Tutorial 3

Date/Time: Thursday, October 18th, 2012 9:00am - 12:00pm
Duration: 3 hours
Title: Large-Scale DNS Data Analysis

Presenter: David Dagon, Georgia Institute of Technology


DNS data is increasingly used in security analysis, intrusion detection, and research. Even small DNS collection systems can generate enormous amounts of DNS traffic, requiring tera-scale storage. As a result, researchers looking at DNS traffic must often develop real-time, in-line analysis tools.

This tutorial will offer pragmatic advice and examples of DNS data in network measurement, security analysis, and threat identification. The focus will be on tool creation and modification (e.g., creating re-usable frameworks for real-time analysis), rather than any individual research topic (e.g., machine learning, measurement, or botnet remediation).

Participants are assumed to have strong skills in C and Python programming, familiarity with large-scale 'NoSQL' storage systems, and some familiarity with DNS resolver configuration (e.g., BIND, Unbound). For portions of the tutorial, participants will interact with local systems deployed on a LAN, and so should bring a suitable notebook or system. Depending on external network conditions, experiments will be run on existing DNS information sharing systems such as SIE. To simplify network access and to speed up development exercises, participants will be given a virtual machine image. The tutorial is designed for FreeBSD and Debian systems, but participants are free to bring their own gear and adapt. Components of this tutorial include:

In short, this is a pragmatic, tools-oriented tutorial. It is designed for researchers interested in working with large-scale DNS data. While motivating examples focus on DNS abuse, security and botnets, the tools are of general use for those performing surveys, measurement, or other tasks involving tera-scale DNS data.


David Dagon is a researcher at Georgia Tech, focusing on DNS security, botnets, and malware. He has written extensively on numerous DNS-based security topics, including DNS poisoning, DNS forgery resistance, and vulnerabilities in resolver architectures. He is the creator of the DNS-0x20 protocol, a DNS security measure now in wide use by DNS resolvers on the Internet. He is the co-founder of Damballa, an Atlanta-based security company that leverages DNS intelligence to protect enterprises.

Last modified: 2012-09-06 11:52:26 EDT