Semantic Exploration of DNS

  • Samuel Marchal
  • Jérôme François
  • Cynthia Wagner
  • Thomas Engel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7289)


The DNS structure discloses useful information about the organization and operation of an enterprise network, which can be used for designing attacks as well as for monitoring domains that support malicious activities. This paper therefore introduces a new method for exploring DNS domains. Our previous work described a tool that accurately generates existing DNS names in order to probe a domain automatically; here that approach is extended by leveraging semantic analysis of domain names. In particular, the semantic distributional similarity and relatedness of sub-domains are considered, as well as sequential patterns. The evaluation shows that discovery is highly improved while the overhead remains low, compared with non-semantic DNS probing tools, including ours and others.



Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Samuel Marchal (1)
  • Jérôme François (1)
  • Cynthia Wagner (1)
  • Thomas Engel (1)
  1. SnT - University of Luxembourg, Luxembourg
