
The Implementation And Application Of Passive DNS System

Posted on: 2016-10-22
Degree: Master
Type: Thesis
Country: China
Candidate: M Hou
Full Text: PDF
GTID: 2298330467992965
Subject: Software engineering

Abstract/Summary:
The Domain Name System (DNS) is one of the most important infrastructures in the Internet; it provides a global mapping service between domain names and IP addresses. Many Internet applications rely on the DNS service, so while the security of the DNS service may affect the running of these applications, their deployment and usage are reflected in DNS resolutions as well. Furthermore, evidence of security events in the Internet may also be discovered from DNS traffic. Clearly, the collection and analysis of DNS resolution data are useful for research on the operation of Internet applications, the security of DNS, and even the whole Internet.

This thesis sets up a passive DNS platform to collect DNS traffic from the backbone network between CERNET and UNICOM. So far, we have chosen the data collected from January 2014 to March 2014 (about 120 GB in size, about 200 million records) for analysis. Specifically, the main contributions of this thesis are as follows:

Firstly, we design and implement a passive DNS platform for a backbone network environment. Based on an investigation of the pros and cons of previous DNS traffic collection systems, we decide to set up a passive DNS system that collects DNS data in the backbone network rather than on DNS resolvers. We collect DNS traffic from the backbone network between CERNET and Unicom and set up a DNS history database called DNSDB. This design makes the collected DNS traffic more diverse and thus makes our analysis and research on Internet applications and DNS security more comprehensive.

Secondly, we carry out extensive statistical and correlation analysis on the DNS traffic in DNSDB, which is useful for understanding the current status of DNS resolution behaviour. On one hand, we perform statistical analysis on some key features of DNS resolutions to extract a global view of the deployment of Internet applications and the operation of DNS. On the other hand, we correlate the collected domain names and study the DNS zone dependency issue from the perspectives of domain delegation and domain aliasing respectively. We also discuss the cause of and mitigation for the zone dependency problem.

Thirdly, we design a DNS anomaly extraction method based on the DNS characteristics of some common attacks and do case studies on several security events. Based on the results of our statistical analysis and the DNS behaviour of some common attacks, we design a method to extract DNS anomalies based on eight features: DNS TTL, response content, the number of requests per second, length of domain name, level of domain name, the number of subdomains, the number of IP addresses for a domain, and the number of domain names for an IP address. We also perform further statistical and forensic analysis on the extracted DNS anomaly traffic from the perspectives of DDoS, DNS hijacking, fast-flux, special usages of DNS, and abnormal responses.
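As an added example (not code from the thesis), the following Python sketch shows how the eight features listed above can be computed from passive DNS records and then fed to two simple rules for the fast-flux and abnormal-response categories; the sample records, field layout, thresholds and rule names are constructed assumptions, and the parent-domain grouping uses the last two labels without a public suffix list.

```python
from collections import Counter, defaultdict

# Constructed records (ts, qname, rcode, answer IP, TTL); the abstract gives no sample data.
RECORDS = [
    (1.0, "www.example.com", "NOERROR", "192.0.2.10", 3600),
    (2.0, "cdn.example.com", "NOERROR", "192.0.2.11", 300),
    (2.0, "ff.bad.test", "NOERROR", "198.51.100.1", 30),
    (2.2, "ff.bad.test", "NOERROR", "198.51.100.2", 30),
    (2.4, "ff.bad.test", "NOERROR", "198.51.100.3", 30),
    (2.6, "ff.bad.test", "NOERROR", "198.51.100.4", 30),
    (2.8, "ff.bad.test", "NOERROR", "198.51.100.5", 30),
    (3.0, "a1.tunnel.test", "NXDOMAIN", "", 0),
    (3.1, "a2.tunnel.test", "NXDOMAIN", "", 0),
]

def parent(qname):
    # Approximation: last two labels, no public-suffix handling.
    return ".".join(qname.split(".")[-2:])

def domain_features(records):
    """Per-qname values for the eight features, plus per-IP fan-out."""
    by_name, ip_names, subs = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, q, rcode, ip, ttl in records:
        by_name[q].append((ts, rcode, ip, ttl))
        subs[parent(q)].add(q)
        if ip:
            ip_names[ip].add(q)
    feats = {}
    for q, rs in by_name.items():
        ttls = [ttl for _, _, ip, ttl in rs if ip]
        per_sec = Counter(int(ts) for ts, *_ in rs)   # whole-second buckets
        feats[q] = {
            "min_ttl": min(ttls) if ttls else None,            # 1. DNS TTL
            "nx_ratio": sum(rc != "NOERROR" for _, rc, _, _ in rs) / len(rs),  # 2. response content
            "peak_qps": max(per_sec.values()),                 # 3. requests per second
            "name_len": len(q),                                # 4. length of domain name
            "levels": q.count(".") + 1,                        # 5. level of domain name
            "n_subdomains": len(subs[parent(q)]),              # 6. subdomains of parent
            "n_ips": len({ip for _, _, ip, _ in rs if ip}),    # 7. IPs per domain
        }
    return feats, {ip: len(n) for ip, n in ip_names.items()}  # 8. domains per IP

def flag_anomalies(feats, low_ttl=60, min_ips=5, max_nx=0.5):
    """Two illustrative rules: fast-flux-like (low TTL, many IPs) and abnormal responses."""
    out = {}
    for q, f in feats.items():
        if f["min_ttl"] is not None and f["min_ttl"] <= low_ttl and f["n_ips"] >= min_ips:
            out[q] = "fast-flux-like"
        elif f["nx_ratio"] > max_nx:
            out[q] = "abnormal-response"
    return out
```

On real DNSDB volumes the thresholds would be derived from the statistical baseline the thesis builds rather than fixed constants.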
Keywords/Search Tags: passive DNS, security measurement, zone dependency, anomaly analysis