Articles published on Domain Name System
613 Search results
- Research Article
- 10.3390/electronics15030709
- Feb 6, 2026
- Electronics
- Huijuan Dong + 2 more
Domain Name System (DNS) tunneling, a stealthy attack that exploits DNS infrastructure, poses critical threats to dynamic networks and is evolving with emerging attack patterns. This study aims to accurately classify multi-pattern legitimate and malicious traffic and to identify previously unseen attack patterns. We focus on two core research questions: how to accurately classify known-pattern DNS queries and reliably identify unknown-pattern samples. The codified objective is to develop an unsupervised classification approach that integrates multi-pattern adaptation and the recognition of unknown patterns. We formalize the task as Emerging Pattern Classification and propose the Medium Neighbors Forest. It is a forest-based model that uses the “medium neighbor” mechanism and clustering to identify unknown patterns. Experiments verify that the proposed model effectively identifies unseen patterns, offering a new perspective for DNS tunneling detection.
- Research Article
- 10.1038/s41598-026-37631-7
- Feb 4, 2026
- Scientific reports
- David Morozovič + 2 more
The Domain Name System (DNS) plays a critical role in the functioning of the Internet, providing essential resolution services for nearly all user activities. In this work, we examine the hypothesis that individual users exhibit recurrent and distinctive patterns in their DNS query behavior, which can be leveraged to create unique and robust user fingerprints. Building on a publicly available dataset of real DNS traffic collected from a large-scale network, we evaluate the feasibility of user identification solely based on these behavioral DNS traces, independent of IP address stability. We conducted a comparative study of several machine learning models - including Naive Bayes, Random Forests, XGBoost, Multilayer Perceptrons, and Convolutional Neural Networks - on their ability to classify users based on domain category frequencies and derived statistical features. After extensive data preprocessing, dimensionality reduction, and feature selection, our best-performing model (CNN) achieves a classification accuracy of 86.7% across 1727 classes (unique IP addresses). The results confirm the viability of DNS-based user fingerprinting, even in the presence of dynamic IP addresses. Our approach opens new avenues for applications in network forensics and anomaly detection, while also raising important questions about privacy and ethical use of passive traffic analysis.
- Research Article
- 10.52088/ijesty.v5i4.1791
- Dec 28, 2025
- International Journal of Engineering, Science and Information Technology
- Nanda Imanda + 4 more
This study investigates the implementation of an analytical firewall on the Mikrotik Cloud Core Router (CCR) device for network protection against Domain Name System (DNS) and Synchronise Flood (SYN Flood) attacks in the information technology infrastructure of the North Aceh Regency Government. DNS-based attacks and SYN Flood have demonstrated a significant disruptive capacity for the continuity of electronic public services, illustrating the urgency of robust security protocols on government infrastructure. The study implemented a quantitative-experimental approach, with methodological triangulation in empirical data acquisition through controlled attack simulations, firewall log analysis, and semi-structured interviews with technical personnel. Experiments are designed with variations in attack intensity to evaluate system resilience thresholds, while firewall log analysis facilitates the identification of anomalous patterns through detection algorithms. The analytics process applies parametric evaluation to temporal mitigation metrics, packet processing capacity, and operational implications on network performance, complemented by descriptive statistical analysis that explores data distribution and temporal trends. The results indicate the differential effectiveness of the specific firewall configuration against a specific attack typology, with an empirical determination of optimisation parameters for real-time mitigation. This research contributes to the corpus of knowledge regarding the security of government networks through the derivation of protective models that are adaptive to the operational characteristics of public infrastructure. The findings have substantive implications for cybersecurity policy formulation in the administrative context of local governments, with extensive significance for the implementation of network architectures that are resilient to volumetric attacks and protocol exploitation.
- Research Article
- 10.61359/11.2206-2555
- Dec 15, 2025
- International Journal of Advanced Research and Interdisciplinary Scientific Endeavours
- Dr A Ayyasamy
The aim of this paper is to deploy a custom backdoor onto a target machine (Metasploit/Windows) from the source machine (Kali Linux) in a virtual environment (Hypervisor - Windows). For the virtual system, a wired network is used. The overall goal of the project is to deploy malware such as a backdoor on devices connected to the infected network, to showcase the threat posed by such malicious software. This work proposes a framework for the AI-based deployment of effective custom backdoors within a virtualized environment. Local virtualization platforms have been leveraged to create scalable, isolated, and reproducible sandboxes for backdoor research. This is achieved by carrying out an ARP (Address Resolution Protocol) spoofing attack. It is followed by manipulation of the DNS (Domain Name System) server response to redirect the victim to a malicious site or intercept the HTTP (Hyper-Text Transfer Protocol) response to enable downloading of malicious files on the target system. Hence, the trojan downloaded can be of any form, like a key-logger or backdoor. The backdoor will help us get full system access to the target site and we will be able to download and upload files on or from the target machine, thus effectively creating a backdoor.
- Research Article
- 10.58346/jisis.2025.i4.008
- Nov 28, 2025
- Journal of Internet Services and Information Security
- Manvi Chopra + 5 more
The Domain Name System (DNS) constitutes an essential component of Internet infrastructure, serving as a translator of human-readable domain names into machine-readable IP addresses. Although simple in its operation, DNS performance, especially its responsiveness, has a bearing on the user experience, web application performance, and network resilience. This research examines the responsiveness of DNS across several top-level domains (TLDs) including .com, .org, .net, .edu and the newer generic TLDs .tech and .xyz. Using a set of recursive DNS resolvers distributed globally, this research resolves TLDs in parallel over long durations to capture rich datasets. Systematic assessment is performed on response latency due to propounded factors such as TTLs, cache performance, the location of authoritative servers, and the efficiency of anycast routing. The employed techniques of real-time probing, latency aggregation, temporal sampling, and statistical smoothing aid in consistency, mitigating transient network disturbances. A hybrid analytical model of time-series analysis and decision-tree based classification is applied to cluster domains revealing performance profile similarities. The legacy TLDs were observed to outperform newer counterparts, sustaining the argument about the disparity of response times across TLDs; newer TLDs were found to lag due to immature infrastructure and poorly distributed name servers. These findings highlight DNS optimization needs, particularly for emerging TLDs, to improve user experience and site responsiveness. As a practical reference for network architects and domain registrars, the paper provides a scoring framework for assessing the performance of a DNS at the TLD level.
- Research Article
- 10.5152/electrica.2025.25005
- Nov 21, 2025
- ELECTRICA
- Farhad Asgarov + 3 more
Cite this article as: F. Asgarov, F. S. Duran, N. Samadov and Ş. Bahtiyar, “Blockchain based ownership and DNS configuration with ethereum rollups,” Electrica, 25, 0051, doi: 10.5152/electrica.2025.25005.
- Research Article
- 10.3390/s25226884
- Nov 11, 2025
- Sensors (Basel, Switzerland)
- Haisheng Yu + 5 more
The Domain Name System (DNS) is a fundamental component of the Internet, yet its distributed and caching nature makes it susceptible to various attacks, especially cache poisoning. Although the use of random port numbers and transaction IDs has reduced the probability of cache poisoning, recent developments such as DNS Forwarder fragmentation and side-channel attacks have increased the possibility of cache poisoning. To counteract these emerging cache poisoning techniques, this paper proposes the DNS Cache Sensor (DNS-Sensor) system, which operates as a distributed sensor network for DNS security. Like environmental sensors monitoring physical parameters, DNS-Sensor continuously scans DNS cache records, comparing them with authoritative data to detect anomalies with sensor-grade precision. It involves checking whether the DNS cache is consistent with authoritative query results by continuous observation to determine whether cache poisoning has occurred. In the event of cache poisoning, the system switches to a disaster recovery resolution system. To expedite comparison and DNS query speeds and isolate the impact of cache poisoning on the disaster recovery resolution system, this paper uses a local top-level domain authoritative mirror query system. Experimental results demonstrate the accuracy of the DNS-Sensor system in detecting cache poisoning, while the local authoritative mirror query system significantly improves the efficiency of DNS-Sensor. Compared to traditional DNS, the integrated DNS query and DNS-Sensor method and local top-level domain authoritative mirror query system is faster, thus improving DNS performance and security.
- Research Article
- 10.25130/tjps.v30i5.1850
- Oct 25, 2025
- Tikrit Journal of Pure Science
- Alaa Abdul Ridha Abdulqader Karkhi
Domain Name System (DNS) serves as a vital Internet component, which converts friendly domain names into their corresponding computer language IP addresses. Network service availability suffers from several cyber threats in DNS systems because Distributed Denial of Service (DDoS) attacks, spoofing, and cache poisoning expose data to unauthorized access and reduce service availability. The research examines virtualization technology, which serves as a DNS security enhancement solution to increase system resilience capacity. This work implements DNS security enhancements through virtualization elements that include threat isolation with service segmentation as well as automated recovery services with dynamic resource allocation to protect DNS systems against vulnerabilities. The framework demonstrated improvements through real-world deployment with case studies and simulations because it provided 98% improved service accessibility during DDoS attacks and decreased disaster recovery time by 60% at the same time as decreasing operational costs by 30%. The study displays extensive proof demonstrating that virtualization functions as a fundamental delivery method for fault tolerance as well as enables superior protection against preventing complex security threats and scalability features. The research findings demonstrate that DNS component protection together with fast disaster recovery capability receives vital security features from virtualization implementation. Security-conscious organizations plagued by evolving threats should adopt virtualization-based DNS service maintenance because it offers scalable and price-efficient delivery capabilities. Virtualization in DNS demonstrates itself as a strategic forward-thinking approach to create sustainable yet flexible protected online structures.
- Research Article
- 10.3390/sym17101722
- Oct 13, 2025
- Symmetry
- Hung-Yu Chien + 2 more
With the rapid growth of the Internet of Things, efficient resource discovery has become essential for effective resource management. Although Message Queuing Telemetry Transport is one of the most widely adopted IoT communication protocols, it lacks a native resource discovery mechanism or any resource discovery standards. The existing Message Queuing Telemetry Transport resource discovery relies on symmetric full-mesh synchronization, which causes excessive traffic and unacceptable latency as the system scales up: this restricts its use to only small-size deployments. To overcome these limitations, this paper proposes a Hierarchical Message Queuing Telemetry Transport resource discovery and distribution framework, inspired by the hierarchical design of the Domain Name System. By introducing hierarchical asymmetry, the framework reduces communication overhead, enhances scalability, and maintains efficient real-time query performance, as demonstrated by implementation and simulation results.
- Research Article
- 10.56553/popets-2025-0140
- Oct 1, 2025
- Proceedings on Privacy Enhancing Technologies
- Vasilis Ververis + 3 more
DNS is crucial for the Internet, but vulnerable due to plaintext traffic. Despite efforts to standardize Domain Name System (DNS) encryption, its adoption remains limited. Users often lack awareness of privacy risks and the knowledge to enable encryption. To address this, the IETF standardized a new protocol: Discovery of Designated Resolvers (DDR), enabling automatic discovery and upgrade from unencrypted to encrypted DNS traffic. In this study, we present an empirical investigation of the DDR protocol, focusing on its adoption, configuration, and the operational challenges associated with enabling automated transitions to encrypted DNS communication via DNS over Encryption (DoE) protocols. Our results reveal widespread misconfigurations, including incomplete and incorrect DDR configurations that prevent clients from successfully transitioning to encrypted resolvers. In over 99% of observed cases, DDR-compliant clients may fail to upgrade to DoE due to these deployment issues, underscoring the limitations of DDR in the wild. Additionally, we note a severe resolver consolidation induced by current DDR deployments, as >97% of DDR-enabled resolvers delegate to major DNS cloud providers, raising concerns about privacy and governance.
- Research Article
- 10.32620/reks.2025.3.18
- Sep 10, 2025
- Radioelectronic and Computer Systems
- Ivan Byzov + 1 more
This research presents an automated server infrastructure management system integrating Python, Terraform, Ansible, MySQL, and the DigitalOcean API for dynamic DNS management, tailored for educational environments requiring rapid provisioning of uniform server configurations. It automates server deployment on the Hetzner platform, configuration standardization, and horizontal and vertical scaling. Objective: to develop a scalable, automated infrastructure management system that can adapt to dynamic educational and operational requirements. Methodology: Python scripts have been utilized to generate Terraform configurations, thereby facilitating the creation of servers within the Hetzner cloud provider. The script employs the DigitalOcean API to automate Domain Name System (DNS) records, while Ansible is employed to ensure consistent server configurations. MySQL plays a pivotal role in providing real-time infrastructure monitoring and scaling. Scientific Novelty: The proposed system represents a significant advance in the field of scientific innovation by addressing the critical issue of infrastructure as code (IaC) optimization. It achieves this advancement by employing a formal M/G/c queue model, a methodical approach that has been empirically validated through analytical and experimental analyses. The efficacy of this model is evident in its ability to reduce deployment time by 50% compared to conventional IaC tools such as Puppet, Chef, and Ansible. Furthermore, its superior performance is pronounced, with a 90% reduction in deployment time when compared to manual methods. Results: The results of the experiment show that when using the Terraform infrastructure management tool, the deployment time of computing nodes remains unchanged regardless of their number. Specifically, deploying both two and five servers on the Hetzner platform takes an average of 270 seconds. This indicates a high degree of process parallelism and the scalability of the solution at this stage of infrastructure initialization. The configuration process is completed in 30-40 seconds. These results indicate a 90% reduction in configuration errors and an 80% reduction in costs for deploying 100 servers per month for laboratory or test tasks. The script allows for the execution of server templates only when necessary, for example, during laboratory sessions. The startup time is 4 minutes and 30 seconds, which enables the rapid provision of a working number of servers, sites, or applications for training. Conclusions: The system has been shown to enhance deployment efficiency, reduce operating costs, and broaden the range of possible applications in education, scientific research, and business. Future Research: Planned enhancements include multi-cloud integration (AWS, Google Cloud) for improved resilience, Kubernetes orchestration for containerized workloads, a web-based management interface to enhance usability, and machine learning-based predictive analytics for optimized resource scaling. These upgrades will expand the system's flexibility and applicability.
- Research Article
- 10.1016/j.dsm.2024.10.005
- Sep 1, 2025
- Data Science and Management
- Emmanuel Oluwatobi Asani + 7 more
L2R-MLP: A Multilabel Classification Scheme for the Detection of DNS Tunneling
- Research Article
- 10.47852/bonviewaia52025552
- Aug 13, 2025
- Artificial Intelligence and Applications
- Ravi Veerabhadrappa + 1 more
Cybersecurity threats and attacks are increasing day by day, bringing real focus on Domain Name System (DNS)–based data exfiltration—a stealth technique used by attackers to steal sensitive information from compromised networks. DNS query exchange is the initial part of any data exchange in the Internet and is the most neglected in traditional monitoring systems. These enable attackers to create covert channels to carry out various advanced persistent threats and unauthorized exfiltration attempts. In this research study, we present a novel detection approach of these DNS patterns through low-dimensional latent representations extracted via a Tabular-Variational AutoEncoder (Tab-VAE), specifically tailored for DNS-over-HTTPS (DoH) traffic. The latent space obtained by the Tab-VAE is subsequently fed into a multi-head self-attention classifier to perform a multi-class classification. We evaluated our experiments using the BCCC-CIC-Bell-DNS-2024 dataset, which provides a realistic snapshot of DoH traffic patterns. Notably, the proposed model demonstrated robust generalization across varying batch sizes and achieved competitive performance metrics with an improved accuracy of 80% and precision score of 75% for a batch size of 128. These findings highlight the potential of advanced machine learning architectures in reinforcing cybersecurity posture. By integrating such techniques, organizations can improve the detection of covert DNS-based attacks and better protect sensitive assets against emerging threats.
Received: 28 February 2025 | Revised: 4 July 2025 | Accepted: 22 July 2025
Conflicts of Interest: The authors declare that they have no conflicts of interest to this work.
Data Availability Statement: The data supporting the findings of this study are openly available in Behaviour-Centric Cybersecurity Center (BCCC) at https://www.yorku.ca/research/bccc/ucs-technical/cybersecurity-datasets-cds/.
Author Contribution Statement: Ravi Veerabhadrappa: Conceptualization, Methodology, Software, Formal analysis, Investigation, Resources, Data curation, Writing – original draft, Visualization, Project administration. Poornima Athikatte Sampigerayappa: Validation, Writing – review & editing, Supervision, Project administration.
- Research Article
- 10.3390/network5030029
- Aug 8, 2025
- Network
- Gabriele Merlach + 2 more
The Encrypted Client Hello (ECH) extension to Transport Layer Security (TLS) and the new type of Domain Name System (DNS) records called HTTPS represent the latest efforts to improve user privacy by encrypting the server’s domain name during the TLS handshake. While prior studies have assessed ECH adoption from the server perspective, little is known about its usage in the wild from a passive network standpoint. In this paper, we present the first passive analysis of ECH and HTTPS DNS adoption using a month-long dataset collected from an operational network. We find that HTTPS DNS queries already make up approximately 8% of total DNS traffic, although responses to those queries are often incomplete, leading to increased query volume. Furthermore, 59% of QUIC flows include ECH, although only a negligible fraction is directed to servers supporting it. The remaining ECH flows are composed of GREASE values, intended to prevent protocol ossification. Our findings provide new insights into the current state and challenges in deploying privacy-enhancing protocols at scale.
- Research Article
- 10.1002/itl2.70101
- Jul 29, 2025
- Internet Technology Letters
- H G Mohan + 2 more
Botnets remain one of the most significant threats in Internet security, performing large-scale attacks such as distributed denial of service (DDoS), data exfiltration, and financial fraud. Detecting botnet activity at the host level is crucial for early mitigation, particularly by analyzing anomalies in domain name system (DNS) query sequences. This study proposes a deep learning-based DNS sequence analysis that leverages Bidirectional Gated Recurrent Units (BiGRU) to identify deviations in DNS query behavior indicative of botnet activity. The model learns temporal patterns in DNS sequences, distinguishing legitimate traffic from botnet-generated queries by capturing contextual dependencies over time. The proposed approach is trained and evaluated on the UNSW-NB15 dataset. The performance assessment of the proposed model demonstrates its effectiveness in detecting botnets with an accuracy of 99.22%. The comparative analysis with the existing approaches highlights the improvements in detection accuracy with a low misclassification rate.
- Research Article
- 10.15407/ugz2025.02.104
- Jul 16, 2025
- Ukrainian Geographical Journal
- V O Bobyr
This study aims to enhance the theoretical and methodological foundations for researching territorial identity within the context of the digital transformation of social space. Using Kyiv as a case study, the research substantiates the use of Domain Name System (DNS) data and search queries to investigate territorial identity and its manifestations in the online environment. The study focuses on identifying spatial representations, particularly through the use of identity markers. A methodology for applying the Domain Name System and Internet search queries to the study of territorial identity is proposed, with a rationale for its stages. The scientific novelty lies in the development and systematization of search query categories for identifying identity markers, including those specific to Kyiv. The research results emphasize the significance of cyberspace as a legitimate environment for exploring territorial identity.
- Research Article
- 10.47709/brilliance.v5i1.5962
- Jul 5, 2025
- Brilliance: Research of Artificial Intelligence
- Arie Budiansyah + 3 more
This study investigates the detection of Domain Name System over HTTPS (DoH) spoofing attacks utilizing the CIRA-CIC-DoHBrw-2020 dataset, which encompasses over 100,000 labeled DNS records categorized as either normal or malicious. Features such as packet timing, packet size, and TLS parameters are utilized for detection purposes. A systematic feature selection process is conducted utilizing the Elbow and Kneedle methods based on F-Score values derived from a built-in model evaluation. This method ensures that the top features are selected objectively and quantitatively, thereby enhancing the robustness of the model. The model is trained using the five most significant features, yielding exceptional performance metrics: a training time of just 0.5727 seconds, an inference time of 0.0157 seconds, and an inference latency of 0.0035 milliseconds per sample. Moreover, the model delivers an outstanding accuracy of 0.9995, an F1-Score of 0.9995, and an AUC-ROC of 1.0000, reflecting near-perfect detection capabilities. The classification report reveals a balanced distribution of precision, recall, and F1-Scores of 1.00 across both normal and malicious classes, based on a test sample of 14,974 entries. The Elbow plot visually confirms the optimal number of features utilized, while the SHAP beeswarm plot provides insights into how each selected feature contributes to the model’s predictions, facilitating interpretability. Additionally, the confusion matrix corroborates the model's reliability, showcasing that nearly all samples were accurately classified. The results demonstrate that the proposed methodology significantly enhances the effectiveness of DNS spoofing detection, offering a promising avenue for securing DNS over HTTPS communications.
- Research Article
- 10.1038/s41598-025-99420-y
- Jul 3, 2025
- Scientific Reports
- Fatimah Alhayan + 7 more
Malicious domains are one of the main resources mandatory for adversaries to run attacks over the Internet. Owing to the significant part of the domain name system (DNS), detailed research has been performed to detect malicious fields according to their unique behaviour, which is considered in dissimilar stages of the DNS life cycle queries and explanations. The DNS has played a crucial role in the evolution of the Internet. Its primary objective is to simplify user experience by converting a website's Internet Protocol (IP) address into a recognizable domain name and vice versa. Identifying these adverse fields is meaningful in contesting increased network attacks. Artificial intelligence (AI) is applied to develop the areas of malicious domain recognition and hindrance by the probability to improve robust, efficient, and scalable malware detection units. AI methods have expressed significant results in malicious domain detection. This manuscript presents an Enhance Malicious Domain Detection Using an Attention-Based Deep Learning Model with Optimization Algorithms (EMDD-ADLMOA) technique. The proposed EMDD-ADLMOA technique relies on improving malicious domain detection in cybersecurity. Initially, the min–max scaling method is utilized in the pre-processing phase to convert input data into an appropriate design. For feature selection (FS), the proposed EMDD-ADLMOA technique utilizes the quantum-inspired firefly algorithm (QIFA) model. Furthermore, the hybrid model of a temporal convolutional network and bi-directional long short-term memory with squeeze-and-excitation Attention (TCN-BiLSTM-SEA) model is employed for the classification process. Finally, the parrot optimization (PO) model optimally fine-tunes the hyperparameter values of the TCN-BiLSTM-SEA model. The performance results of the EMDD-ADLMOA approach are verified under a malicious dataset. The experimental validation of the EMDD-ADLMOA approach portrayed a superior accuracy value of 98.52% over existing techniques.
- Research Article
- 10.3390/app15137422
- Jul 2, 2025
- Applied Sciences
- Linkai Zhu + 3 more
The Domain Name System (DNS) is a key part of the Internet, and it is used for global domain name resolution. However, it has security risks due to its centralized or semi-centralized design and reliance on a few root servers. To improve DNS security and long-term stability, this study proposes the consensus roots system, a blockchain-based distributed domain architecture. The system uses a 1 + N master-subchain structure to solve the problem of trust and data synchronization across blockchains. The master chain acts as a relay and uses Hyperledger Fabric, a consortium blockchain platform, to support semi-centralized cross-chain communication. Subchains are local blockchains that need to connect with the master chain. To ensure safe and reliable transactions, the system uses a staged-proposal atomic swap method on the master chain. Compared to prior approaches, this work introduces a cross-chain architecture that enables more efficient trust synchronization, reducing latency and improving scalability without compromising security.
- Research Article
- 10.17770/etr2025vol2.8582
- Jun 8, 2025
- ENVIRONMENT. TECHNOLOGY. RESOURCES. Proceedings of the International Scientific and Practical Conference
- Georgi Markov + 1 more
With the increasing number of cyber threats and the growing complexity of attacks on network infrastructures, the need for effective methods to detect malicious activities has become critically important. One of the key attack vectors is the Domain Name System (DNS), which plays a fundamental role in internet communication. Although DNS is essential for every end user, it often remains unnoticed and unprotected, making it vulnerable to abuses such as DDoS attacks, attack surface reconnaissance, and data exfiltration. The aim of this study is to develop a method for automated analysis of DNS traffic to enable early detection of suspicious patterns and prevent potential attacks. To achieve this, open-source tools, publicly available databases, and log files from a real authoritative DNS server are utilized. The methodology includes analysing the frequency and type of DNS queries, as well as evaluating the IP addresses from which they originate. The results of the analysis demonstrate that automated processing of DNS logs allows for the identification of anomalous query patterns associated with malicious activities. Systematic monitoring of DNS traffic provides an opportunity for early threat detection and faster implementation of protective measures. The proposed approach enhances cybersecurity mechanisms by strengthening threat intelligence capabilities and automating the detection process. This underscores the significance of the research and the necessity of continuously improving protection methods in the dynamic landscape of cybersecurity.