DETECTION AND MITIGATION OF MALICIOUS ACTIVITIES BASED ON DNS QUERY ANALYSIS

Authors

  • Georgi Markov Department of Information Technologies, Nikola Vaptsarov Naval Academy (BG)
  • Borislav Nikolov Department of Information Technologies, Nikola Vaptsarov Naval Academy (BG)

DOI:

https://doi.org/10.17770/etr2025vol2.8582

Keywords:

DNS query, automation, logging, Python script, cybersecurity

Abstract

As cyber threats grow in number and attacks on network infrastructure grow in complexity, effective methods for detecting malicious activity have become critically important. One key attack vector is the Domain Name System (DNS), which plays a fundamental role in Internet communication. Although every end user depends on DNS, it often goes unmonitored and unprotected, leaving it open to abuse such as DDoS attacks, attack-surface reconnaissance, and data exfiltration. The aim of this study is to develop a method for automated analysis of DNS traffic that enables early detection of suspicious patterns and helps prevent attacks. To this end, open-source tools, publicly available databases, and log files from a real authoritative DNS server are used. The methodology analyses the frequency and type of DNS queries and evaluates the IP addresses from which they originate. The results show that automated processing of DNS logs identifies anomalous query patterns associated with malicious activity. Systematic monitoring of DNS traffic enables earlier threat detection and faster deployment of protective measures. The proposed approach strengthens threat intelligence capabilities and automates the detection process, underscoring the need to continuously improve protection methods in the changing cybersecurity landscape.
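The abstract names three analysis steps: query frequency per source, query type distribution, and a reputation check on the originating IP addresses. The following Python block is an added example of that workflow and is not the authors' script. It assumes the log lines follow the BIND 9 "queries" logging category format; the sample lines, the thresholds, the rule names and the KNOWN_BAD set (a stand-in for a lookup against a public IP reputation database) are constructed for illustration, not values taken from the paper.

```python
"""Threshold-based triage of BIND 9-style DNS query logs (added example).

Not the paper's script. Log format assumed from the BIND 9 'queries'
category; sample lines, thresholds and the reputation list are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# "... client [@0x...] <ip>#<port> (<qname>): query: <name> <class> <type> <flags> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Illustrative thresholds (assumptions, not values from the paper).
RATE_LIMIT = 50            # queries from one source in the analysed window
ANY_TXT_SHARE = 0.5        # share of ANY/TXT queries treated as suspicious
TUNNEL_MIN_QUERIES = 20
TUNNEL_UNIQUE_RATIO = 0.8  # distinct names / total queries
TUNNEL_MEAN_LEN = 40       # mean query-name length in characters
# Constructed stand-in for a public IP reputation database lookup.
KNOWN_BAD = {"192.0.2.99"}


def make_line(ip: str, name: str, qtype: str) -> str:
    """Build a constructed query-log line in the assumed BIND 9 format."""
    return ("02-Feb-2025 10:15:32.101 queries: info: "
            f"client @0x7f3a1c {ip}#53210 ({name}): "
            f"query: {name} IN {qtype} +E(0)K (198.51.100.1)")


# Constructed sample: benign browsing, an ANY flood, a tunnelling pattern
# (many unique long labels under one zone) and one query from a listed source.
SAMPLE_LINES = (
    [make_line("192.0.2.10", n, t) for n, t in
     [("www.example.com", "A"), ("www.example.com", "AAAA"),
      ("mail.example.com", "MX"), ("example.com", "NS")]]
    + [make_line("203.0.113.7", "example.com", "ANY") for _ in range(60)]
    + [make_line("198.51.100.23", f"{i:032x}.t.example.com", "TXT")
       for i in range(25)]
    + [make_line("192.0.2.99", "example.com", "A")]
)


@dataclass
class SourceStats:
    total: int = 0
    qtypes: Counter = field(default_factory=Counter)
    names: set = field(default_factory=set)
    name_len_sum: int = 0


def parse_line(line: str):
    """Return (ip, name, qtype) for a query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype").upper()


def summarize(lines):
    """Aggregate query frequency, query types and name shape per source IP."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # non-query lines are skipped, not errors
        ip, name, qtype = parsed
        s = stats.setdefault(ip, SourceStats())
        s.total += 1
        s.qtypes[qtype] += 1
        s.names.add(name)
        s.name_len_sum += len(name)
    return stats


def flag_sources(stats, known_bad=KNOWN_BAD):
    """Apply the rate, query-type, tunnel-shape and reputation rules."""
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s.total > RATE_LIMIT:
            reasons.append("high_rate")
        heavy = s.qtypes["ANY"] + s.qtypes["TXT"]
        if s.total >= 10 and heavy / s.total >= ANY_TXT_SHARE:
            reasons.append("any_txt_heavy")
        if (s.total >= TUNNEL_MIN_QUERIES
                and len(s.names) / s.total >= TUNNEL_UNIQUE_RATIO
                and s.name_len_sum / s.total >= TUNNEL_MEAN_LEN):
            reasons.append("tunnel_like")
        if ip in known_bad:
            reasons.append("bad_reputation")
        if reasons:
            findings[ip] = reasons
    return findings


def analyze(lines, known_bad=KNOWN_BAD):
    return flag_sources(summarize(lines), known_bad)


def render_acl(findings, name="dns-suspicious"):
    """Render flagged sources as a BIND 9 acl block for the operator to review."""
    body = " ".join(f"{ip};" for ip in sorted(findings))
    return f'acl "{name}" {{ {body} }};'


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for ip, reasons in result.items():
        print(f"{ip:16} {', '.join(reasons)}")
    print(render_acl(result))
```

Each rule maps to one of the abstract's steps: high_rate and any_txt_heavy come from query frequency and type, tunnel_like from the shape of the queried names, and bad_reputation from the source-address check. The acl output is a review artefact; a live deployment would apply it only after an operator confirms the findings, since an authoritative server also sees legitimate bursts from large resolvers.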

Supporting Agencies
This work was supported by the National Scientific Program “Security and Defence”, adopted with RMS No. 731/21.10.2021, and financed by the Ministry of Education and Science of the Republic of Bulgaria according to Agreement No. D01-74/19.05.2022.


Published

08.06.2025

How to Cite

[1]
G. Markov and B. Nikolov, “DETECTION AND MITIGATION OF MALICIOUS ACTIVITIES BASED ON DNS QUERY ANALYSIS”, ETR, vol. 2, pp. 231–236, Jun. 2025, doi: 10.17770/etr2025vol2.8582.