“…The payload analysis is an evaluation of a DNS query and/or the corresponding DNS response, while the traffic analysis is an evaluation of DNS traffic over a monitoring period (e.g., in terms of time, number of samples, etc.). The features of interest in payload analysis are, for example, unigram or bigram character frequencies of domains or subdomains [4], [5], FQDN length [11], [15], entropy [11], [13], [15], the first 512 bytes of a DNS response [12], and the number of labels [15]. Regarding traffic analysis, the usual features of interest are, for example, the number of flows [6], Jensen-Shannon divergence computed from DNS query payloads [7], access counts of resource records [8], average time interval between a query and its response [9], a combination of Principal Component Analysis (PCA) and mutual information [10], the number of queries per domain [13], and average query length per domain [14].…”