Unlocking DNS: Measuring Networks and Detecting Threats with Data
This article explains how DNS data can be leveraged for both network measurement—such as quantifying global DNS hijacking and analyzing NTP pool servers—and security analysis, including threat detection with systems like DNSMon, highlighting the protocol’s growing importance for privacy, performance, and threat intelligence.
1 DNS Overview
DNS is one of the oldest and most fundamental Internet protocols, mapping domain names to IP addresses. Beyond simple mapping, many modern services rely on DNS, making it a complex protocol with thousands of RFC pages.
Because DNS traffic reflects almost all Internet activities, analyzing DNS data can reveal malicious behavior. The article discusses two main uses: network measurement and security analysis.
2 Network Measurement
DNS Hijacking
DNS requests are mostly sent in plaintext over UDP, which makes hijacking common. A joint measurement by Tsinghua University and 360 quantified global DNS hijacking by sending queries for randomized subdomains through public resolvers; it found that 8.5% of autonomous systems experience hijacking, that UDP packets are more vulnerable, that A‑type queries are hijacked at a slightly higher rate, and that the primary motives are likely financial and performance‑related.
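The randomized-subdomain technique works because a fresh label under a zone you control can never be answered from a cache: any response that the authoritative server never saw must have been produced by something in the path. The following is an added example, not the measurement code of the Tsinghua/360 study, showing how such probes can be classified and aggregated per autonomous system and per transport. The zone name `measure.example`, the wildcard address `192.0.2.10`, the probe records and the four labels (`clean`, `intercepted`, `redirected`, `tampered`) are all assumptions constructed for illustration.

```python
"""Classify DNS-hijacking probes from a randomized-subdomain measurement (added example)."""
import random
import string
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed setup: we control the zone measure.example; its authoritative server answers
# every random subdomain with EXPECTED_A (a wildcard record) and logs the qname and the
# source AS of each query it receives.
EXPECTED_A = "192.0.2.10"


def random_subdomain(rng: random.Random, base: str = "measure.example") -> str:
    """Fresh random label, so no cache can answer on the resolver's behalf."""
    label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=12))
    return f"{label}.{base}"


@dataclass(frozen=True)
class Probe:
    resolver_asn: int              # AS of the public resolver the client asked
    qtype: str
    transport: str                 # "udp" or "tcp"
    answer: Optional[str]          # A record the client received, None if none
    seen_by_auth: bool             # authoritative log contains this qname
    auth_source_asn: Optional[int]  # AS the query arrived from at the authoritative


def classify(p: Probe) -> str:
    """Label one probe; any label other than 'clean' counts as hijacked."""
    if not p.seen_by_auth:
        return "intercepted"   # answer fabricated without ever reaching our zone
    if p.auth_source_asn != p.resolver_asn:
        return "redirected"    # query reached us, but from a different resolver/AS
    if p.answer != EXPECTED_A:
        return "tampered"      # reached us from the right place, answer altered
    return "clean"


def rate_by(probes, key) -> dict:
    """Fraction of hijacked probes grouped by key(probe), e.g. transport or qtype."""
    total, bad = Counter(), Counter()
    for p in probes:
        k = key(p)
        total[k] += 1
        if classify(p) != "clean":
            bad[k] += 1
    return {k: bad[k] / total[k] for k in total}


def share_of_asns_with_hijacking(probes) -> float:
    """Share of resolver ASes in which at least one probe was hijacked."""
    rates = rate_by(probes, key=lambda p: p.resolver_asn)
    return sum(1 for r in rates.values() if r > 0) / len(rates)


# Constructed probe set (not real measurement data): four ASes, mixed transports.
SAMPLE_PROBES = [
    Probe(64500, "A", "udp", EXPECTED_A, True, 64500),
    Probe(64500, "A", "tcp", EXPECTED_A, True, 64500),
    Probe(64501, "A", "udp", "198.51.100.7", False, None),   # intercepted
    Probe(64501, "A", "tcp", EXPECTED_A, True, 64501),
    Probe(64502, "A", "udp", EXPECTED_A, True, 64999),        # redirected
    Probe(64502, "A", "udp", "203.0.113.5", True, 64502),     # tampered
    Probe(64503, "A", "udp", EXPECTED_A, True, 64503),
    Probe(64503, "A", "tcp", EXPECTED_A, True, 64503),
]

if __name__ == "__main__":
    print("probe name:", random_subdomain(random.Random(1)))
    print("per-AS rate:", rate_by(SAMPLE_PROBES, key=lambda p: p.resolver_asn))
    print("per-transport rate:", rate_by(SAMPLE_PROBES, key=lambda p: p.transport))
    print("share of ASes with hijacking:", share_of_asns_with_hijacking(SAMPLE_PROBES))
```

In a real measurement the per-AS rate is what the 8.5% figure summarizes, and the per-transport split is what supports the observation that UDP probes are affected more often; both fall out of the same `rate_by` aggregation with a different key.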
Measuring NTP pool usage
Using DNS data, the NTP pool was measured, finding about 4,000 servers (25% IPv6) distributed across 97 countries, with only 2% located in China, mainly in economically developed regions. Subdomains are organized by continent, country/region, and provider; about 3% of requests are invalid due to typos or bugs. Provider‑based request statistics reveal usage patterns.
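Classifying pool requests by zone requires parsing the pool's naming scheme (an optional `0`-`3` rotation prefix, then a continent, country/region or vendor label, then `pool.ntp.org`), and the "invalid" share comes from names that do not fit it. The following is an added example, not code from the article or the NTP pool project: the vendor list is a small assumed subset, the query names are constructed (a search-domain suffix and a stray digit stand in for the "bugs and typos" the article mentions), and the thresholds and categories are my own.

```python
"""Categorize NTP-pool query names from DNS logs (added example)."""
import re
from collections import Counter

CONTINENTS = {"africa", "antarctica", "asia", "europe",
              "north-america", "oceania", "south-america"}
# Assumed: a short subset of vendor zones; the real pool has many more.
VENDORS = {"debian", "ubuntu", "fedora", "centos", "openwrt", "android"}
COUNTRY = re.compile(r"^[a-z]{2}$")      # ISO 3166 two-letter code
ROTATION = {"0", "1", "2", "3"}          # optional leading rotation label


def parse_pool_name(qname: str):
    """Return (category, zone) for one query name.

    category is one of global / continent / country / vendor / invalid.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-3:] != ["pool", "ntp", "org"]:
        return ("invalid", None)        # typo in the suffix, or a search domain appended
    rest = labels[:-3]
    if rest and rest[0] in ROTATION:
        rest = rest[1:]                 # drop "0." .. "3."
    if not rest:
        return ("global", None)         # pool.ntp.org / 0.pool.ntp.org
    if len(rest) != 1:
        return ("invalid", None)        # extra labels the scheme does not allow
    zone = rest[0]
    if zone in CONTINENTS:
        return ("continent", zone)
    if zone in VENDORS:
        return ("vendor", zone)
    if COUNTRY.match(zone):
        return ("country", zone)
    return ("invalid", None)            # e.g. "4.pool.ntp.org" (rotation out of range)


def summarize(qnames):
    """Per-category counts, per-zone request counts, and the invalid fraction."""
    categories, zones = Counter(), Counter()
    for q in qnames:
        cat, zone = parse_pool_name(q)
        categories[cat] += 1
        if zone:
            zones[zone] += 1
    invalid_fraction = categories["invalid"] / len(qnames) if qnames else 0.0
    return {"categories": dict(categories), "zones": dict(zones),
            "invalid_fraction": invalid_fraction}


# Constructed query names (not real log data).
SAMPLE_QNAMES = [
    "0.cn.pool.ntp.org",
    "1.cn.pool.ntp.org",
    "0.debian.pool.ntp.org",
    "2.europe.pool.ntp.org",
    "pool.ntp.org",
    "0.us.pool.ntp.org",
    "0.ubuntu.pool.ntp.org",
    "0.cn.pool.ntp.org.localdomain",   # resolver appended its search domain
    "4.pool.ntp.org",                  # rotation label out of range
    "0.pool.ntp.org.pool.ntp.org",     # suffix doubled by a buggy client
]

if __name__ == "__main__":
    print(summarize(SAMPLE_QNAMES))
```

Grouping the `zones` counter by vendor versus country is the provider-based request statistic the article refers to; feeding it with passive DNS query counts instead of a list of names only changes the input loop.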
Other measurements
Passive DNS (PDNS) enables large‑scale measurements such as CDN size evaluation, black‑gray market assessment, new gTLD usage, domain registration and policy compliance, among others.
3 Security Analysis
DNS security analysis falls into two categories: attacks on the DNS protocol/system (e.g., poisoning, hijacking, pseudo‑random prefix DoS, NXNSAttack) and using DNS data to detect malicious activities (e.g., DNS tunneling, reflection amplification, DGA, Fastflux).
DNSMon – Threat Detection System
360’s DNSMon processes millions of DNS queries per second, correlates multi‑dimensional data, and applies deep‑learning models (word2vec, LSTM) to label malicious domains in near real‑time, automatically generating thousands of black‑ and high‑risk domains daily. Detected threats include mining worms, botnets, ad‑fraud campaigns, and other malicious software.
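DNSMon's deep-learning pipeline is not something a short example can reproduce, but the underlying idea of labelling domains from aggregate DNS data can be shown with simple statistical features. The following is an added example, not DNSMon code and not code from the article: it runs two of the detections listed above (DNS tunneling and DGA activity) over constructed log lines using label length, Shannon entropy and NXDOMAIN counts. The log format, the thresholds, and the rule that the registered domain is the last two labels (no public-suffix list) are assumptions of this example.

```python
"""Heuristic tunneling and DGA detection over DNS log lines (added example)."""
import math
from collections import Counter, defaultdict

# Constructed sample log, one record per line: client qname qtype rcode (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com A NOERROR
10.0.0.5 exmaple.com A NXDOMAIN
10.0.0.9 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.t.exfil-test.example TXT NOERROR
10.0.0.9 q7w8e9r0t1y2u3i4o5p6a7s8d9f0g1h2.t.exfil-test.example TXT NOERROR
10.0.0.9 z1x2c3v4b5n6m7k8j9h0g1f2d3s4a5l6.t.exfil-test.example TXT NOERROR
10.0.0.9 p9o8i7u6y5t4r3e2w1q0m9n8b7v6c5x4.t.exfil-test.example TXT NOERROR
10.0.0.9 l3k4j5h6g7f8d9s0a1z2x3c4v5b6n7m8.t.exfil-test.example TXT NOERROR
10.0.0.12 qzxmbvlrtpwkynhf.com A NXDOMAIN
10.0.0.12 dkwjrpgvxmhnszca.com A NXDOMAIN
10.0.0.12 tmyxqvknbpfhwdlg.com A NXDOMAIN
10.0.0.12 hgbdmnxrkwpvczal.net A NXDOMAIN
10.0.0.12 vpsfkmqtbwxrdhlz.com A NXDOMAIN
10.0.0.12 www.example.com A NOERROR
"""


def parse_log(text):
    """Yield (client, qname, qtype, rcode) tuples from the whitespace-separated log."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qname, qtype, rcode = line.split()
            records.append((client, qname, qtype, rcode))
    return records


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_labels(qname: str):
    return qname.lower().rstrip(".").split(".")


def find_tunnel_domains(records, min_unique=5, min_len=20, min_entropy=3.5):
    """Registered domains whose leftmost labels look like encoded payload.

    Tunnels emit many distinct, long, high-entropy labels under one domain.
    Thresholds are assumed values for this example.
    """
    labels_by_domain = defaultdict(set)
    for _client, qname, _qtype, _rcode in records:
        labels = split_labels(qname)
        if len(labels) <= 2:
            continue                       # no subdomain label to inspect
        labels_by_domain[".".join(labels[-2:])].add(labels[0])
    flagged = {}
    for domain, labs in labels_by_domain.items():
        avg_len = sum(map(len, labs)) / len(labs)
        avg_ent = sum(map(entropy, labs)) / len(labs)
        if len(labs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique_labels": len(labs),
                               "avg_len": avg_len, "avg_entropy": avg_ent}
    return flagged


def find_dga_clients(records, min_domains=5, min_len=10, min_entropy=3.0):
    """Clients receiving NXDOMAIN for many distinct random-looking second-level labels.

    A DGA-driven bot queries many unregistered generated names; a typo
    ("exmaple.com") is short and low-entropy and does not count.
    """
    suspicious = defaultdict(set)
    for client, qname, _qtype, rcode in records:
        if rcode != "NXDOMAIN":
            continue
        labels = split_labels(qname)
        if len(labels) < 2:
            continue
        sld = labels[-2]
        if len(sld) >= min_len and entropy(sld) >= min_entropy:
            suspicious[client].add(".".join(labels[-2:]))
    return {c: len(d) for c, d in suspicious.items() if len(d) >= min_domains}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunnel-like domains:", find_tunnel_domains(recs))
    print("DGA-like clients:", find_dga_clients(recs))
```

Both rules are deliberately simple first-stage filters: in a production pipeline like the one described above they would produce candidates for a model (or an analyst) rather than final verdicts, and the thresholds would be tuned against the site's own baseline of legitimate long-label traffic such as CDN and anti-spam lookups.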
4 Summary
DNS is evolving toward greater privacy and security, and DNS data analysis is increasingly vital for both protocol measurement and threat intelligence. Exploring DNS as a rich data source offers significant opportunities for network measurement and security research.
360 Zhihui Cloud Developer
360 Zhihui Cloud is an enterprise open service platform that aims to "aggregate data value and empower an intelligent future," leveraging 360's extensive product and technology resources to deliver platform services to customers.