Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

Ichise, Hikaru; Jin, Yong; Iida, Katsuyoshi

doi:10.1587/transcom.2017itp0009

Cited by 15 publications

(19 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors of [33], [34] reported that many types of malware communicate through TXT-type queries. Therefore, we considered TXT-type queries in which the domain names matched blacklist entries to be malicious.…”

Section: B Classification Accuracymentioning

confidence: 99%

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

et al. 2019

View full text Add to dashboard Cite

Some of the most serious security threats facing computer networks involve malware. To prevent this threat, administrators need to swiftly remove the infected machines from their networks. One common way to detect infected machines in a network is by monitoring communications based on blacklists. However, detection using this method has the following two problems: no blacklist is completely reliable, and blacklists do not provide sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. Therefore, simply matching communications with blacklist entries is insufficient, and administrators should pursue their detection causes by investigating the communications themselves. In this paper, we propose an approach for classifying malicious DNS queries detected through blacklists by their causes. This approach is motivated by the following observation: a malware communication is divided into several transactions, each of which generates queries related to the malware; thus, surrounding queries that occur before and after a malicious query detected through blacklists help in estimating the cause of the malicious query. Our cause-based classification drastically reduces the number of malicious queries to be investigated because the investigation scope is limited to only representative queries in the classification results. In experiments, we have confirmed that our approach could group 388 malicious queries into 3 clusters, each consisting of queries with a common cause. These results indicate that administrators can briefly pursue all the causes by investigating only representative queries of each cluster, and thereby swiftly address the problem of infected machines in the network.

show abstract

Section: B Classification Accuracymentioning

confidence: 99%

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

et al. 2019

View full text Add to dashboard Cite

show abstract

“…The authors of [14] reported that many types of malware communicate through TXT-type queries. Therefore, we considered TXT-type queries in which the domain names matched blacklist entries to be malicious.…”

Section: Discussionmentioning

confidence: 99%

Clustering Malicious DNS Queries for Blacklist-Based Detection

Satoh

Nakamura

Nobayashi

et al. 2019

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Some of the most serious threats to network security involve malware. One common way to detect malware-infected machines in a network is by monitoring communications based on blacklists. However, such detection is problematic because (1) no blacklist is completely reliable, and (2) blacklists do not provide the sufficient evidence to allow administrators to determine the validity and accuracy of the detection results. In this paper, we propose a malicious DNS query clustering approach for blacklist-based detection. Unlike conventional classification, our causebased classification can efficiently analyze malware communications, allowing infected machines in the network to be addressed swiftly.

show abstract

“…For example, TXT records are used for various forms of email validation and spam prevention, including SPF, DKIM, and DMARC, but DNS TXT records can also be used as a way of finding contacts [4], or to monitor IoT devices [5]. Besides these legitimate use cases, malicious uses include adding large records to create more efficient DNS amplification attacks [6], or creating a command and control channel for malware [7], [8], [9], [10], [11], [12]. Most recently, spam campaigns have started to query DNS TXT records from JavaScript embedded in their HTML payload to dynamically redirect to target URLs [1].…”

Section: Background and Related Workmentioning

confidence: 99%

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records

Toorn

Rijswijk-Deij

Fiebig

et al. 2020

2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

The DNS TXT resource record is the one with the most flexibility for its contents, as it is a largely unstructured. Although it might be the ideal basis for storing any form of text-based information, it also poses a security threat, as TXT records can also be used for malicious and unintended practices. Yet, TXT records are often overlooked in security research. In this paper, we present the first structured study of the uses of TXT records, with a specific focus on security implications. We are able to classify over 99.54% of all TXT records in our dataset, finding security issues including accidentally published private keys and exploit delivery attempts. We also report on our lessons learned during our large-scale, systematic analysis of TXT records.

show abstract

Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

Cited by 15 publications

References 19 publications

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

A Cause-Based Classification Approach for Malicious DNS Queries Detected Through Blacklists

Clustering Malicious DNS Queries for Blacklist-Based Detection

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records

Contact Info

Product

Resources

About