Query Log Analysis: Detecting Anomalies in DNS Traffic at a TLD Resolver

  • Pieter Robberechts
  • Maarten Bosteels
  • Jesse Davis
  • Wannes Meert
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 967)


We present QLAD, an anomaly detection system designed for the high query volume and the specific nature of DNS traffic at a TLD resolver. QLAD integrates three components that together implement the complete anomaly detection process, from the ingestion of raw traffic data to the visualisation of detected anomalies. In an initial analysis of query logs from the Belgian ccTLD registry, we showed that QLAD can archive data compactly, has a low computational cost and can detect a wide range of anomalies. We found several anomalies of interest to the registry operator, such as domain enumerations and DoS attacks. Other anomalies were caused by benign applications with unique traffic patterns. A user interface helps to distinguish between these, but correctly identifying all anomalies remains a difficult and tedious task.


Keywords: Anomaly detection · DNS · Internet security



The authors acknowledge the partial support of KU Leuven Research Fund C14/17/070 and C22/15/015 (PR and JD), FWO-Vlaanderen SBO-150033 (JD and WM) and Interreg V A project NANO4Sports (PR and JD).



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Pieter Robberechts (1, corresponding author)
  • Maarten Bosteels (2)
  • Jesse Davis (1)
  • Wannes Meert (1)

  1. Department of Computer Science, KU Leuven, Leuven, Belgium
  2. DNS Belgium vzw, Leuven, Belgium
