An Internet Wide View into DNS Lookup Patterns

TitleAn Internet Wide View into DNS Lookup Patterns
Publication TypeReports
Year of Publication2010
AuthorsHao S, Feamster N, Pandrangi R
Date Published2010///
InstitutionVeriSign Labs, School of Computer Science, Georgia Tech
Abstract

This paper analyzes the DNS lookup patterns from a largeauthoritative top-level domain server and characterizes how
the lookup patterns for unscrupulous domains may differ
from those for legitimate domains. We examine domains
for phishing attacks and spam and malware related domains,
and see how these lookup patterns vary in terms of both their
temporal and spatial characteristics. We find that malicious
domains tend to exhibit more variance in the networks that
look up these domains, and we also find that these domains
become popular considerably more quickly after their initial
registration time. We also note that miscreant domains ex-
hibit distinct clusters, in terms to the networks that look up
these domains. The distinct spatial and temporal character-
istics of these domains, and their tendency to exhibit simi-
lar lookup behavior, suggests that it may be possible to ulti-
mately develop more effective blacklisting techniques based
on these differing lookup patterns.