An Internet-Wide View into DNS Lookup Patterns

This paper analyzes the DNS lookup patterns from a large authoritative top-level domain server and characterizes how the lookup patterns for unscrupulous domains may differ from those for legitimate domains. We examine domains for phishing attacks and spam and malware related domains, and see how these lookup patterns vary in terms of both their temporal and spatial characteristics. We find that malicious domains tend to exhibit more variance in the networks that look up these domains, and we also find that these domains become popular considerably more quickly after their initial registration time. We also note that miscreant domains exhibit distinct clusters, in terms to the networks that look up these domains. The distinct spatial and temporal characteristics of these domains, and their tendency to exhibit similar lookup behavior, suggests that it may be possible to ultimately develop more effective blacklisting techniques based on these differing lookup patterns.