ISBN: 978-981-18-3959-7 DOI: 10.18178/wcse.2022.06.047
Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ
Abstract— Bot-infected computers sending direct outbound DNS queries, without first obtaining the information of the authoritative DNS servers from the DNS full-service resolvers set up in the internal network, have become a critical security issue nowadays. In the DNS protocol, the domain name resolution process first obtains the necessary authoritative DNS name server information (NS records) and then obtains the answers to the original DNS queries; both steps are carried out by the DNS full-service resolvers. However, some types of bot programs violate this DNS protocol process and send direct outbound DNS queries to their Command and Control (C&C) servers (malicious DNS servers) for bot communication. We investigated the detection and blocking of direct outbound DNS queries using MySQL at an early stage; however, network latency emerged as a critical issue. In this advanced research, we propose a policy-based detection and blocking system for abnormal direct outbound DNS queries using DNS Response Policy Zones (DNS RPZ) in order to solve these issues. In this paper, we describe the design of the proposed system and introduce an implemented prototype system. In addition, we describe the preliminary evaluation results for each feature of the proposed system conducted on the prototype, and finally, we introduce the tasks planned for future work.
Index Terms—Botnet, abnormal DNS traffic, DNS, NS record, RPZ, SDN, and direct outbound DNS query
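The abstract describes two steps: recognising a direct outbound DNS query (one that leaves the internal network from a host other than the internal full-service resolvers) and expressing the blocking decision as an RPZ policy. The following Python block is an added illustration of that pipeline and is not code from the paper or its prototype. It assumes a constructed internal prefix and resolver addresses, constructed flow log lines, and a simplified detection rule (source is not an internal resolver and destination is external port 53) in place of the paper's NS-record-based check; how the redirected queries reach the RPZ-enabled resolver (the SDN part) is outside the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed deployment values (not from the paper): the internal prefix and the
# internal DNS full-service resolvers that every client should use.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}


@dataclass(frozen=True)
class DnsQuery:
    src: str       # source IP of the query
    dst: str       # destination IP (the DNS server being asked)
    dst_port: int  # destination port, 53 for DNS
    qname: str     # queried domain name


# Constructed sample of outbound flows, "src dst dport qname" per line.
# Lines 1, 2 and 5 follow the normal resolver path; lines 3, 4 and 6 are
# clients talking to external DNS servers directly.
SAMPLE_LOG = """\
10.0.5.20 10.0.0.53 53 www.example.com
10.0.0.53 198.51.100.10 53 www.example.com
10.0.7.9 203.0.113.7 53 cc.bot.invalid
10.0.7.9 203.0.113.7 53 cmd.bot.invalid
10.0.5.21 10.0.1.53 53 mail.example.org
10.0.8.2 198.51.100.99 53 update.bot.invalid
"""


def parse_log(text):
    """Parse the constructed log format into DnsQuery records."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, qname = line.split()
        queries.append(DnsQuery(src, dst, int(port), qname.rstrip(".").lower()))
    return queries


def is_direct_outbound(q):
    """Simplified rule (assumption): a DNS query that leaves the internal
    network from any host other than an internal full-service resolver."""
    src = ipaddress.ip_address(q.src)
    dst = ipaddress.ip_address(q.dst)
    if q.dst_port != 53:
        return False
    if dst in INTERNAL_NET:
        return False  # client -> internal resolver is the expected path
    return src not in INTERNAL_RESOLVERS


def find_direct_outbound(queries):
    """Return the queries flagged as abnormal direct outbound DNS queries."""
    return [q for q in queries if is_direct_outbound(q)]


def rpz_policy(flagged):
    """Render one RPZ rule pair per flagged name. In an RPZ zone, an owner
    name with 'CNAME .' makes the resolver answer NXDOMAIN for that name;
    the wildcard owner covers its subdomains. Choosing NXDOMAIN (rather than
    NODATA or drop) as the action is this example's assumption."""
    rules = []
    for name in sorted({q.qname for q in flagged}):
        rules.append(f"{name} CNAME .")
        rules.append(f"*.{name} CNAME .")
    return rules


if __name__ == "__main__":
    flagged = find_direct_outbound(parse_log(SAMPLE_LOG))
    for q in flagged:
        print(f"direct outbound DNS query: {q.src} -> {q.dst} for {q.qname}")
    print("\n".join(rpz_policy(flagged)))
```

The rendered lines are relative owner names inside an RPZ zone (for example a zone named `rpz.local` listed under `response-policy` in BIND's `named.conf`); a real deployment would add the zone's SOA/NS header and bump its serial on every update.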
Hikaru Ichise, Yong Jin
Tokyo Institute of Technology, Tokyo, JAPAN
Hokkaido University, Sapporo, JAPAN
Cite: Hikaru Ichise, Yong Jin, Katsuyoshi Iida, "Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ," Proceedings of 2022 the 12th International Workshop on Computer Science and Engineering (WCSE 2022), pp. 327-332, June 24-27, 2022.