Analysis of via-resolver DNS TXT queries and detection possibility of botnet communications

Ichise, Hikaru; Jin, Yong; Iida, Katsuyoshi

doi:10.1109/pacrim.2015.7334837

Cited by 13 publications

(6 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…3.3, indirect and direct outbound DNS TXT queries are used for botnet communication in various botnets. To detect botnet communication using indirect and direct outbound DNS TXT queries, it is important to distinguish between legitimate and suspicious usages of the † The results described in [1], [2] are different from this paper. This is because the experiment in [1], [2] was performed at Apr.…”

Section: Indirect/direct Outbound Dns Txt Query Analysismentioning

confidence: 83%

Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

Ichise

Jin

Iida

2018

IEICE Trans. Commun.

Self Cite

View full text Add to dashboard Cite

There have been several recent reports that botnet communication between bot-infected computers and Command and Control servers (C&C servers) using the Domain Name System (DNS) protocol has been used by many cyber attackers. In particular, botnet communication based on the DNS TXT record type has been observed in several kinds of botnet attack. Unfortunately, the DNS TXT record type has many forms of legitimate usage, such as hostname description. In this paper, in order to detect and block out botnet communication based on the DNS TXT record type, we first differentiate between legitimate and suspicious usages of the DNS TXT record type and then analyze real DNS TXT query data obtained from our campus network. We divide DNS queries sent out from an organization into three types-via-resolver, and indirect and direct outbound queriesand analyze the DNS TXT query data separately. We use a 99-day dataset for via-resolver DNS TXT queries and an 87-day dataset for indirect and direct outbound DNS TXT queries. The results of our analysis show that about 30%, 8% and 19% of DNS TXT queries in via-resolver, indirect and direct outbound queries, respectively, could be identified as suspicious DNS traffic. Based on our analysis, we also consider a comprehensive botnet detection system and have designed a prototype system.

show abstract

Section: Indirect/direct Outbound Dns Txt Query Analysismentioning

confidence: 83%

Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

Ichise

Jin

Iida

2018

IEICE Trans. Commun.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The C&C Tracer [160] works by using C&C active behaviour feature extracting (CAFE), domain name status querying (DNSQ) and C&C status tracing analyser (CSTA) along with allow lists from multiple external sources such as the Honeypot project and Shadowserver Foundation. An analysis done by Ichise et al [156] to test the feasibility of botnet detection through domain name system (DNS) records. The analysis shows that in the 5.5 million DNS TXT record queries obtained from their campus network, around 2293 queries where classified as "unconfirmed".…”

Section: Domain Name System (Dns) Based Detectionmentioning

confidence: 99%

A Survey on Botnets: Incentives, Evolution, Detection and Current Trends

Stege

El-Habr

et al. 2021

Future Internet

View full text Add to dashboard Cite

Botnets, groups of malware-infected hosts controlled by malicious actors, have gained prominence in an era of pervasive computing and the Internet of Things. Botnets have shown a capacity to perform substantial damage through distributed denial-of-service attacks, information theft, spam and malware propagation. In this paper, a systematic literature review on botnets is presented to the reader in order to obtain an understanding of the incentives, evolution, detection, mitigation and current trends within the field of botnet research in pervasive computing. The literature review focuses particularly on the topic of botnet detection and the proposed solutions to mitigate the threat of botnets in system security. Botnet detection and mitigation mechanisms are categorised and briefly described to allow for an easy overview of the many proposed solutions. The paper also summarises the findings to identify current challenges and trends within research to help identify improvements for further botnet mitigation research.

show abstract

“…As being well-known, the DNS protocol is mainly used for domain name resolution which translates the hostnames to IP addresses in the Internet and vice versus. However, with the increase of Internet services, some minor DNS resource records like TXT records [6], [7] also become widely used nowadays. According to [6], [7] on the use of DNS TXT resource records, some types of bot programs have been identified as using DNS TXT resource records for botnet communication.…”

Section: Introductionmentioning

confidence: 99%

“…However, with the increase of Internet services, some minor DNS resource records like TXT records [6], [7] also become widely used nowadays. According to [6], [7] on the use of DNS TXT resource records, some types of bot programs have been identified as using DNS TXT resource records for botnet communication. In [8], [9], the authors proposed a machine-learning-based detection method of botnet communications using DNS over HTTPS protocol, which is a privacy enhancement of DNS.…”

Section: Introductionmentioning

confidence: 99%

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

2022

Proceedings of 2022 the 12th International Workshop on Computer Science and Engineering

View full text Add to dashboard Cite

Bot-infected computers sending direct outbound DNS queries without obtaining the information of authoritative DNS servers from the DNS full resolvers set up in the internal network have become a critical security issue nowadays. In DNS protocol, the domain name resolution process obtains the information of necessary authoritative DNS name servers (NS records) at the beginning and then achieves the answers of the original DNS queries which is accomplished via the DNS full-service resolvers. However, some types of bot programs violate the DNS protocol process and send the direct outbound DNS queries to its Command and Control (C&C) servers (malicious DNS servers) for bot communication. We have investigated the detection and blocking the direct outbound DNS queries by using MySQL at an early stage. However, the network latency was arising as a critical issue. In this advanced research, we propose a policybased detection and blocking system for abnormal direct outbound DNS queries using DNS Response Policy Zones (DNS RPZ) in order to solve the issues. In this paper, we describe the design of the proposed system and introduce an implemented prototype system. In addition, we also describe the preliminary evaluation results per feature of the proposed system conducted on the prototype, and finally, we introduce the tasks planed for future work.

show abstract

Analysis of via-resolver DNS TXT queries and detection possibility of botnet communications

Cited by 13 publications

References 15 publications

Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

A Survey on Botnets: Incentives, Evolution, Detection and Current Trends

Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ

Contact Info

Product

Resources

About