Passive Monitoring of DNS Anomalies
B. Zdrnja, N. Brownlee, and D. Wessels, "Passive Monitoring of DNS Anomalies", in Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), Jul 2007, vol. 4579, pp. 129--139.

Bojan Zdrnja (3), Nevil Brownlee (1, 3), Duane Wessels (2)

(1) CAIDA, San Diego Supercomputer Center, University of California San Diego
(2) The Measurement Factory, Inc.
(3) University of Auckland, New Zealand

We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect unusual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam.

Keywords: dns, measurement methodology, passive data analysis
  Last Modified: Tue Nov-17-2020 04:47:03 UTC