The Domain Name System (DNS) distributes the mapping of Internet hostnames to IP (Internet Protocol) addresses, resolving names online through recursive queries to remote databases configured for each network, or domain. Dynamic DNS is a method of automatically updating a name server in the DNS as IP addresses are assigned dynamically to computers when they power up.
Malware is often executed and analyzed in a sandbox environment by threat intelligence researchers. The output from these sandbox executions contains network traffic analysis, such as the domains resolved and the IP addresses contacted during the sandbox execution. As part of the analysis, the threat intelligence researcher must often resolve a large number of domain names, requiring frequent access to the Dynamic DNS system. The Dynamic DNS system, however, includes protection mechanisms by which the DNS servers block resolution requests from an IP address when certain access criteria are met.
A need therefore exists for improved techniques for automated classification of domain names resolved by malware.