A Message-Based Malicious Detection Scheme of Public DNS Services.

IEEE International Conference on High Performance Computing and Communications (2021)

Abstract
The open resolver, an important component of the DNS system, provides resolution services to the public. It is widely assumed that the public resolution service users rely on is safe. In fact, this trust in resolution services is extremely blind and unreliable: malicious open resolvers on the Internet tamper with user requests and direct users' normal DNS requests to the wrong destination. It is therefore necessary to discover these malicious attacks for Internet users as soon as possible. The traditional response strategy is to use a blacklist, which is simple to implement but cannot be exhaustive. Nor can it be applied to the dynamic situation in which the address of a malicious open resolver changes under actual network conditions. In this paper, by analyzing the correlations between DNS messages and public resolution, we propose features for malicious behavior detection. Furthermore, we design a malicious open resolver detection method based on random forest. To the best of our knowledge, our work is the first study to counter malicious open resolvers in this field. Experimental results demonstrate the ability to detect malicious open resolvers qualitatively. Using features based on DNS messages, our detection method achieves a true positive rate of 99.53% and a low false positive rate of 0.87%, which verifies the effectiveness of our method.
Keywords
Domain Name System, Open Resolver, Malicious Detection, Random Forest