Abstract

The Domain Name System (DNS) is the most widely used protocol for domain name resolution on the Internet. Domain name resolution is necessary for most Internet services and is usually provided by DNS full resolvers. Unfortunately, many reports have indicated that the DNS protocol has also recently been used for botnet communication. Communication between bot-infected computers and Command and Control (C&C) servers is indispensable in botnet attacks, and the DNS traffic involved may not pass through the DNS full resolvers. More importantly, because the DNS protocol is so widely used, it is difficult to simply block DNS traffic from internal computers. Several related works have been published, but they focus only on DNS full resolvers. In this paper, we focus on monitoring direct outbound DNS queries and propose a new botnet communication detection method based on collecting authoritative NS (Name Server) records and their IP addresses. We monitored all DNS traffic in our university for about three months and checked the destination IP addresses of direct outbound DNS queries against a third-party security site to confirm the effectiveness of the proposed method. The results confirmed that about 19% of the IP addresses on average have hits per day, which indicates that our proposed method is effective and that the hit rate is acceptable for detailed investigation in real operation.
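As an added example (not code from the paper), the following Python sketch applies the abstract's idea to constructed sample data: the IP addresses of authoritative name servers are learned from NS records seen in full-resolver traffic, and port-53 flows from internal hosts that bypass the full resolvers and do not go to a learned authoritative server are reported as candidates for the kind of external reputation check the authors describe. The resolver addresses, the internal range and all sample records are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed (constructed) values: the university's full resolvers and internal range.
FULL_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed NS answers observed in full-resolver traffic: "zone NS host ip".
NS_ANSWERS = [
    "example.com. NS ns1.example.net. 198.51.100.10",
    "example.org. NS ns.example.org. 203.0.113.7",
]
# Constructed flow records from the campus border: "src dst dport".
FLOWS = [
    "10.1.2.3 192.0.2.53 53",     # via the full resolver: normal
    "10.1.2.3 198.51.100.10 53",  # direct, but to a learned authoritative NS
    "10.9.8.7 203.0.113.99 53",   # direct to an unknown external server: report
    "10.9.8.7 203.0.113.99 443",  # not DNS
    "10.4.4.4 10.0.0.53 53",      # internal destination, out of scope
]

def learn_authoritative_ns(answer_lines):
    """Allowlist of authoritative NS IPs built from NS records and their addresses."""
    ns_ips = set()
    for line in answer_lines:
        _zone, rtype, _host, ip = line.split()
        if rtype == "NS":
            ns_ips.add(ip_address(ip))
    return ns_ips

def find_direct_outbound_queries(flow_lines, ns_ips):
    """(src, dst) pairs of DNS flows from internal hosts that bypass the full
    resolvers and target an external server not known as an authoritative NS."""
    flagged = []
    for line in flow_lines:
        src, dst, dport = line.split()
        if dport != "53":
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue  # only internal hosts talking to the outside
        if dst in FULL_RESOLVERS or dst_ip in ns_ips:
            continue  # expected resolver path, or a learned authoritative NS
        flagged.append((src, dst))
    return flagged

def candidate_destinations(flagged):
    """Distinct destination IPs (with their internal sources) to check externally."""
    out = {}
    for src, dst in flagged:
        out.setdefault(dst, set()).add(src)
    return out
```

Daily, the size of `candidate_destinations` relative to the number that the external check reports as malicious is the hit rate the abstract refers to.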
