Information Security

Using DNS for Network Measurement and Security Analysis

This article presents a comprehensive overview of DNS-based network measurement and security analysis, covering DNS fundamentals, hijacking metrics, NTP pool studies, passive DNS applications, and the DNSMon threat‑detection system, highlighting methods, findings, and practical implications for internet security.

360 Tech Engineering

Background – The talk, delivered by senior security analysts from 360 Network Security Research Institute, introduces the history and current state of the DNS protocol and explains how extensive DNS data can be leveraged for large‑scale network measurement and security analysis.

DNS Overview – DNS is a foundational, long-established protocol that maps domain names to IP addresses, but its role extends far beyond simple resolution and influences almost every internet service. The protocol's complexity is evident from the rapid growth of its RFCs, which together exceeded 2,600 pages by 2019.

Network Measurement

1. DNS Hijacking Measurement – By querying randomised sub‑domains of a controlled zone through a range of public DNS resolvers, and recording which source addresses actually reached the authoritative server, a quantitative study of global DNS hijacking was performed. Findings include: UDP‑based DNS queries are intercepted more often than TCP ones; queries for IPv4 addresses are hijacked slightly more often; 8.5% of autonomous systems exhibit hijacking (including large ISPs); and hijacking is often motivated by cost reduction and performance gains rather than by outright malice.

2. Measuring NTP Pool Usage via DNS – DNS data was used to analyse the NTP pool ecosystem. Results show roughly 4,000 NTP servers (75% IPv4, 25% IPv6) distributed across 97 countries, with only 2% located in China, mainly in economically developed regions. Sub‑domain analysis reveals three classification schemes (continent, country/region, provider) and that about 3% of NTP‑related DNS queries are invalid due to typos or bugs.

3. Other Measurements – Passive DNS (PDNS) enables large‑scale analyses such as CDN provider sizing, black‑ and grey‑market assessment, new gTLD usage, domain registration and ICP filing trends, and policy compliance evaluation.
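The classification step behind the hijacking measurement in item 1, as an added illustration that is not code from the talk or from 360: each probe asks a resolver for a fresh random label under a zone we control, and the authoritative server for that zone logs which source addresses asked for it. The resolver addresses, egress mapping, AS numbers and observations below are constructed for the example.

```python
import random
import string

# Constructed: resolver service address -> egress addresses that resolver is known to use.
RESOLVER_EGRESS = {
    "203.0.113.53": {"203.0.113.53", "203.0.113.54"},
    "198.51.100.1": {"198.51.100.1"},
}

def random_label(n: int = 12) -> str:
    # A never-seen label guarantees the query cannot be served from any cache,
    # so someone must contact our authoritative server to answer it honestly.
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))

def classify_probe(resolver: str, answered: bool, seen_from: set[str]) -> str:
    """Classify one probe from the authoritative server's point of view.
    normal              - only the resolver's known egress asked for the label
    direct response     - the client got an answer, but nobody asked our server
    request redirection - only an unknown address asked (query was diverted)
    request replication - resolver egress and an unknown address both asked
    """
    expected = RESOLVER_EGRESS[resolver]
    if not seen_from:
        return "direct response" if answered else "no answer"
    if not (seen_from - expected):
        return "normal"
    return "request replication" if seen_from & expected else "request redirection"

def hijacked(verdict: str) -> bool:
    return verdict in {"direct response", "request redirection", "request replication"}

# Constructed observations: (client AS, resolver queried, answer received?, sources seen).
OBSERVATIONS = [
    ("AS64496", "203.0.113.53", True, {"203.0.113.53"}),
    ("AS64496", "198.51.100.1", True, {"198.51.100.1"}),
    ("AS64497", "203.0.113.53", True, {"192.0.2.10"}),
    ("AS64497", "198.51.100.1", True, set()),
    ("AS64498", "203.0.113.53", True, {"203.0.113.54", "192.0.2.10"}),
    ("AS64499", "198.51.100.1", False, set()),
]

def hijacking_rate_by_as(observations) -> float:
    """Share of client ASes with at least one hijacked probe (the talk reports 8.5% globally)."""
    per_as: dict[str, bool] = {}
    for client_as, resolver, answered, seen_from in observations:
        verdict = classify_probe(resolver, answered, seen_from)
        per_as[client_as] = per_as.get(client_as, False) or hijacked(verdict)
    return sum(per_as.values()) / len(per_as) if per_as else 0.0
```

Running it over the constructed observations flags two of the four ASes, i.e. a 50% rate; a real run would replace the constructed log with records from the authoritative server.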

Security Analysis

DNS‑based security analysis is divided into two categories: (a) direct analysis of DNS protocol and system vulnerabilities (e.g., DNS poisoning, hijacking, DoS attacks, NXNSAttack) and (b) using DNS data to detect security events (e.g., DNS tunnelling, reflection/amplification attacks, DGA, fast‑flux).

The DNSMon system, developed by 360, detects anomalies in DNS traffic in near‑real‑time (millions of QPS), correlates them with web, certificate, WHOIS, sandbox, and honeypot data, and applies deep‑learning models (word2vec, LSTM) to label malicious domains. It can automatically generate thousands of black‑listed or high‑risk domains per day without prior knowledge, and has been used to identify various malware families and illicit activities.

Conclusion – DNS is evolving toward greater privacy and security, and DNS data has become a valuable baseline for both network measurement and threat intelligence. Continuous analysis of DNS traffic offers critical insights into the future of the internet.

References

1. https://powerdns.org/dns-camel/
2. https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-liu_0.pdf
3. https://dns.360.cn/
4. https://en.wikipedia.org/wiki/Fast_flux

Tags: Data Analytics, DNS, threat detection, network measurement, passive DNS, security analysis
Written by

360 Tech Engineering

Official tech channel of 360, building the most professional technology aggregation platform for the brand.
