Eyedns: Monitoring A University Campus Network

The Domain Name System (DNS) is responsible for mapping human readable domain names to internet protocol (IP) addresses. DNS is a ubiquitous part of internet and intranet communication, making it a convenient and comprehensive source for data to infer network health, performance, and security. A victim of its own success, monitoring real-time DNS traffic is a challenge due to sheer volume: huge amounts of DNS packets flow through a typical enterprise in a single day. In this paper, we describe eyeDNS, a scalable and extensible system for near real-time aggregation, storage, analysis, and visualization of DNS traffic collected by a hardware back-end. We report on eyeDNS's deployment and data collection on a large public university's network over a timeframe of 15 months. Moreover, we leveraged data from the following 6 months to validate findings made during the initial timeframe. With fast query response, aggregation, and visualization of DNS data, eyeDNS helped identify instances of anomalous network use, malware-specific behaviors, and scamming activities. eyeDNS is currently being used by the university's security personnel and has demonstrated its effectiveness in extracting trends and outliers from large volumes of DNS data collected from a diverse environment, where even commercial tools struggle to provide timely and actionable analysis.