Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > publications : papers : 2007 : dns_anomalies
Passive Monitoring of DNS Anomalies
B. Zdrnja, N. Brownlee, and D. Wessels, "Passive Monitoring of DNS Anomalies", in Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA) 2007, Jul 2007, vol. 4579, pp. 129--139.
|   View full paper:    PDF    Related presentation    |  Citation:    BibTeX   |

Passive Monitoring of DNS Anomalies

Bojan Zdrnja 3
Nevil Brownlee 1, 3
Duane Wessels 2

CAIDA,San Diego Supercomputer Center,University of California, San Diego


The Measurement Factory, Inc.


University of Auckland, New Zealand

We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect unusual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam.

Keywords: dns, measurement methodology, passive data analysis
  Last Modified: Fri Oct-30-2015 11:20:25 PDT
  Page URL: