types of malicious attacks have been increasing simultaneously and have become a serious issue for cybersecurity. Most attacks leverage domain URLs as the attack communication medium and turn users into victims of phishing or spam. We take advantage of machine learning methods to detect the maliciousness of a domain automatically using three kinds of features: DNS-based, lexical, and semantic features. The proposed approach exhibits high performance even with a small training dataset. The experimental results demonstrate that the proposed scheme achieves an approximate accuracy of 0.927 when using a random forest classifier.

  • Characterizing Privacy Leakage in Encrypted DNS Traffic

    Guannan HU, Kensuke FUKUDA

    PAPER-Internet
    Publicized: 2022/08/02
    Vol: E106-B No:2
    Page(s): 156-165

    Increased demand for DNS privacy has driven the creation of several encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). Recently, DoT and DoH have been deployed by some vendors such as Google and Cloudflare. This paper addresses privacy leakage in these three encrypted DNS protocols (especially DoQ) with different DNS recursive resolvers (Google, NextDNS, and Bind) and a DNS proxy (AdGuard). More particularly, we investigate encrypted DNS traffic to determine whether an adversary can infer the category of the websites users visit. Through analyzing packet traces of the three encrypted DNS protocols, we show that the classification performance of the websites (i.e., the user's privacy leakage) is very high in terms of identifying 42 categories of websites, both with public (Google and NextDNS) and local (Bind) resolvers. By comparing the cases with and without a cache at the local resolver, we confirm that the caching effect on identification is negligible. We also show that the discriminative features are mainly related to the inter-arrival time of packets during DNS resolution. Indeed, we confirm that the F1 score decreases substantially when these features are removed. We further investigate two possible countermeasures that could affect the inter-arrival time analysis in the local resolver: an AdBlocker and DNS prefetch. However, neither countermeasure yields a significant improvement in the results. These findings highlight that information leakage is still possible even in encrypted DNS traffic regardless of the underlying protocol (i.e., HTTPS, TLS, QUIC).

  • CLAP: Classification of Android PUAs by Similarity of DNS Queries

    Mitsuhiro HATADA, Tatsuya MORI

    PAPER-Network Security
    Publicized: 2019/11/11
    Vol: E103-D No:2
    Page(s): 265-275

    This work develops a system called CLAP that detects and classifies “potentially unwanted applications” (PUAs) such as adware or remote monitoring tools. Our approach leverages DNS queries made by apps. Using a large sample of Android apps from third-party marketplaces, we first reveal that DNS queries can provide useful information for detection and classification of PUAs. We then show that existing DNS blacklists are limited when performing these tasks. Finally, we demonstrate that the CLAP system performs with high accuracy.

  • Clustering Malicious DNS Queries for Blacklist-Based Detection

    Akihiro SATOH, Yutaka NAKAMURA, Daiki NOBAYASHI, Kazuto SASAI, Gen KITAGATA, Takeshi IKENAGA

    LETTER-Information Network
    Publicized: 2019/04/05
    Vol: E102-D No:7
    Page(s): 1404-1407

    Some of the most serious threats to network security involve malware. One common way to detect malware-infected machines in a network is to monitor communications against blacklists. However, such detection is problematic because (1) no blacklist is completely reliable, and (2) blacklists do not provide sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. In this paper, we propose a malicious DNS query clustering approach for blacklist-based detection. Unlike conventional classification, our cause-based classification can efficiently analyze malware communications, allowing infected machines in the network to be addressed swiftly.

  • Cache Effect of Shared DNS Resolver (Open Access)

    Kazunori FUJIWARA, Akira SATO, Kenichi YOSHIDA

    PAPER-Internet
    Publicized: 2018/12/03
    Vol: E102-B No:6
    Page(s): 1170-1179

    Recent discussions on increasing the efficiency of the Internet's infrastructure have centered on removing the shared Domain Name System (DNS) resolver and using a local resolver instead. In terms of the cache mechanism, this would involve removing the shared cache from the Internet. Although the removal of unnecessary parts tends to simplify the overall system, such a large configuration change needs to be analyzed before its actual removal. This paper presents our analysis of the effect of a shared DNS resolver based on campus network traffic. We found that (1) this removal can be expected to amplify the DNS traffic to the Internet by about 3.9 times, (2) the amplification ratio for the root DNS is much higher (about 6.3 times), and (3) removing all caching systems from the Internet is likely to amplify the DNS traffic by approximately 16.0 times. Thus, the removal of the shared DNS resolver is not a good idea. Our data analysis also revealed that (4) many clients without local caches generate queries repeatedly at short intervals and (5) deploying local caches is an attractive technique for easing DNS overhead because the amount of traffic from such clients is not small.

  • Design and Implementation of SDN-Based Proactive Firewall System in Collaboration with Domain Name Resolution

    Hiroya IKARASHI, Yong JIN, Nariyoshi YAMAI, Naoya KITAGAWA, Kiyohiko OKAYAMA

    PAPER-Network Security
    Publicized: 2018/08/22
    Vol: E101-D No:11
    Page(s): 2633-2643

    Security facilities such as firewall systems and IDS/IPS (Intrusion Detection System/Intrusion Prevention System) have become fundamental solutions against cyber threats. With the rapid change of cyber attack tactics, detailed inspections of incoming traffic such as DPI (Deep Packet Inspection) and SPI (Stateful Packet Inspection) have become necessary, but they also reduce network throughput. In this paper, we propose an SDN (Software Defined Network)-based proactive firewall system that collaborates with domain name resolution to solve this problem. The system consists of two firewall units (lightweight and normal), and the appropriate unit is assigned to inspect the incoming traffic of each client through the collaboration of the SDN controller and the internal authoritative DNS server. The internal authoritative DNS server obtains the client IP address from the external DNS full resolver during the name resolution stage using the EDNS (Extension Mechanisms for DNS) Client Subnet option and notifies the SDN controller of the client IP address. By checking the client IP address against the whitelist and blacklist, the SDN controller assigns the appropriate firewall unit for inspecting the incoming traffic from that client. Consequently, incoming traffic from a trusted client is directed to the lightweight firewall unit, while traffic from other clients is directed to the normal firewall unit. As a result, the incoming traffic can be distributed properly between the firewall units and congestion can be mitigated. We implemented a prototype system and evaluated its performance in a local experimental network. Based on the results, we confirmed that the prototype system provided the expected features and acceptable performance when there was no flooding attack. We also confirmed that the prototype system showed better performance than a conventional firewall system under an ICMP flooding attack.

  • Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

    Hikaru ICHISE, Yong JIN, Katsuyoshi IIDA

    PAPER
    Publicized: 2017/07/05
    Vol: E101-B No:1
    Page(s): 70-79

    There have been several recent reports that botnet communication between bot-infected computers and Command and Control servers (C&C servers) using the Domain Name System (DNS) protocol has been used by many cyber attackers. In particular, botnet communication based on the DNS TXT record type has been observed in several kinds of botnet attack. Unfortunately, the DNS TXT record type has many forms of legitimate usage, such as hostname description. In this paper, in order to detect and block botnet communication based on the DNS TXT record type, we first differentiate between legitimate and suspicious usages of the DNS TXT record type and then analyze real DNS TXT query data obtained from our campus network. We divide DNS queries sent out from an organization into three types — via-resolver, indirect outbound, and direct outbound queries — and analyze the DNS TXT query data for each type separately. We use a 99-day dataset for via-resolver DNS TXT queries and an 87-day dataset for indirect and direct outbound DNS TXT queries. The results of our analysis show that about 30%, 8% and 19% of DNS TXT queries in the via-resolver, indirect outbound and direct outbound categories, respectively, could be identified as suspicious DNS traffic. Based on our analysis, we also consider a comprehensive botnet detection system and have designed a prototype system.

  • A Client Based DNSSEC Validation System with Adaptive Alert Mechanism Considering Minimal Client Timeout

    Yong JIN, Kunitaka KAKOI, Nariyoshi YAMAI, Naoya KITAGAWA, Masahiko TOMOISHI

    PAPER-Internet Security
    Publicized: 2017/05/18
    Vol: E100-D No:8
    Page(s): 1751-1761

    The widespread use of computers and communication networks has had a major effect on people's social activities in terms of intercommunication, and such communication generally begins with domain name resolution, which is mainly provided by DNS (Domain Name System). Meanwhile, continuous cyber threats to DNS, such as cache poisoning, also critically affect computer networks. DNSSEC (DNS Security Extensions) is designed to provide secure name resolution between authoritative zone servers and DNS full resolvers. However, the high workload of DNSSEC validation on DNS full resolvers and the complex key management on authoritative zone servers hinder its wide deployment. Moreover, querying clients use the name resolution results validated on DNS full resolvers, so they only receive errors when DNSSEC validation fails or times out. In addition, name resolution failures can occur on querying clients due to technical and operational issues of DNSSEC. In this paper, we propose a client-based DNSSEC validation system with an adaptive alert mechanism that considers a minimal querying client timeout. The proposed system notifies the user with alert messages together with the answers even when the DNSSEC validation on the client fails or times out, so that the user can decide how to handle the received answers. We also implemented a prototype system and evaluated its features on a local experimental network as well as on the Internet. The contribution of this article is that the proposed system not only mitigates the workload of DNS full resolvers but also provides querying clients with secure name resolution, and by solving the existing operational issues in DNSSEC, it can also promote DNSSEC deployment.

  • Design and Implementation of a Test Program for Benchmarking DNS64 Servers (Open Access)

    Gábor LENCSE, Dániel BAKAI

    POSITION PAPER-Internet
    Publicized: 2016/12/16
    Vol: E100-B No:6
    Page(s): 948-954

    A new Internet Draft on benchmarking methodologies for IPv6 transition technologies, including DNS64, was adopted by the Benchmarking Working Group of the IETF. The aim of our effort is to design and implement a test program that complies with the draft and thus to create the world's first standard DNS64 benchmarking tool. In this paper, we disclose our design considerations and high-level implementation decisions. The precision of our special timing method is tested and found to be excellent. Owing to its careful design, the performance of our test program is also excellent: it can send more than 200,000 AAAA record requests using a single core of a desktop computer with a 3.2GHz Intel Core i5-4570 CPU. Its operation comprises all the functionality required by the draft, including checking the timeliness and validity of the answers of the tested DNS64 server. Our DNS64 benchmarking program, dns64perf++, is distributed as free software under the GNU GPL v2 license for the benefit of the research, benchmarking and networking communities.

  • Identifying DNS Anomalous User by Using Hierarchical Aggregate Entropy

    Keisuke ISHIBASHI, Kazumichi SATO

    PAPER-Internet
    Publicized: 2016/07/12
    Vol: E100-B No:1
    Page(s): 140-147

    We introduce the notion of hierarchical aggregate entropy and apply it to identify DNS client hosts that wastefully consume server resources. The entropy of DNS query traffic can capture client query patterns, e.g., the concentration of queries on a specific domain or their dispersion over a large domain name space. However, entropy alone cannot capture the spatial structure of the traffic. That is, even if queries are dispersed over various domains but concentrate in the same upper domain, the entropy over domain names provides no information about the upper-domain structure, which is an important characteristic of DNS traffic. On the other hand, the entropies of aggregated upper domains carry no detailed information about individual domains. To overcome this difficulty, we introduce the notion of hierarchical aggregate entropy, where queries are recursively aggregated into upper domains along the DNS domain tree and their entropies are calculated at each level. Thus, this method enables us to analyze the spatial characteristics of DNS traffic in a multi-resolution manner. We calculated the hierarchical aggregate entropies for actual DNS heavy-hitters and observed that the entropies of normal heavy-hitters were concentrated in a specific range. On the basis of this observation, we adopt the support vector machine method to identify that range and to classify DNS heavy-hitters as anomalous or normal. It is shown that hierarchical aggregate entropy can halve the classification error compared to non-hierarchical entropies.

  • Analysis of Existing Privacy-Preserving Protocols in Domain Name System

    Fangming ZHAO, Yoshiaki HORI, Kouichi SAKURAI

    INVITED PAPER
    Vol: E93-D No:5
    Page(s): 1031-1043

    In a society preoccupied with the gradual erosion of electronic privacy, the loss of privacy in the current Domain Name System is an important issue worth considering. In this paper, we first review the DNS and some of its security and privacy threats in order to make average users aware of the significance of privacy preservation in DNS protocols. Then, through a careful survey of four existing privacy protection approaches based on noise query generation, we analyze the benefits and limitations of these proposals in terms of both related performance evaluation results and theoretical proofs. Finally, we point out some problems that still remain for the research community's continuing efforts in the future.

  • UDP Large-Payload Capability Detection for DNSSEC

    Kenji RIKITAKE, Koji NAKAO, Shinji SHIMOJO, Hiroki NOGAWA

    PAPER-Network Security
    Vol: E91-D No:5
    Page(s): 1261-1273

    The Domain Name System (DNS) is a major target of network security attacks due to its weak authentication. The security extension DNSSEC has been proposed to introduce public-key authentication, but it is still in the deployment phase. DNSSEC assumes that IP fragmentation is allowed for the exchange of its messages over UDP with large payloads. IP fragments are often blocked by network packet filters for administrative reasons, and such blockage may prevent fast exchange of DNSSEC messages. In this paper, we propose a scheme to detect the UDP large-payload transfer capability between two DNSSEC hosts. The proposed detection scheme does not require new protocol elements in DNS or DNSSEC, so it can be applied solely by modifying the application software and configuration. The scheme allows faster capability detection by probing the end-to-end communication capability between two DNS hosts through the transfer of a large UDP DNS message. The DNS software can then choose the maximum transmission unit (MTU) at the application level using the probed detection results. Implementation test results show that the proposed scheme shortens the detection and transition time on fragment-blocked transports.

  • Federated Domain Name Service Using DNS Metazones

    Paul VIXIE

    PAPER
    Vol: E89-B No:4
    Page(s): 1144-1149

    Authority zones in the Domain Name System must be declared to have one or more authoritative name servers, usually consisting of one primary name server and several secondary name servers. These name servers are expected to synchronize zone data using DNS's zone transfer protocols, but the configuration of these synchronization relationships depends upon out-of-band information and manual processes. This paper describes a way to create name service federations such that a varying set of zones offered by a primary name server can be automatically configured for synchronization by secondary name servers. A sample implementation based on ISC BIND and Perl is described.

  • Preventing Child Neglect in DNSSECbis Using Lookaside Validation (DLV)

    Paul VIXIE

    INVITED PAPER
    Vol: E88-B No:4
    Page(s): 1326-1330

    The DNSSECbis data model has key introduction follow the delegation chain, thus requiring a zone's parent to become secure before a zone itself can be secured. Ultimately this leads to non-deployability since the root zone will probably not be secured any time soon. We describe an early deployment aid for DNSSECbis whereby key introduction can be done via cooperating third parties.

  • Domain Name System: Past, Present and Future

    Shigeya SUZUKI, Motonori NAKAMURA

    INVITED PAPER
    Vol: E88-B No:3
    Page(s): 857-864

    The Domain Name System (DNS) is a key service of the Internet. Without DNS, we cannot use any useful Internet applications. At the beginning of the Internet, email and file transfer applications were provided, and DNS provided a key service to them: resource discovery. Nowadays, a broad range of software makes use of DNS as the basis of its applications. In this paper, we explain the evolution of DNS, how DNS works, and recent activities including operational issues. Then, we describe the EPC network, which makes use of RFID to bridge the real world and the Internet, and how DNS helps to organize the EPC network.

  • A Technique for Constructing Dependable Internet Server Cluster

    Mamoru OHARA, Masayuki ARAI, Satoshi FUKUMOTO, Kazuhiko IWASAKI

    PAPER-Fault Tolerance
    Vol: E86-D No:10
    Page(s): 2198-2208

    An approach is proposed for constructing a dependable server cluster composed only of server nodes with all nodes running the same algorithm. The cluster propagates an IP multicast address as the server address, and clients multicast requests to the cluster. A local proxy running on each client machine enables conventional client software designed for unicasting to communicate with the cluster without having to be modified. Evaluation of a prototype system providing domain name service showed that a cluster using this technique has high dependability with acceptable performance degradation.

  • The Effects of Server Placement and Server Selection for Internet Services

    Ryuji SOMEGAWA, Kenjiro CHO, Yuji SEKIYA, Suguru YAMAGUCHI

    PAPER-CDN
    Vol: E86-B No:2
    Page(s): 542-552

    Many services on the Internet are provided by multiple identical servers in order to improve performance and robustness. The number, location and distribution of servers affect the performance and reliability of a service. Server placement is, however, often determined based on the empirical knowledge of administrators. This paper investigates issues of server placement in terms of service performance and server load. We identify that the server selection mechanism plays an important role in server placement, and thus evaluate different server selection algorithms. The results show that it is essential to the robustness of a service to employ a mechanism that distributes service requests to the servers according to the measured response time of each server. As a case study, we evaluate the server selection mechanisms employed by different DNS (Domain Name System) implementations. We then show the effects of the different server selection algorithms using root-server measurements taken at different locations around the world.

  • Operation of a Root DNS Server

    Akira KATO, Jun MURAI

    INVITED PAPER-Internet Operation
    Vol: E84-B No:8
    Page(s): 2033-2038

    The authors have been in charge of the operation of one of the root DNS servers for more than three years. In this paper, an overview of our system for providing high availability is introduced. In the following sections, a traffic analysis system for analyzing the characteristics of DNS queries is described, together with a brief summary that may help future DNS system deployment.

  • Extension of DNS to the Internationalized Domain Names

    Hongbo SHI, Izuru SATO, Shigeki GOTO

    PAPER
    Vol: E84-D No:5
    Page(s): 588-595

    This paper proposes a new method of realizing internationalized domain names (iDN), which has been discussed at the IETF (Internet Engineering Task Force). iDN allows a user to specify multi-lingual domain names, such as Japanese, Chinese, and Korean. iDN is a proper extension of the current domain name system. We have already developed an iDN implementation, named Global Domain Name System (GDNS). GDNS extends the usage of alias records and gives reverse mapping information for multi-lingual domain names. This paper presents yet another method, which introduces new Resource Record (RR) types to cover multi-lingual domain names. We define two new RR types: the first is INAME and the other is IPTR. These two RR types can cover multi-lingual domain names. This paper also discusses the efficiency of DNS. Since DNS is a distributed database system, its performance depends on the method of retrieving data. This paper suggests a new retrieval method that can improve the performance of DNS remarkably.