Passive Detection of Misbehaving Name Servers

Technical Report
In this report, the authors explore name-server flux and two types of data that can reveal it.
Publisher: Software Engineering Institute

CMU/SEI Report Number: CMU/SEI-2013-TR-010

DOI (Digital Object Identifier): 10.1184/R1/6576071.v1

Abstract

In the process of categorizing malicious domains, distinguishing between suspicious and benign name servers can allow the name servers themselves to be acted against. Name servers do not normally change internet protocol (IP) addresses frequently. Domains that do change IP addresses quickly or often are said to exhibit IP flux, which can allow services, such as web pages that deliver malicious content, to circumvent defenders' attempts to block their IP addresses. IP flux in a name server's domain may be a sign that the name server is suspicious. This report demonstrates that name-server flux exists and is ongoing. Furthermore, there are two types of data that can reveal IP flux in domain name system (DNS) servers: passively collected DNS messages and the contents of several large, top-level domains' official zone files. 

Cite This Technical Report

Metcalf, L., & Spring, J. (2013, October 4). Passive Detection of Misbehaving Name Servers. (Technical Report CMU/SEI-2013-TR-010). Retrieved April 20, 2024, from https://doi.org/10.1184/R1/6576071.v1.

@techreport{metcalf_2013,
author={Metcalf, Leigh and Spring, Jonathan},
title={Passive Detection of Misbehaving Name Servers},
month={Oct},
year={2013},
number={CMU/SEI-2013-TR-010},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6576071.v1},
note={Accessed: 2024-Apr-20}
}

Metcalf, Leigh, and Jonathan Spring. "Passive Detection of Misbehaving Name Servers." (CMU/SEI-2013-TR-010). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, October 4, 2013. https://doi.org/10.1184/R1/6576071.v1.

L. Metcalf, and J. Spring, "Passive Detection of Misbehaving Name Servers," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2013-TR-010, 4-Oct-2013 [Online]. Available: https://doi.org/10.1184/R1/6576071.v1. [Accessed: 20-Apr-2024].

Metcalf, Leigh, and Jonathan Spring. "Passive Detection of Misbehaving Name Servers." (Technical Report CMU/SEI-2013-TR-010). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 4 Oct. 2013. https://doi.org/10.1184/R1/6576071.v1. Accessed 20 Apr. 2024.

Metcalf, Leigh; & Spring, Jonathan. Passive Detection of Misbehaving Name Servers. CMU/SEI-2013-TR-010. Software Engineering Institute. 2013. https://doi.org/10.1184/R1/6576071.v1