SFCSD: A Self-Feedback Correction System for DNS Based on Active and Passive Measurement

TL;DR

This paper introduces SFCSD, a system that automatically corrects DNS records by combining passive traffic analysis and active verification, significantly improving DNS accuracy and security.

Contribution

The paper presents a novel self-feedback correction system for DNS that integrates passive and active measurements to enhance DNS record accuracy.

Findings

Achieves 94.3% precision and 93.07% recall in DNS correction.

Processes nearly 1000 domain-IP pairs daily at 8Gbps speed.

Effectively corrects approximately 200 DNS records per day.

Abstract

Domain Name System (DNS), one of the important infrastructure in the Internet, was vulnerable to attacks, for the DNS designer didn't take security issues into consideration at the beginning. The defects of DNS may lead to users' failure of access to the websites, what's worse, users might suffer a huge economic loss. In order to correct the DNS wrong resource records, we propose a Self-Feedback Correction System for DNS (SFCSD), which can find and track a large number of common websites' domain name and IP address correct correspondences to provide users with a real-time auto-updated correct (IP, Domain) binary tuple list. By matching specific strings with SSL, DNS and HTTP traffic passively, filtering with the CDN CNAME and non-homepage URL feature strings, verifying with webpage fingerprint algorithm, SFCSD obtains a large number of highly possibly correct IP addresses to make an active manual correction in the end. Its self-feedback mechanism can expand search range and improve performance. Experiments show that, SFCSD can achieve 94.3% precision and 93.07% recall rate with the optimal threshold selection in the test dataset. It has 8Gbps processing speed stand-alone to find almost 1000 possibly correct (IP, Domain) per day for the each specific string and to correct almost 200.