Cache Periscope: Gain insights into the global epidemic of malicious domains through DNS Cache

Authors: Yabo Wang, Jiakun Sun, Ruizhi Xiao, Weilong Li, Shuyuan Jin
Journal Article in Computer Networks, Volume 265, Article 111245, published 2025-04-11
DOI: 10.1016/j.comnet.2025.111245
URL: https://www.sciencedirect.com/science/article/pii/S1389128625002130

Abstract:
Domain names are often abused for various harmful and illegal activities. To mitigate these threats, security practitioners have proposed detecting malicious domains based on features such as domain name resolution data, semantic attributes, website appearance, and website correlations. Although these techniques have achieved notable results, they remain relatively passive in countering malicious activities. In this paper, we present a large-scale measurement study of the global epidemic of malicious domain names on open resolvers using cache probing techniques. We propose a modified probing method designed for large-scale domain access estimation. Leveraging this method, we examine the access patterns of malicious domains under open resolvers, which are widely deployed and utilized across the Internet, aiming to map the distribution of malicious activities based on the geographic location of open resolvers. Additionally, to the best of our knowledge, we are the first to propose using domain name top lists to estimate the volume of resolver users, which reflects the potential influence of a resolver. The weights of the estimated user volumes are further validated by real DNS traffic. By integrating these two methods, we evaluate the potential impact of malicious domains and conduct extensive measurements and analyses of malicious domain activities on open resolvers worldwide. Our findings reveal the regional distribution of malicious campaigns and provide insights into the global epidemic of malicious domains. Our measurement results demonstrate that practitioners can actively collect threat intelligence using the proposed techniques, gain insights into the current Internet threats, and implement more proactive measures to combat malicious campaigns.
Journal description:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.