
Using DNS for Network Measurement and Security Analysis

This article explains how DNS, the Internet's core naming protocol, can be leveraged for large‑scale network measurement and security analysis, covering DNS hijacking metrics, NTP pool observations, passive DNS techniques, and the DNSMon threat‑detection system with practical insights and references.

360 Smart Cloud

Background – DNS is one of the oldest and most fundamental Internet protocols, providing the mapping between domain names and IP addresses. Over the years, hundreds of RFCs have been published, making the protocol far more complex than most users realize.

Because virtually every Internet service leaves traces in DNS queries and responses, DNS data serves as a rich source for both network measurement and security analysis.

DNS Overview – The number of DNS‑related RFC pages has grown steadily from 1984 to 2019, increasing by roughly 500 pages every four years since 1996, reflecting the protocol’s expanding scope.

DNS Hijacking Measurement – A joint study by Tsinghua University and 360 measured global DNS hijacking by sending randomized sub‑domain queries over UDP to many public DNS servers. Findings include: (1) UDP‑based DNS packets are more prone to hijacking; (2) A‑type (IPv4) requests are slightly more frequent; (3) Approximately 8.5% of autonomous systems (ASes) experience hijacking, including large ISPs; (4) Hijacking appears aimed at reducing financial settlement costs and improving performance.

Tip: DNS Encryption – To mitigate the risks of clear‑text DNS, modern browsers (Firefox, Chrome, 360 Browser) and operating systems (Windows, macOS) now support DoT/DoH, and public DNS providers such as 360 Secure DNS also offer encrypted services.

Measuring NTP Pool with DNS Data – By analyzing DNS queries for the NTP pool, the study discovered about 4,000 servers (75% IPv4, 25% IPv6) spread across 97 countries, with only 2% located in China. Sub‑domain analysis revealed three classification schemes (continent, country/region, provider) and that roughly 3% of domain requests are invalid due to typos or bugs.

Passive DNS (PDNS) – PDNS collects historical DNS records, building a full mapping between domain names and the data they resolved to over time. 360’s PDNS system, launched in 2014, is the largest such dataset in China and enables large‑scale measurements such as CDN size estimation, illicit industry sizing, new gTLD usage, domain registration trends, and policy compliance.

Security Analysis – DNS security analysis can be divided into (a) protocol‑level attacks (e.g., DNS poisoning, hijacking, DoS, NXNSAttack) and (b) data‑driven threat detection (e.g., DNS tunneling, reflection/amplification, DGA, FastFlux). The DNSMon system, developed by 360, detects anomalies in DNS traffic, enriches them with web, certificate, WHOIS, sandbox, and threat‑intel data, and applies deep‑learning models (word2vec, LSTM) to label malicious domains. Its advantages include near‑real‑time processing of millions of queries per second, high automation, and the ability to block threats without prior knowledge.

Other Security Insights – Many attacks (e.g., DGA‑based botnets, fast‑flux networks) can be identified early through DNS data, and correlation of IP/domain indicators across DNS logs enables rapid threat intelligence generation.
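As an added illustration of the data‑driven detection cases described above (example code written for this page, not DNSMon's own, whose internals the article does not describe), the following Python scores constructed passive‑DNS‑style records for two of them: fast‑flux names, which rotate through many A records at short TTLs, and DGA‑like names, which look random and sit in zones where most sibling queries end in NXDOMAIN. The records, the two‑label zone approximation and all thresholds are assumed, illustrative values.

```python
# Added example, not 360's DNSMon code: score passive-DNS-style records for
# fast flux (many distinct A records for one name at short TTLs) and for
# DGA-like names (random-looking labels in a zone with a high NXDOMAIN ratio).
# Records and thresholds below are constructed, illustrative assumptions.
import math
from collections import defaultdict

# Constructed sample log: (qname, rcode, answer IP or None, ttl)
SAMPLE = [
    ("www.example.com", "NOERROR", "93.184.216.34", 3600),
    ("www.example.com", "NOERROR", "93.184.216.34", 3600),
    ("flux.example.net", "NOERROR", "203.0.113.10", 60),
    ("flux.example.net", "NOERROR", "203.0.113.77", 60),
    ("flux.example.net", "NOERROR", "198.51.100.5", 30),
    ("flux.example.net", "NOERROR", "198.51.100.9", 30),
    ("flux.example.net", "NOERROR", "192.0.2.41", 30),
    ("xk3q9vz2ptlm.example.org", "NXDOMAIN", None, 0),
    ("q8wzv7bxk2rp.example.org", "NXDOMAIN", None, 0),
    ("lf9z2xq7mvbn.example.org", "NOERROR", "192.0.2.99", 300),
]

def entropy(label):
    """Shannon entropy of a label in bits per character."""
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def zone(qname):
    """Registered-zone approximation (assumed): the last two labels."""
    return ".".join(qname.split(".")[-2:])

def analyse(records, min_ips=4, max_ttl=120, min_entropy=3.2, min_nx=0.5):
    """Return {qname: label} for names matching the fast-flux or DGA heuristic."""
    ips, ttls = defaultdict(set), defaultdict(list)   # per qname
    nx, total = defaultdict(int), defaultdict(int)    # per zone
    for qname, rcode, ip, ttl in records:
        total[zone(qname)] += 1
        if rcode == "NXDOMAIN":
            nx[zone(qname)] += 1
        elif ip:
            ips[qname].add(ip)
            ttls[qname].append(ttl)
    labels = {}
    for q in {r[0] for r in records}:
        # many distinct answers rotated under a short TTL
        if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl:
            labels[q] = "fast-flux candidate"
        # random-looking leftmost label in a zone that mostly fails to resolve;
        # this also catches the one sibling that did resolve (registered DGA name)
        nx_ratio = nx[zone(q)] / total[zone(q)]
        if entropy(q.split(".")[0]) >= min_entropy and nx_ratio >= min_nx:
            labels[q] = "dga candidate"
    return labels
```

On the sample above, `analyse(SAMPLE)` flags `flux.example.net` as a fast‑flux candidate and all three `example.org` names as DGA candidates, while `www.example.com` is left unlabelled.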

Conclusion – DNS is evolving toward greater privacy and security, and analysis of DNS data is becoming increasingly vital for both network measurement and threat intelligence. The DNS data “treasure trove” offers ample opportunities for future research and practical security applications.


Written by 360 Smart Cloud, the official service account of 360 Smart Cloud, dedicated to building a high‑quality, secure, highly available, convenient, and stable one‑stop cloud service platform.