Analysis of DNS TXT Record Usage and Consideration of Botnet Communication Detection

Hikaru ICHISE, Yong JIN, Katsuyoshi IIDA

IEICE TRANSACTIONS on Communications   Vol.E101-B   No.1   pp.70-79
Publication Date: 2018/01/01
Online ISSN: 1745-1345
Type of Manuscript: Special Section PAPER (Special Section on Internet Technologies to Accelerate Smart Society)
Keywords: botnet communication, DNS TXT record, via-resolver DNS query, direct outbound DNS query, indirect outbound DNS query


Several recent reports describe cyber attackers using the Domain Name System (DNS) protocol for botnet communication between bot-infected computers and Command and Control (C&C) servers. In particular, botnet communication based on the DNS TXT record type has been observed in several kinds of botnet attack. Unfortunately, the DNS TXT record type also has many forms of legitimate usage, such as hostname description. In this paper, in order to detect and block botnet communication based on the DNS TXT record type, we first differentiate between legitimate and suspicious usages of the DNS TXT record type and then analyze real DNS TXT query data obtained from our campus network. We divide DNS queries sent out from an organization into three types — via-resolver, indirect outbound and direct outbound queries — and analyze the DNS TXT query data for each type separately. We use a 99-day dataset for via-resolver DNS TXT queries and an 87-day dataset for indirect and direct outbound DNS TXT queries. The results of our analysis show that about 30%, 8% and 19% of DNS TXT queries in via-resolver, indirect outbound and direct outbound queries, respectively, could be identified as suspicious DNS traffic. Based on our analysis, we also consider a comprehensive botnet detection system and have designed a prototype system.
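As an added illustration (not code from the paper), the following Python script sorts outbound TXT query records into the three paths named above and reports the suspicious share per path. It assumes a documentation-range campus prefix and resolver address, reads "indirect outbound" as queries leaving through an internal DNS server other than the official resolver, and uses a short list of mail-authentication and domain-verification patterns as the legitimate-TXT set; the paper's own classification criteria are not reproduced.

```python
import re
from ipaddress import ip_address, ip_network

ORG_NET = ip_network("192.0.2.0/24")        # assumed organization prefix (documentation range)
ORG_RESOLVER = ip_address("192.0.2.53")     # assumed official full-service resolver
# Well-known legitimate TXT forms (mail authentication, domain verification); assumed list.
LEGIT_TXT = re.compile(r"^(v=spf1|v=DKIM1|v=DMARC1|google-site-verification=|MS=)", re.I)

def classify_path(src, dst, other_internal_dns=frozenset()):
    """Assign an outbound TXT query to one of the paper's three paths: via-resolver (sent by the
    official resolver), indirect (sent by another internal DNS server), direct (sent by a host)."""
    src, dst = ip_address(src), ip_address(dst)
    if dst in ORG_NET or src not in ORG_NET:
        return None                          # not an outbound query from the organization
    if src == ORG_RESOLVER:
        return "via-resolver"
    if str(src) in other_internal_dns:
        return "indirect"
    return "direct"

def is_suspicious_txt(rdata):
    """Flag TXT data that matches no known legitimate form and looks like an encoded blob."""
    if LEGIT_TXT.match(rdata):
        return False
    return len(rdata) >= 40 and re.fullmatch(r"[A-Za-z0-9+/=]+", rdata) is not None

def summarise(records, other_internal_dns=frozenset()):
    """Per-path totals and suspicious share, mirroring the paper's per-path ratios."""
    counts = {}
    for src, dst, rdata in records:
        path = classify_path(src, dst, other_internal_dns)
        if path is None:
            continue
        total, sus = counts.get(path, (0, 0))
        counts[path] = (total + 1, sus + int(is_suspicious_txt(rdata)))
    return {p: {"total": t, "suspicious": s, "ratio": round(s / t, 2)}
            for p, (t, s) in counts.items()}

BLOB = "Zm9vYmFy" * 6   # constructed 48-character base64-looking payload
SAMPLE = [  # constructed (src, dst, returned TXT data) records
    ("192.0.2.53", "198.51.100.10", "v=spf1 include:_spf.example.com ~all"),
    ("192.0.2.53", "198.51.100.10", BLOB),
    ("192.0.2.17", "198.51.100.10", "v=DMARC1; p=none"),
    ("192.0.2.17", "203.0.113.5", BLOB),
    ("192.0.2.99", "203.0.113.5", BLOB),    # 192.0.2.99 is an assumed unofficial internal DNS server
    ("192.0.2.17", "192.0.2.53", BLOB),     # internal, not counted
]

def analyse_sample():
    return summarise(SAMPLE, other_internal_dns={"192.0.2.99"})
```

Run `analyse_sample()` to see the per-path counts; on the constructed records it flags half of the via-resolver and direct queries and the single indirect one.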