A Centralized Monitoring Infrastructure for Improving DNS Security

  • Manos Antonakakis
  • David Dagon
  • Xiapu Luo
  • Roberto Perdisci
  • Wenke Lee
  • Justin Bellmor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)


Researchers have recently noted (14; 27) the potential of fast poisoning attacks against DNS servers, which allow attackers to manipulate records in open recursive DNS resolvers with little effort. A vendor-wide upgrade mitigated but did not eliminate this attack. Further, existing DNS protection systems, including bailiwick checking (12) and IDS-style filtering, do not stop this type of DNS poisoning. We therefore propose Anax, a DNS protection system that detects poisoned records in cache.

Our system can observe changes in cached DNS records, and applies machine learning to classify these updates as malicious or benign. We describe our classification features and machine learning model selection process while noting that the proposed approach is easily integrated into existing local network protection systems. To evaluate Anax, we studied cache changes in a geographically diverse set of 300,000 open recursive DNS servers (ORDNSs) over an eight month period. Using hand-verified data as ground truth, evaluation of Anax showed a very low false positive rate (0.6% of all new resource records) and a high detection rate (91.9%).
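The abstract describes Anax as a monitor that observes changes in the records cached by open recursive resolvers and classifies each change. The following is an added illustration of that monitoring step, written for this page; it is not code from the paper, and the three features it computes (replacement before the cached record's TTL could expire, agreement of other resolvers on the new RRset, and whether new addresses fall within a /24 seen for the name before) are constructed stand-ins for the paper's feature set, which is not given on this page. The input is a constructed batch of resolver snapshots using RFC 5737 documentation addresses, and the final rule-based `score` is a placeholder for the machine-learning classifier.

```python
"""Cache-change observer over open recursive DNS resolver (ORDNS) snapshots.

Added example for this page; not the Anax implementation. Features and the
scoring rule are illustrative assumptions, not the paper's.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Observation:
    ts: int                  # time of the probe (seconds, constructed)
    resolver: str            # identifier of the ORDNS that answered
    qname: str               # name that was queried
    rrset: FrozenSet[str]    # A records returned from the resolver's cache
    ttl: int                 # remaining TTL reported with the answer


@dataclass(frozen=True)
class CacheChange:
    ts: int
    resolver: str
    qname: str
    old: FrozenSet[str]
    new: FrozenSet[str]
    premature: bool          # RRset replaced before the previous record's TTL ran out


def detect_changes(observations: List[Observation]) -> List[CacheChange]:
    """Emit one CacheChange for every (resolver, qname) whose cached RRset differs
    between consecutive probes. A new RRset appearing before ts_prev + ttl_prev
    means the cache entry was overwritten rather than refreshed after expiry."""
    by_key: Dict[Tuple[str, str], List[Observation]] = defaultdict(list)
    for o in observations:
        by_key[(o.resolver, o.qname)].append(o)
    changes: List[CacheChange] = []
    for (resolver, qname), obs in by_key.items():
        obs.sort(key=lambda o: o.ts)
        for prev, cur in zip(obs, obs[1:]):
            if cur.rrset == prev.rrset:
                continue
            changes.append(CacheChange(
                ts=cur.ts, resolver=resolver, qname=qname,
                old=prev.rrset, new=cur.rrset,
                premature=cur.ts < prev.ts + prev.ttl))
    changes.sort(key=lambda c: c.ts)
    return changes


def extract_features(change: CacheChange, observations: List[Observation]) -> Dict[str, float]:
    """Illustrative features computed offline over the whole observation batch."""
    # consensus: how many *other* resolvers ever served exactly this new RRset
    others = {o.resolver for o in observations
              if o.qname == change.qname and o.resolver != change.resolver
              and o.rrset == change.new}
    # history: every address any resolver returned for this name before the change
    history = {ip for o in observations
               if o.qname == change.qname and o.ts < change.ts for ip in o.rrset}
    known_prefixes = {ip_network(f"{ip}/24", strict=False) for ip in history}
    added = change.new - change.old
    in_known = sum(1 for ip in added
                   if any(ip_address(ip) in net for net in known_prefixes))
    return {
        "consensus": float(len(others)),
        "premature": float(change.premature),
        "known_prefix_frac": in_known / len(added) if added else 1.0,
    }


def score(features: Dict[str, float]) -> str:
    """Hand-written stand-in for the classifier: flag a record that overwrote a
    live cache entry, that no other resolver corroborates, and that points into
    address space never seen for the name."""
    suspicious = (features["premature"] == 1.0
                  and features["consensus"] == 0.0
                  and features["known_prefix_frac"] == 0.0)
    return "malicious" if suspicious else "benign"


def triage(observations: List[Observation]) -> List[Tuple[CacheChange, str]]:
    return [(c, score(extract_features(c, observations)))
            for c in detect_changes(observations)]


# Constructed snapshots: three resolvers, one name, documentation addresses only.
SAMPLE = [
    Observation(1000, "r1", "www.example.com", frozenset({"192.0.2.10"}), 3600),
    Observation(1000, "r2", "www.example.com", frozenset({"192.0.2.10"}), 3600),
    Observation(1000, "r3", "www.example.com", frozenset({"192.0.2.10"}), 3600),
    # r2's cached answer is replaced 600 s into a 3600 s TTL by an address in an
    # unrelated prefix that no other resolver ever returns
    Observation(1600, "r2", "www.example.com", frozenset({"203.0.113.7"}), 3600),
    # legitimate re-hosting: after their TTLs expire, all resolvers move together
    Observation(5000, "r1", "www.example.com", frozenset({"198.51.100.5"}), 3600),
    Observation(5200, "r3", "www.example.com", frozenset({"198.51.100.5"}), 3600),
    Observation(5300, "r2", "www.example.com", frozenset({"198.51.100.5"}), 3600),
]

if __name__ == "__main__":
    for change, label in triage(SAMPLE):
        print(f"t={change.ts} {change.resolver} {change.qname}: "
              f"{sorted(change.old)} -> {sorted(change.new)} [{label}]")
```

The first change at r2 is the only one that scores malicious; the later move to 198.51.100.5 is seen by all three resolvers, happens after TTL expiry, and so stays benign even for the first resolver to report it. Because `consensus` looks at the whole batch, the example reflects batched, after-the-fact analysis rather than a live stream.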


Keywords: DNS Poisoning; Attack Detection; Local Network Protection




  1. Nessus: The network vulnerability scanner
  2. OzymanDNS: Kaminsky DNS tunnel (2005)
  3. DNS multi vendor patch: CVE-2008-1447 (March 2008)
  4. CERT Advisory. Vulnerability Note VU-23495 - DNS implementations vulnerable to denial-of-service attacks via malformed DNS queries (August 2001)
  5. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a Dynamic Reputation System for DNS. In: Proceedings of the 19th USENIX Security Symposium (August 2010)
  6. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033 - DNS Security Introduction and Requirements
  7. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4034 - Resource Records for the DNS Security Extensions (2005)
  8. Bellis, R., Phifer, L.: Test report: DNSSEC impact on broadband routers and firewalls (2008)
  9. Bernstein, D.J.: Introduction to DNSCurve (2008)
  10. Ccais/RNP (Brazilian Research Network CSIRT) and Vagner Sacramento. Vulnerability in the sending requests control of Bind versions 4 and 8 allows DNS spoofing (November 2002)
  11. Callaway, D.: PorkBind - Recursive multi-threaded nameserver security scanner (2008)
  12. Computer Academic Underground. bailiwicked_domain.rb (2008)
  13. Team Cymru. The Darknet Project (2004)
  14. Dagon, D., Antonakakis, M., Day, K., Luo, X., Lee, C., Lee, W.: Recursive DNS Architectures and Vulnerability Implications. In: Proceedings of the 16th NDSS, San Diego, CA (2009)
  15. Dagon, D., Antonakakis, M., Vixie, P., Jinmei, T., Lee, W.: Increased DNS Forgery Resistance Through 0x20-Bit Encoding. In: Proceedings of the 15th ACM CCS, Alexandria, VA (2008)
  16. Dagon, D., Provos, N., Lee, C., Lee, W.: Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In: Proceedings of the 15th NDSS, San Diego, CA (2008)
  17. DNSstuff. DNS Network Tools: Network Monitoring and DNS Monitoring (2008)
  18. Duda, R., Hart, P., Stork, D.: Pattern Classification, 2nd edn. Wiley-Interscience, Hoboken (2000)
  19. Elz, R., Bush, R.: (July 1997)
  20. The Measurement Factory. DNS Survey: Cache Poisoners (2008)
  21. Gummadi, K., Saroiu, S., Gribble, S.: King: Estimating latency between arbitrary internet end hosts. In: Proceedings of the 2nd ACM SIGCOMM IMW (2002)
  22.
  23. Kaminsky, D.: Black ops 2008: It's the end of the cache as we know it or: "64k should be good enough for anyone" (2008)
  24. Karmasphere. The open reputation network (2006)
  25. Klein, A.: BIND 9 DNS Cache Poisoning (2008)
  26. Osterweil, E., Massey, D., Zhang, L.: Observations from DNSSEC deployment. In: Proceedings of the 3rd NPSec (2007)
  27. Perdisci, R., Antonakakis, M., Luo, X., Lee, W.: WSEC DNS: Protecting Recursive DNS Resolvers from Poisoning Attacks. In: Proceedings of DSN-DCCS, Estoril, Lisbon, July 2 (2009)
  28. The Spamhaus Project. Lasso: The Spamhaus Don't Route Or Peer List (2008)
  29. The Spamhaus Project. PBL: The Policy Block List (2008)
  30. The Spamhaus Project. XBL: Exploits Block List (2008)
  31. WIDE Project. The TOTD ('trick or treat daemon') DNS proxy (January 2006)
  32. Samosseiko, D.: The PARTNERKA - What is it, and why should you care? In: Proceedings of USENIX, Workshop on Hot Topics in Cloud Computing (2009)
  33. Schuba, C.: Addressing weaknesses in the domain name system protocol. Master's thesis, Purdue University (1993)
  34. Ulevitch, D.: Phishtank: Out of the Net into the Tank (2009)
  35. USDJ. Eugene E. Kashpureff pleaded guilty to unleashing malicious software on the internet (July 1997)
  36. Vixie, P.: RFC 2671 - Extension Mechanisms for DNS, EDNS0 (1999)
  37. Vixie, P.: DNS complexity. ACM Queue 5(3) (April 2007)
  38. Wendlandt, D., Andersen, D., Perrig, A.: Perspectives: Improving SSH-style host authentication with multi-path probing. In: Proceedings of the USENIX ATC (June 2008)
  39. Wessels, D.: DNS Cache Poisoners: Lazy, Stupid, or Evil? (2002)
  40. Witten, I., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques. In: Morgan Kaufmann Series in Data Management Systems. Morgan Kaufmann, San Francisco (June 2005)
  41. Yuan, L., Kant, K., Mohapatra, P., Chuah, C.: DoX: A Peer-to-Peer Antidote for DNS Cache Poisoning Attacks. In: ICC 2006 (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Manos Antonakakis (1)
  • David Dagon (1)
  • Xiapu Luo (1)
  • Roberto Perdisci (1)
  • Wenke Lee (1)
  • Justin Bellmor (1)

  1. Georgia Institute of Technology, College of Computing, Atlanta, USA
