Journal of ZheJiang University (Engineering Science)  2020, Vol. 54 Issue (12): 2423-2429    DOI: 10.3785/j.issn.1008-973X.2020.12.017
    
Multi-layer domain name detection and measurement based on DNS traffic
Yi-xuan ZHANG, Jian GONG*
School of Cyber Science and Engineering, Southeast University, Nanjing 211100, China

Abstract  

A multi-layer domain name detection algorithm based on DNS traffic was designed to further study the role of domain names in DNS traffic and to provide a method for analyzing a domain's influence. In the detection stage, DNS traffic was collected at the boundary of the CERNET backbone, and request and response sequences were extracted. Based on the aggregation characteristic of multi-layer domain names and the concurrency of DNS resolution, the sets of parent-child domains present in the traffic were detected, and a time sliding window mechanism was introduced to measure the confidence of the results. In the measurement stage, the detection results were analyzed from multiple perspectives, including the scale and intersection of multi-layer domain name sets, the number of tags (labels) in parent and child domain names, and the resource types of the child domains in each set. Two cases of typical websites with multi-layer domain names were then provided. The measurement results verified the existence and characteristics of multi-layer domain names and showed the effectiveness of the algorithm.



Key words: multi-layer domain name; network measurement; domain monitoring; website
Received: 29 September 2019      Published: 31 December 2020
CLC:  TP 393  
Corresponding author: Jian GONG    E-mail: yxzhang@njnet.edu.cn; jgong@njnet.edu.cn
Cite this article:

Yi-xuan ZHANG,Jian GONG. Multi-layer domain name detection and measurement based on DNS traffic. Journal of ZheJiang University (Engineering Science), 2020, 54(12): 2423-2429.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2020.12.017     OR     http://www.zjujournals.com/eng/Y2020/V54/I12/2423


Multi-layer domain name detection and measurement based on DNS traffic (Chinese title)

To study the role of domain names in DNS traffic and to offer an approach for locating and screening domain names for domain influence analysis, a multi-layer domain name detection algorithm based on DNS traffic was designed. In the detection stage, DNS traffic was collected at the boundary of the CERNET backbone, and request and response sequences were extracted. Based on the aggregation characteristic of multi-layer domain names and the concurrency of resolution, the parent-child domain sets present in the traffic were detected, and a time sliding window mechanism was introduced to measure confidence. In the measurement stage, the detection results were analyzed from several perspectives, including the size and intersection of multi-layer domain name sets, the number of labels of parent and child domains, and the resource types corresponding to child domains in the sets; two case studies of typical websites with multi-layer domain names were also provided. The measurement results confirm the existence of the multi-layer domain name phenomenon and the characteristics of multi-layer domain name sets, and show the effectiveness of the detection algorithm.


Key words: multi-layer domain name; network measurement; domain monitoring; website
Fig.1 Abstract process of rendering Web page
Fig.2 Architecture of IPCIS domain database
Unit | Number of domains | Number of IPs | Domains:IPs
Southeast University | 1 398 | 1 309 | 1.07:1
Jiangsu Radio and Television University | 17 061 | 61 | 280:1
Tab.1 Counts of domain and IP attributed to two units
Fig.3 Domain aggregation mapping process
Fig.4 Distribution of reliability test
Count | Unique domains | Unique second-level domains | Requesting clients | Total requests/responses
DNS requests | 4 378 064 | 737 575 | 113 427 | 273 744 822
DNS responses | 2 071 320 | 465 652 | ? | 414 397 058
Tab.2 Statistical analysis of raw data
Fig.5 Counts of DNS request and response per day
Number of child domains | Share of websites/%
[3, 10] | 44.4
[11, 20] | 18.0
[21, 30] | 9.0
>30 | 28.6
Tab.3 Distribution of websites with different numbers of child domains
Number of referencing websites | Share of child domains/%
[1, 10] | 65.6
[11, 20] | 24.0
[21, 30] | 5.0
>30 | 5.4
Tab.4 Distribution of child domains referenced by different numbers of websites
Fig.6 Ratio of number of tags of parent-child domain (CDF)
Fig.7 Ratio of number of domain with the same second level domain (CDF)
Second-level domain | Operator
akamai.net | Akamai
aliyuncs.com | Alibaba Cloud
alibabadns.com | Alibaba Cloud
alikunlun.com | Alibaba Cloud
cdn20.com | Wangsu Science & Technology (网宿科技)
wsglb0.com | Wangsu Science & Technology (网宿科技)
qq.com | Tencent Cloud
Tab.5 Top second level domain and operator
Parent domain | Website type | Resource child domain | Resource type
www.cctv.com | News portal | p1.img.cctvpic.com | JS, images, CSS
 | | js.player.cntv.cn | JS
 | | time.tv.cctv.com | PHP
 | | api.cntv.cn | API
 | | p.data.cctv.com | JS, gif
www.iqiyi.com | Video website | stc.iqiyipic.com | JS, images, CSS
 | | static.iqiyi.com | JS, fonts
 | | hm.baidu.com | JS, gif
Tab.6 Typical websites with multi-layer domain name