Journal of Zhejiang University (Engineering Science)  2020, Vol. 54 Issue (12): 2423-2429    DOI: 10.3785/j.issn.1008-973X.2020.12.017
Computer and Control Engineering
Multi-layer domain name detection and measurement based on DNS traffic
Yi-xuan ZHANG, Jian GONG*
School of Cyber Science and Engineering, Southeast University, Nanjing 211100, China
Abstract:

A multi-layer domain name detection algorithm based on DNS traffic was designed to further study the role of domain names in DNS traffic and to provide a method for domain influence analysis. In the detection stage, DNS traffic was collected at the boundary of the CERNET backbone, and request and response sequences were extracted. Based on the aggregation characteristic of multi-layer domain names and the concurrency of DNS resolution, the sets of parent-child domains in the traffic were detected, and a time sliding window mechanism was introduced to measure the confidence of the results. In the measurement stage, the detection results were analyzed from multiple perspectives, including the scale and intersection of multi-layer domain name sets, the number of labels in parent and child domain names, and the resource types of the child domains in each set; two cases of typical websites with multi-layer domain names were then provided. The measurement results verified the existence and characteristics of multi-layer domain names and showed the effectiveness of the algorithm.

Key words: multi-layer domain name    network measurement    domain monitoring    website
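The abstract describes detecting parent-child domain sets from the concurrency of DNS resolution and scoring them with a sliding time window. The following is an added illustration of that idea, not the paper's code: the window length, the confidence threshold, the constructed query log and the way confidence is counted are all assumptions made here; the parent and child names are taken from the cctv.com example in Table 6.

```python
# Sliding-window parent/child domain detection over DNS query logs.
# Added illustration only; window, threshold and sample data are assumptions.
from collections import defaultdict

# Constructed sample log: (timestamp in seconds, client address, queried name)
SAMPLE_QUERIES = [
    (0.0, "10.0.0.1", "www.cctv.com"),
    (0.2, "10.0.0.1", "p1.img.cctvpic.com"),
    (0.3, "10.0.0.1", "js.player.cntv.cn"),
    (0.5, "10.0.0.1", "api.cntv.cn"),
    (5.0, "10.0.0.2", "www.cctv.com"),
    (5.1, "10.0.0.2", "p1.img.cctvpic.com"),
    (5.4, "10.0.0.2", "js.player.cntv.cn"),
    (9.0, "10.0.0.2", "unrelated.example"),  # too late: outside the window
    (12.0, "10.0.0.3", "www.cctv.com"),
    (12.3, "10.0.0.3", "p1.img.cctvpic.com"),
    (12.4, "10.0.0.3", "hm.baidu.com"),
]

def detect_children(queries, parents, window=2.0, min_confidence=0.6):
    """Return {parent: {child: confidence}}: confidence is the share of parent
    resolutions (over all clients) that the same client follows, within
    `window` seconds, with a resolution of the candidate child."""
    by_client = defaultdict(list)
    for ts, client, name in queries:
        by_client[client].append((ts, name))
    for events in by_client.values():
        events.sort()  # process each client's queries in time order
    result = {}
    for parent in parents:
        occurrences = 0
        hits = defaultdict(int)  # child -> number of windows it appeared in
        for events in by_client.values():
            for i, (ts, name) in enumerate(events):
                if name != parent:
                    continue
                occurrences += 1
                seen = set()  # count each child at most once per window
                for ts2, name2 in events[i + 1:]:
                    if ts2 - ts > window:
                        break
                    if name2 != parent:
                        seen.add(name2)
                for child in seen:
                    hits[child] += 1
        if occurrences:
            result[parent] = {c: round(n / occurrences, 2)
                              for c, n in hits.items()
                              if n / occurrences >= min_confidence}
    return result
```

On the constructed log, p1.img.cctvpic.com is confirmed with confidence 1.0 and js.player.cntv.cn with 0.67, while api.cntv.cn (one window out of three) and the late unrelated.example query fall below the threshold.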
Received: 2019-09-29    Published: 2020-12-31
CLC: TP 393
Funding: National Key Research and Development Program of China (2018YFB1800202)
Corresponding author: Jian GONG    E-mail: yxzhang@njnet.edu.cn; jgong@njnet.edu.cn
About the author: Yi-xuan ZHANG (born 1994), female, master's student, researching cyberspace security and network measurement. orcid.org/0000-0002-2877-2155. E-mail: yxzhang@njnet.edu.cn

Cite this article:

Yi-xuan ZHANG, Jian GONG. Multi-layer domain name detection and measurement based on DNS traffic. Journal of Zhejiang University (Engineering Science), 2020, 54(12): 2423-2429.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2020.12.017        http://www.zjujournals.com/eng/CN/Y2020/V54/I12/2423

Fig. 1  Abstract flow of how a browser parses and renders a page
Fig. 2  Overall structure of the IPCIS domain name information database

Table 1  Domain and IP counts of two institutions
Institution                                 Domains    IPs      Domains : IPs
Southeast University                        1 398      1 309    1.07 : 1
Jiangsu Radio and Television University     17 061     61       280 : 1

Fig. 3  Illustration of the domain aggregation mapping process
Fig. 4  Distribution of confidence verification intervals

Table 2  Statistics of the source data
                 Unique domains   Unique second-level domains   Requesting clients   Total requests/responses
DNS requests     4 378 064        737 575                       113 427              273 744 822
DNS responses    2 071 320        465 652                       ?                    414 397 058

Fig. 5  Daily number of DNS request and response records

Table 3  Distribution of websites by number of child domains
Child domains    Share of websites / %
[3, 10]          44.4
[11, 20]         18.0
[21, 30]         9.0
>30              28.6

Table 4  Distribution of child domains by number of referencing websites
Referencing websites    Share of child domains / %
[1, 10]                 65.6
[11, 20]                24.0
[21, 30]                5.0
>30                     5.4

Fig. 6  Label levels of parent and child domains and their proportions (CDF)
Fig. 7  Number and proportion of domains sharing the same second-level domain (CDF)

Table 5  Top second-level domains and their operators
Second-level domain    Operator
akamai.net             Akamai
cdn20.com              Wangsu Science & Technology
wsglb0.com             Wangsu Science & Technology
aliyuncs.com           Alibaba Cloud
alibabadns.com         Alibaba Cloud
alikunlun.com          Alibaba Cloud
qq.com                 Tencent Cloud

Table 6  Examples of parent and child domains of typical multi-layer domain name websites
Parent domain    Website type    Resource child domain    Resource type
www.cctv.com     News portal     p1.img.cctvpic.com       JS, images, CSS
                                 js.player.cntv.cn        JS
                                 time.tv.cctv.com         PHP
                                 api.cntv.cn              API
                                 p.data.cctv.com          JS, gif
www.iqiyi.com    Video site      stc.iqiyipic.com         JS, images, CSS
                                 static.iqiyi.com         JS, fonts
                                 hm.baidu.com             JS, gif