Document Type
Conference Paper
Publication Date
2023
DOI
10.1145/3618257.3624805
Publication Title
Proceedings of the 2023 ACM on Internet Measurement Conference
Pages
198-212
Conference Name
ICM '23: ACM Internet Measurement Conference, October 24-26, 2023, Montreal, Quebec, Canada
Abstract
Non-Existent Domain (NXDomain) is one type of the Domain Name System (DNS) error responses, indicating that the queried domain name does not exist and cannot be resolved. Unfortunately, little research has focused on understanding why and how NXDomain responses are generated, utilized, and exploited. In this paper, we conduct the first comprehensive and systematic study on NXDomain by investigating its scale, origin, and security implications. Utilizing a large-scale passive DNS database, we identify 146,363,745,785 NXDomains queried by DNS users between 2014 and 2022. Within these 146 billion NXDomains, 91 million of them hold historic WHOIS records, of which 5.3 million are identified as malicious domains including about 2.4 million blocklisted domains, 2.8 million DGA (Domain Generation Algorithms) based domains, and 90 thousand squatting domains targeting popular domains. To gain more insights into the usage patterns and security risks of NXDomains, we register 19 carefully selected NXDomains in the DNS database, each of which received more than ten thousand DNS queries per month. We then deploy a honeypot for our registered domains and collect 5,925,311 incoming queries for 6 months, from which we discover that 5,186,858 and 505,238 queries are generated from automated processes and web crawlers, respectively. Finally, we perform extensive traffic analysis on our collected data and reveal that NXDomains can be misused for various purposes, including botnet takeover, malicious file injection, and residue trust exploitation.
Rights
© 2023 the Owner/Authors.
This work is licensed under a Creative Commons Attribution 4.0 International License.
Original Publication Citation
Liu, G., Jin, L., Hao, S., Zhang, Y., Liu, D., Stavrou, A., & Wang, H. (2023). Dial "N" for NXDomain: The scale, origin, and security implications of DNS queries to non-existent domains. In Proceedings of the 2023 ACM on Internet Measurement Conference (pp. 198-212). Association for Computing Machinery. https://doi.org/10.1145/3618257.3624805
Repository Citation
Liu, G., Jin, L., Hao, S., Zhang, Y., Liu, D., Stavrou, A., & Wang, H. (2023). Dial "N" for NXDomain: The scale, origin, and security implications of DNS queries to non-existent domains. In Proceedings of the 2023 ACM on Internet Measurement Conference (pp. 198-212). Association for Computing Machinery. https://doi.org/10.1145/3618257.3624805
ORCID
0000-0001-7483-5252 (Hao)