Detection of DNS Traffic Anomalies in Large Networks
Year of publication:
Type: Article in Proceedings
Published in: Advances in Communication Networking, Lecture Notes in Computer Science, Vol. 8846
MU Faculty or unit:
Keywords: domain name system; DNS; IP flow monitoring; IPFIX; traffic anomaly detection; internet measurements
Abstract: Almost every Internet communication is preceded by a translation of a DNS name to an IP address. Therefore, monitoring DNS traffic can effectively extend the capabilities of current methods for network traffic anomaly detection. In order to monitor this traffic efficiently, we propose a new flow metering algorithm that saves resources on the flow exporter. Next, to show the benefits of DNS traffic monitoring for anomaly detection, we introduce novel detection methods that use DNS-extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.