In computer networking, domain names help identify locations where certain information or services can be found on a public or private network. Domain names are typically formed according to the rules and procedures of the Domain Name System (DNS). Domain names can be used for various naming and addressing purposes. In general, a domain name can be resolved to an Internet Protocol (IP) resource, such as a personal computer, a server hosting website pages, or a website page or service. Thus, the DNS allows translating domain names (such as “www.example.com”) into the corresponding IP address (such as “123.4.56.78”) needed to establish Transmission Control Protocol/Internet Protocol (TCP/IP) communication over the Internet.
Traditionally, DNS servers resolve (i.e., translate to IP addresses) domain names upon receiving DNS queries associated with domain names. When a DNS server receives a query from a client, the DNS server checks if it can answer the DNS query authoritatively based on local information of the DNS server. If the queried domain name matches a corresponding resource record in a local cache, the DNS server can answer authoritatively. If no local record exists for the queried domain name, the DNS server can check if it can resolve the domain name using locally cached information from historical data. If a match is found, the DNS server answers based on the historical data. If no matching answer for the queried domain name is found at the DNS server level, the query process can continue with assistance from other DNS servers.
It is common for DNS queries to be generated upon a user simply opening a web browser and making a request to open a certain website page. Those types of DNS queries are human-driven DNS queries. However, there also exist DNS queries generated by machines, hardware, or software applications. For example, DNS queries can be generated upon a user opening a particular software application, such as a mobile application, and making certain requests that cause the software application to address certain network resources or web services using, for example, Application Programming Interface (API) functions. In another example, one networked device, such as a first server, can address another networked device, such as a second server, using DNS queries. Thus, this second type of query relates to machine-to-machine (M2M) DNS queries.
In the Internet traffic analytics industry, it can be an important task to distinguish human-driven DNS queries from M2M DNS queries. For example, determining how humans behave when they search or browse information on the Internet can be relevant for content delivery, advertisement, and security purposes. On the other hand, analyzing M2M DNS queries without human-driven DNS queries can be helpful in detecting malicious activities. Thus, methods and systems for distinguishing human-driven DNS queries from M2M DNS queries are needed.