DNS (Domain Name System)-based name resolution is one of the most fundamental Internet services for both Internet users and application service providers. In normal DNS-based domain name resolution, the corresponding NS records must be obtained before a DNS query is sent to the corresponding authoritative DNS servers. In recent years, however, DNS-based botnet communication has been observed in which botnet-related network traffic is transferred inside DNS packets. In particular, some malware has been observed sending DNS queries to C&C servers by IP address directly, without obtaining the corresponding NS records. In this paper, we propose a novel mechanism to detect and block anomalous DNS traffic by analyzing the history of NS records obtained in an organization network. In the proposed mechanism, all DNS traffic of an organization network is captured and analyzed in order to extract the legitimate NS (Name Server) records and the corresponding glue A records (the IP address(es) of a name server), which are stored in a white list database. All outgoing DNS query packets are then checked, and those destined to IP addresses that are not included in the white list are blocked as anomalous DNS traffic. We have implemented a prototype system and evaluated its functionality in an SDN-based experimental network. The results show that the prototype system works as expected and that the proposed mechanism is capable of detecting and blocking some specific types of suspicious DNS traffic.
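The white-list logic described in the abstract, as an added example that is not the paper's prototype code: NS records and their glue A records are learned from captured responses, and outgoing queries are split by destination IP. The record layout, the seed list (pre-trusting a root server before any NS record has been seen) and the sample capture are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class RR:
    name: str    # owner name of the record
    rtype: str   # "NS" or "A"
    rdata: str   # name-server hostname for NS, IPv4 address for A

class NSWhitelist:
    """White list of name-server IPs learned from observed NS + glue A records."""
    def __init__(self, seed_ips=()):
        # Seed entries (e.g. root hints) are an assumption of this example, not the paper's.
        self.ns_hosts = set()
        self.allowed = {ip_address(ip) for ip in seed_ips}

    def learn(self, records):
        # Pass 1: remember every hostname that appears as NS rdata.
        for rr in records:
            if rr.rtype == "NS":
                self.ns_hosts.add(rr.rdata.lower().rstrip("."))
        # Pass 2: only A records whose owner is a known name server count as glue.
        for rr in records:
            if rr.rtype == "A" and rr.name.lower().rstrip(".") in self.ns_hosts:
                self.allowed.add(ip_address(rr.rdata))

    def is_allowed(self, dst_ip):
        return ip_address(dst_ip) in self.allowed

def filter_queries(whitelist, outgoing):
    # Split outgoing (src, dst) DNS queries into allowed and blocked by destination IP.
    allowed, blocked = [], []
    for src, dst in outgoing:
        (allowed if whitelist.is_allowed(dst) else blocked).append((src, dst))
    return allowed, blocked

def run_demo():
    # Constructed capture: a referral for example.com with glue, plus a plain A
    # answer for a web host that is not a name server (documentation addresses).
    captured = [
        RR("example.com.", "NS", "ns1.example.net."),
        RR("ns1.example.net.", "A", "192.0.2.53"),
        RR("www.example.org.", "A", "203.0.113.10"),
    ]
    wl = NSWhitelist(seed_ips=["198.41.0.4"])  # a.root-servers.net, assumed seed
    wl.learn(captured)
    outgoing = [  # constructed (src, dst) pairs seen at the network border
        ("10.0.0.5", "192.0.2.53"),    # glue of a learned NS: allowed
        ("10.0.0.5", "198.41.0.4"),    # seeded root server: allowed
        ("10.0.0.9", "203.0.113.10"),  # A seen, but owner is not an NS: blocked
        ("10.0.0.9", "198.51.100.7"),  # never seen in any NS/glue: blocked
    ]
    return filter_queries(wl, outgoing)
```

The third query is the instructive one: an address is only white-listed when its A record is glue for a hostname that appeared in an NS record, so ordinary answers for web hosts do not widen the list.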