Analyzing Enterprise DNS Traffic to Classify Assets and Track Cyber-Health

by   Minzhao Lyu, et al.

The Domain Name System (DNS) is a critical service that enables domain names to be converted to IP addresses (or vice versa); consequently, it is generally permitted through enterprise security systems (e.g., firewalls) with little restriction. This has exposed organizational networks to DDoS, exfiltration, and reflection attacks, inflicting significant financial and reputational damage. Large organizations with loosely federated IT departments (e.g., Universities and Research Institutes) often do not even fully aware of all their DNS assets and vulnerabilities, let alone the attack surface they expose to the outside world. In this paper, we address the "DNS blind spot" by developing methods to passively analyze live DNS traffic, identify organizational DNS assets, and monitor their health on a continuous basis. Our contributions are threefold. First, we perform a comprehensive analysis of all DNS traffic in two large organizations (a University Campus and a Government Research Institute) for over a month, and identify key behavioral profiles for various asset types such as recursive resolvers, authoritative name servers, and mixed DNS servers. Second, we develop an unsupervised clustering method that classifies enterprise DNS assets using the behavioral attributes identified, and demonstrate that our method successfully classifies over 100 DNS assets across the two organizations. Third, our method continuously tracks various health metrics across the organizational DNS assets and identifies several instances of improper configuration, data exfiltration, DDoS, and reflection attacks. We believe the passive analysis methods in this paper can help enterprises monitor organizational DNS health in an automated and risk-free manner.


page 1

page 6

page 7

page 14


NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities

The Domain Name System (DNS) infrastructure, a most critical system the ...

Monitoring Security of Enterprise Hosts via DNS Data Analysis

Enterprise Networks are growing in scale and complexity, with heterogene...

System Attack Modeling Techniques Critical Information Infrastructure

Every day around the world, various organizations are exposed to more th...

A wrinkle in time: A case study in DNS poisoning

The Domain Name System (DNS) provides a translation between readable dom...

Characterizing the VPN Ecosystem in the Wild

With the shift to working remotely after the COVID-19 pandemic, the use ...

Source Address Validation

Source address validation (SAV) is a standard formalized in RFC 2827 aim...

Mending Wall: On the Implementation of Censorship in India

This paper presents a study of the Internet infrastructure in India from...

Please sign up or login with your details

Forgot password? Click here to reset