DNS ANY Request Cannon Activity in DNS Query Packet Traffic
Authors: Yuto Takeda, Yasuo Musashi, Kenichi Sugitani, Toshiyuki Moriyama
We statistically investigated the total ANY resource record (RR) based DNS query request packet traffic
from the Internet to the top domain DNS server in a university campus network from January 1st, 2011 to December
31st, 2012. The results are as follows: (1) We found a significant increase in the inbound ANY RR based DNS query
request traffic on November 28th, 2011. (2) In this DNS query request packet traffic, we observed only one query
keyword, the campus domain name. (3) We found a correlation between the total inbound DNS query request
packet traffic and the DNS query request packet traffic including that query keyword. (4) We also carried out a
load test, sending unique ANY, A, and PTR RR based DNS queries to a test DNS server; however, we observed
no difference among the vmstat parameters for the different query types, and the load value was only 0.10-0.20. These
results indicate that the ANY RR based DNS request packet traffic is quite strange. Therefore, we should pay close
attention to ANY RR based DNS query request traffic that includes the single domain name.
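
The kind of measurement described in findings (1) to (3) can be sketched for a defender's own query log as follows. This is an added example, not the authors' code: the simplified BIND 9 style log line, the thresholds `min_any` and `dominance`, the name `example.ac.jp` and the sample records are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from math import sqrt

# Assumed, simplified BIND 9 style query-log line; adapt the pattern to your server.
LINE_RE = re.compile(r"^(\S+) \S+ client (\S+)#\d+: query: (\S+) IN (\S+)")

def _line(day, src, name, rtype):
    return f"{day} 09:00:00.000 client {src}#53000: query: {name} IN {rtype} +"

# Constructed sample: a quiet day followed by two days dominated by ANY queries.
SAMPLE = "\n".join(
    [_line("27-Nov-2011", "198.51.100.7", "www.example.ac.jp", "A"),
     _line("27-Nov-2011", "198.51.100.8", "example.ac.jp", "ANY"),
     _line("27-Nov-2011", "198.51.100.9", "7.100.51.198.in-addr.arpa", "PTR")]
    + [_line("28-Nov-2011", f"203.0.113.{i}", "example.ac.jp", "ANY") for i in range(5)]
    + [_line("28-Nov-2011", "198.51.100.7", "www.example.ac.jp", "A")]
    + [_line("29-Nov-2011", f"203.0.113.{i}", "example.ac.jp", "ANY") for i in range(4)]
    + [_line("29-Nov-2011", "198.51.100.7", "www.example.ac.jp", "A")])

def daily_stats(log_text):
    """Per day: total queries, ANY queries, and the names requested with ANY."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        day, _src, name, rtype = m.groups()
        d = stats.setdefault(day, {"total": 0, "any": 0, "names": Counter()})
        d["total"] += 1
        if rtype.upper() == "ANY":
            d["any"] += 1
            d["names"][name.lower().rstrip(".")] += 1
    return stats

def flag_days(stats, min_any=3, dominance=0.9):
    """Days with many ANY queries where one query name accounts for nearly all."""
    flagged = []
    for day, d in stats.items():
        if d["any"] >= min_any:
            name, hits = d["names"].most_common(1)[0]
            if hits / d["any"] >= dominance:
                flagged.append((day, name, d["any"]))
    return flagged

def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is constant)."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / sqrt(var) if var else 0.0
```

Feeding the daily `total` and `any` series from `daily_stats` into `pearson` gives the correlation check of finding (3); on real logs the thresholds should be set from the server's own baseline.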