IEICE Communications Express
Online ISSN : 2187-0136
ISSN-L : 2187-0136
Analysis of via-resolver DNS TXT queries and detection possibility of botnet communications
Hikaru Ichise, Yong Jin, Katsuyoshi Iida

2016 Volume 5 Issue 3 Pages 74-78

Abstract

Botnets involve various communication protocols, and according to recent reports, DNS TXT records have been used for botnet communications. However, we have never statistically analyzed the usage of DNS TXT records or the signatures of their malicious usage, so it is difficult to block only the malicious usage. In this paper, we analyze the usage of DNS TXT records and present statistical results obtained from more than 5 million real DNS TXT record queries, with responses, captured in our campus network for over 3 months. As a result, we filtered out 2,293 “Unconfirmed” usages of DNS TXT record queries and checked the queried domain names and the destination IP addresses in detail. Finally, we confirmed that checking the unknown usages of DNS TXT queries is effective for detecting botnet communication.

© 2016 The Institute of Electronics, Information and Communication Engineers