Fast and Accurate Identification of Active Recursive Domain Name Servers in High-speed Network

Fast and accurate identification of active recursive domain name servers (RDNS) is a fundamental step to evaluate security risk degrees of DNS systems. Much identification work have been proposed based on network traffic measurement technology. Even though identifying RDNS accurately, they waste huge network resources, and fail to obtain host activity and distinguish between direct and indirect RDNS. In this paper, we proposed an approach to identify direct and forward RDNS based on our three key insights on their request-response behaviors, and proposed an approach to identify indirect RDNS based on CNAME redirect behaviors. To work in high-speed backbone networks, we further proposed an online connectivity estimation algorithm to obtain estimated values used in our identification approaches. According to our experiments, we can identify RDNS with a high accuracy by selecting the reasonable thresholds. The accuracy of identifying direct and forward RDNS can reach 89%.The accuracy of identifying indirect RDNS can reach 90%.Moreover, our work is capable of real-time analyzing high speed backbone traffics.