You are here: Home Contents V7 N2 V7N2_Born.html
Personal tools

Detecting and Visualizing Domain-Based DNS Tunnels Through N-Gram Frequency Analysis



Full text

Journal of Information System Security
Volume 7, Number 2 (2011)
Pages 2748
ISSN 1551-0123
Kenton Born — Kansas State University, USA
David A. Gustafson — Kansas State University, USA
Information Institute Publishing, Washington DC, USA




High-bandwidth covert channels pose significant risks to sensitive and proprietary information inside company networks. Domain Name System (DNS) tunnels provide a means to covertly infiltrate and exfiltrate large amounts of information past network boundaries. This paper explores the possibility of detecting DNS tunnels by analyzing the unigram, bigram, and trigram character frequencies of domains in DNS queries and responses. It is empirically shown how domains follow Zipf's law in a similar pattern to natural languages, whereas tunneled traffic has discovered when tunneled traffic is compared to the character frequency fingerprint of legitimate domain traffic.

A tool called NgViz is developed that examines DNS traffic and shows anomalies in n-gram frequencies of domains found in query and response resource records. This is accomplished by comparing input files against a fingerprint of legitimate traffic. Both quantitative analysis and visual aids are provided that allow the user to make determinations about the legitimacy of the DNS traffic.




DNS, Character Frequency Analysis, Visualization, Anomaly Detection, Network Traffic Analysis, Covert Communication




Borders, K. And Prakash, A (2004), "Web tap: detecting covert web traffic," In CCS'04: Proceedings of the 11th ACM conference on Computer and communications security, New York, NY. ACM Press, 110-120.

Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L. (2007), “Detecting HTTP Tunnels with Statistical Mechanisms", IEEE International Conference on Communications (ICC) ‘07, 6162-6168.

Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L. (2008), "Detection of Encrypted Tunnels across Network Boundaries," in Proceedings of the 43rd IEEE International Conference on Communications (ICC 2008), May 19-23, Beijing, China.

Dembour, O. (2008), 'Dns2tcp', Nov 2008.

'Dnstop',, 2009.

'Dsc',, 2009.

Dusi, M., Gringoli, F., Salgarelli, L. (2008), "A Preliminary Look at the Privacy of SSH Tunnels," in Proceedings of the 17th IEEE International Conference on Computer Communications and Networks (ICCN 2008), Aug. 2008. St. Thomas, U.S. Virgin Islands.

Hind, Jarod, (2009), Catching DNS Tunnels with A.I., Proceedings of DefCon 17, July 29-Aug 2. Las Vegas, Nevada. 'Iodine', June 2009.

Orebaugh, Angela (2006), “An Instance Messaging Intrusion Detection System Framework: Using character frequency analysis for authorship identification and validation,” Proceedings 2006 40th Annual IEEE International, Oct, 160-172.

Plonka, D., and Barford, P. (2008), Context-aware clustering of dns query traffic, Proceedings of the 8th ACM SIGCOMM Internet Measurement Conference (IMC'08), Oct 20-22, Vouliagmeni, Greece.

Mockapetris, P. (1987), 'RFC1035 - Domain names - implementation and specification',, November 1987.

'Relative frequencies of letters',, 2009.

Ren, P., Kristoff, J., Gooch, Bruce (2006), 'Visualizing DNS traffic'. Proceedings of the 3rd international workshop on Visualization for computer security, Oct 30-Nov 03, 2006, Alexandria, VA.

Shannon, Claude E. (1951), "Prediction and entropy of printed English," The Bell System Technical Journal, 30:50-64.

'TCP-over-DNS tunnel software HOWTO', July 2008.

'Top Sites',, Nov 2009.

Zipf, G (1932), "Selective Studies and the Principle of Relative Frequency in Language," Cambridge, Ma

'Zipf's Law',, Aug 2009.