DNS tunnels are widely used by attackers to endanger network security. Because most firewalls do not filter DNS traffic, and the campus network gateway does not intercept DNS traffic even when users are not logged in, DNS tunnels are easily used by attackers for harmful purposes such as data exfiltration. Most studies of DNS tunnel detection extract features of the DNS traffic and payload by parsing DNS packets; DNS logs are rarely used as the data source of DNS tunnel detection methods, and the accuracy of current detection results leaves room for improvement. To address these problems, this paper proposes a DNS tunnel detection approach based on cache hit rate and implements a DNS tunnel detection system based on that method. The specific research contents are as follows:

1) This paper proposes a DNS tunnel detection method based on DNS cache hit rate. The cache hit rate feature is extracted from the DNS log by modifying the source code of the DNS server. Experimental results show that the difference in cache hit rate between normal traffic logs and DNS tunnel traffic logs is obvious. The cache hit rate is combined with other features used in previous studies, so that a DNS log is represented as a seven-dimensional feature vector used to train a DNS tunnel detection model with the random forest algorithm. Comparison with other classification algorithms shows that the proposed method achieves better accuracy.

2) Based on the above detection method, this paper designs and implements a DNS tunnel detection system based on cache hit rate. The system consists of four modules: a system configuration module, a data processing module, a tunnel detection module and a system application module. It not only implements the detection algorithm but also provides visual configuration of the DNS server, log data search and display, and system alerting, which helps to safeguard network security. Experimental results show that the system can effectively detect DNS tunnel traffic in the current network environment with timely warning notices, and provides effective security management for network administrators.
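The following is an added example, not code from the thesis or its detection system. It shows the data-processing step the abstract describes: reading a resolver log in which each query is marked as a cache HIT or MISS, grouping queries by client, and turning each client's queries into a seven-dimensional feature vector whose first component is the cache hit rate. The log line format is an assumption (a resolver patched to emit `ts client= qname= qtype= cache=`), the six companion features are assumptions standing in for the "other features used in previous studies" that the abstract does not enumerate, and `flag_low_hit_rate` is a rule-based stand-in for the trained random forest, included only so the separation in hit rate is visible on the constructed sample.

```python
"""Cache-hit-rate feature extraction from DNS resolver logs (added example)."""
import math
import re
from collections import Counter, defaultdict

# Assumed (hypothetical) log line format written by a resolver patched to log
# whether each answer came from its cache.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>[A-Z]+) cache=(?P<cache>HIT|MISS)$"
)

# Constructed sample log: a normal client that repeats a few names (hits after
# the first miss) and a tunnel-like client whose every query is a fresh,
# high-entropy label that the cache can never have seen before.
SAMPLE_LOG = """\
1700000000 client=10.0.0.5 qname=www.example.com qtype=A cache=MISS
1700000001 client=10.0.0.5 qname=www.example.com qtype=A cache=HIT
1700000002 client=10.0.0.5 qname=mail.example.com qtype=A cache=HIT
1700000003 client=10.0.0.5 qname=www.example.com qtype=AAAA cache=HIT
1700000004 client=10.0.0.5 qname=cdn.example.net qtype=A cache=MISS
1700000005 client=10.0.0.5 qname=cdn.example.net qtype=A cache=HIT
1700000000 client=10.0.0.9 qname=a3f9k2q8z1m7.tun.example.org qtype=TXT cache=MISS
1700000000 client=10.0.0.9 qname=b8x2p4w6n0c5.tun.example.org qtype=TXT cache=MISS
1700000001 client=10.0.0.9 qname=c1d7f3h9j5l2.tun.example.org qtype=TXT cache=MISS
1700000001 client=10.0.0.9 qname=d6g0k4m8q2s7.tun.example.org qtype=TXT cache=MISS
1700000002 client=10.0.0.9 qname=e2h5l8p1t4w7.tun.example.org qtype=TXT cache=MISS
1700000002 client=10.0.0.9 qname=f9j3n6r0v1y8.tun.example.org qtype=TXT cache=MISS
this line is malformed and must be skipped
"""

# Cache hit rate first; the other six are assumed companion features.
FEATURE_NAMES = ("cache_hit_rate", "mean_qname_len", "mean_label_entropy",
                 "unique_qname_ratio", "mean_label_count", "rare_qtype_ratio",
                 "queries_per_second")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])
        records.append(rec)
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def feature_vector(records):
    """Seven-dimensional vector for one client's records, hit rate first."""
    n = len(records)
    if n == 0:
        raise ValueError("no records for this client")
    qnames = [r["qname"].rstrip(".").lower() for r in records]
    leftmost = [q.split(".")[0] for q in qnames]  # label a tunnel encodes data in
    span = max(r["ts"] for r in records) - min(r["ts"] for r in records)
    return [
        sum(r["cache"] == "HIT" for r in records) / n,
        sum(len(q) for q in qnames) / n,
        sum(shannon_entropy(lbl) for lbl in leftmost) / n,
        len(set(qnames)) / n,
        sum(q.count(".") + 1 for q in qnames) / n,
        sum(r["qtype"] not in ("A", "AAAA") for r in records) / n,
        n / max(span, 1),  # force a 1 s floor so a same-second burst cannot divide by zero
    ]


def vectors_by_client(text):
    """Group the log by client and return {client: seven-dimensional vector}."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        groups[rec["client"]].append(rec)
    return {client: feature_vector(recs) for client, recs in groups.items()}


def flag_low_hit_rate(vectors, max_hit_rate=0.2, min_unique_ratio=0.9):
    """Rule-based stand-in for the trained model: flag clients whose cache hit
    rate is low AND whose names are almost never repeated. The thesis trains a
    random forest on the full vectors instead of fixed thresholds like these."""
    return sorted(c for c, v in vectors.items()
                  if v[0] <= max_hit_rate and v[3] >= min_unique_ratio)


if __name__ == "__main__":
    vecs = vectors_by_client(SAMPLE_LOG)
    for client, vec in vecs.items():
        print(client, dict(zip(FEATURE_NAMES, (round(x, 3) for x in vec))))
    print("flagged:", flag_low_hit_rate(vecs))
```

On the constructed sample the normal client has a hit rate of 4/6 and repeats half of its names, while the tunnel client has a hit rate of 0 and never repeats a name, which is the contrast the abstract reports. Two practical caveats when applying the feature on real logs: a legitimate client that resolves many first-seen names (for example, a crawler or a freshly booted host) can also show a low hit rate in a short window, which is why the hit rate is combined with the other features rather than thresholded alone, and a tunnel client could try to inflate its hit rate by interleaving repeated benign queries, so the per-client window and the companion features matter as much as the hit rate itself.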