1. Field
This field is generally related to network security, and more specifically collecting and processing Domain Name System (DNS) records.
2. Related Art
A communication network may, for example, allow data to be transferred between two geographically remote locations. To transmit data over a network, the data is often divided into pieces, known as packets or blocks. Each packet or block may have a destination network address, such as an IP address, that indicates a destination of the packet and intermediate forwarding devices where the packet should be routed. These addresses are often numerical, difficult to remember, and may frequently change.
To identify a destination, domain names are frequently used. Domain names identify a destination host, or server, and may map to a corresponding network address. For example, the domain name www.example.com may map to the network address 93.184.216.119. To map the domain names to the network addresses, a domain name system (DNS) may be used. DNS may divide the namespace into a hierarchy with different organizations controlling different portions of the hierarchy. In different portions of the hierarchy, different name servers may store resource records that map domain names to network addresses.
To look up a network address from a domain name, DNS may use resolvers that execute a sequence of queries to different name servers. For example, the sequence of queries to resolve www.example.com may start at the root name server, which indicates the address of the name server for .com. Then, the DNS resolver may query the name server for .com for the address of the name server for example.com. Then, the DNS resolver may query the name server for example.com for the address of www.example.com. In practice, so that a resolver does not need to go through the entire sequence for each request, the resolver may cache the addresses of the various name servers.
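The sequence of queries described above, and the effect of caching the referrals, can be seen in the following toy simulation. This is an added example and not part of the original text: the zone data is constructed (only a root zone, `com.`, and `example.com.` exist), no network traffic is sent, and the resolver simplifies matters by remembering which zones it already knows a server for rather than caching actual server addresses.

```python
"""Toy simulation of iterative DNS resolution with referral caching.

Added example, not part of the original text. The zone data below is
constructed for illustration; no packets are sent.
"""
from typing import Dict, List, Optional, Tuple

# Constructed authoritative data. Each zone lists the child zones it delegates
# and the address records it holds directly. Real root/TLD servers return NS
# records plus glue addresses; here a referral is simply the child zone's name.
ZONE_DATA: Dict[str, dict] = {
    ".":            {"delegates": ["com."],         "a": {}},
    "com.":         {"delegates": ["example.com."], "a": {}},
    "example.com.": {"delegates": [],               "a": {"www.example.com.": "93.184.216.119"}},
}


def _in_zone(qname: str, zone: str) -> bool:
    """True if qname is at or below zone, respecting label boundaries."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


def authoritative_answer(zone: str, qname: str) -> Tuple[str, Optional[str]]:
    """Simulate one query to the name server for `zone`.

    Returns ("answer", address), ("referral", child_zone) or ("nxdomain", None).
    """
    data = ZONE_DATA[zone]
    if qname in data["a"]:
        return "answer", data["a"][qname]
    for child in data["delegates"]:
        if _in_zone(qname, child):
            return "referral", child
    return "nxdomain", None


class Resolver:
    """Walks the hierarchy, starting at the closest zone whose server is already known."""

    def __init__(self) -> None:
        self.known_zones = {"."}   # root hints are always available
        self.queries_sent = 0

    def _closest_known_zone(self, qname: str) -> str:
        best = "."
        for zone in self.known_zones:
            if zone != "." and _in_zone(qname, zone) and len(zone) > len(best):
                best = zone
        return best

    def resolve(self, qname: str) -> Tuple[Optional[str], List[Tuple[str, str, Optional[str]]]]:
        """Return (address or None, trace of (zone queried, result kind, value))."""
        zone = self._closest_known_zone(qname)
        trace: List[Tuple[str, str, Optional[str]]] = []
        while True:
            self.queries_sent += 1
            kind, value = authoritative_answer(zone, qname)
            trace.append((zone, kind, value))
            if kind == "answer":
                return value, trace
            if kind == "referral":
                self.known_zones.add(value)   # remember the child zone's server
                zone = value
                continue
            return None, trace


if __name__ == "__main__":
    r = Resolver()
    for _ in range(2):
        addr, trace = r.resolve("www.example.com.")
        # first pass walks ., com., example.com.; second pass goes straight to example.com.
        print(addr, [step[0] for step in trace])
```

The first resolution costs three queries (root, `com.`, `example.com.`); because the referrals were remembered, the second resolution of the same name costs one. A name that does not exist under a known zone is answered with a single query to that zone's server.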
Many new domains are registered every day, but not all of them are registered for legitimate purposes. Some domains are registered for malicious purposes. One malicious purpose is to bring down a network service; such attacks are called denial of service attacks. One example of a denial of service attack is a Transmission Control Protocol (TCP) SYN flood.
Other network abuses may not be trying to bring down a service, but may instead be making network requests, including application-level requests, for other improper purposes. In these abuses, an automated system may be making application requests that, for example, set up fake user accounts and try to entice a user to divulge confidential information, such as her password, credit card information, or Social Security number, or that run other scams. Domains may be registered to support these abuses as well as other types of network abuses, including malware, phishing, or spam.
To protect against network abuses, network administrators can configure DNS resolvers to block or redirect lookups of domain names believed to be malicious. For example, Domain Name System Response Policy Zones (DNS RPZ) provide a mechanism to block or redirect lookups of specified domain names.
In these network abuses, the attackers often use their domain names shortly after registration and for only a short period of time. In contrast, legitimate web services may not use their domains so soon after registration and continue to use their domains for a long period of time. Hence, newly observed domains (NOD), for example those that have been registered within a particular period of time, e.g. the last 5 minutes, 1 hour, 12 hours or even 24 hours, may be identified as potentially malicious. Services are available that provide these newly observed domains to DNS resolvers so that lookups of those domains can be blocked for that period of time. But tracking newly observed domains on a large scale can be computationally intensive.
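The following added example, which is not part of the original text, shows the detection idea behind newly observed domains and the RPZ blocking described in the preceding paragraphs in one place: a first-seen table per registrable domain, a configurable "new" window, and a retention period that bounds memory. Everything in it is constructed: the query log format and its lines, the baseline of previously seen domains, the "last two labels" rule for the registrable domain (production code should consult the Public Suffix List), and the domain names themselves. The `CNAME .` convention for an NXDOMAIN answer is the standard RPZ one.

```python
"""Newly observed domain (NOD) tracking over a DNS query log.

Added example, not part of the original text. The log format, sample lines,
baseline and registrable-domain rule are all constructed assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed query log (timestamp, client, queried name); not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 query www.example.com
2024-03-01T10:00:05Z 10.0.0.7 query cdn.example.com
2024-03-01T10:02:00Z 10.0.0.9 query login-verify-acct.net
2024-03-01T10:03:00Z 10.0.0.9 query secure.login-verify-acct.net
this line is malformed and must be skipped
2024-03-01T12:30:00Z 10.0.0.5 query login-verify-acct.net
"""
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def registrable_domain(name: str) -> str:
    """Collapse a query name to the domain that was registered.

    Assumption: the last two labels. Real code should use the Public Suffix
    List so that names under suffixes such as co.uk are handled correctly.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


class NewlyObservedDomains:
    """Remember when each registrable domain was first seen; flag young ones."""

    def __init__(self, window: timedelta, retention: timedelta,
                 baseline: Optional[Dict[str, datetime]] = None) -> None:
        self.window = window          # how long a domain counts as "new"
        self.retention = retention    # how long a domain is remembered at all
        self.first_seen: Dict[str, datetime] = dict(baseline or {})

    def observe(self, ts: datetime, qname: str) -> Optional[timedelta]:
        """Record a sighting; return the domain's age if it is still inside the window."""
        first = self.first_seen.setdefault(registrable_domain(qname), ts)
        age = ts - first
        return age if age <= self.window else None

    def expire(self, now: datetime) -> int:
        """Forget domains older than the retention period to bound memory.

        Retention must be much longer than the window: a forgotten domain that
        reappears would otherwise be flagged as new a second time.
        """
        stale = [d for d, t in self.first_seen.items() if now - t > self.retention]
        for d in stale:
            del self.first_seen[d]
        return len(stale)


def rpz_records(domain: str) -> List[str]:
    """RPZ records that make a resolver answer NXDOMAIN for the domain and its subdomains."""
    return [f"{domain} CNAME .", f"*.{domain} CNAME ."]


def process_log(text: str, tracker: NewlyObservedDomains) -> List[dict]:
    """Run each log line through the tracker and collect flagged sightings."""
    flagged = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, qname = datetime.strptime(m.group(1), TS_FMT), m.group(3)
        age = tracker.observe(ts, qname)
        if age is not None:
            domain = registrable_domain(qname)
            flagged.append({"ts": ts, "qname": qname, "domain": domain,
                            "age_s": int(age.total_seconds()), "rpz": rpz_records(domain)})
    return flagged


def demo() -> dict:
    """Process the constructed log with a 1-hour window and 30-day retention."""
    tracker = NewlyObservedDomains(
        window=timedelta(hours=1), retention=timedelta(days=30),
        baseline={"example.com": datetime(2024, 2, 1)},   # constructed: seen long ago
    )
    flagged = process_log(SAMPLE_LOG, tracker)
    dropped = tracker.expire(datetime(2024, 3, 5))
    return {"flagged": flagged, "dropped": dropped, "tracked": sorted(tracker.first_seen)}


if __name__ == "__main__":
    for hit in demo()["flagged"]:
        print(hit["ts"], hit["qname"], f"age={hit['age_s']}s", hit["rpz"])
```

Only the two sightings of `login-verify-acct.net` within an hour of its first appearance are flagged; the lookup at 12:30 falls outside the window, and `example.com`, present in the baseline, is never flagged. The `expire` step shows the trade-off the paragraph points at: every domain ever seen must be remembered for the retention period, which is what makes large-scale tracking costly.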
Systems and methods are needed to more efficiently detect newly observed domains.