Towards Active Measurement for DNS Query Behavior of Botnets
Domain names play an increasingly important role in botnet activities. Traditionally, DNS traces collected from several local DNS servers are used passively to measure DNS query behavior. However, because botnets are a wide-scale threat and usually reside in geographically dispersed networks, the vantage point of a few local DNS servers is sometimes too narrow to reveal the DNS query behavior of botnets (e.g., whether a domain is queried at all, and at what average query rate). In this paper, the authors actively measure the DNS query behavior of botnets in geographically dispersed networks via the DNS cache probing technique. They first analytically characterize how multiple domain names are queried by botnets in different networks under certain circumstances.