Identifying malevolent DNS servers

Supervisor(s)Sebastian Luhn, MSc


The Domain Name System (DNS) is a basic functionality of the web, needed to translate host names into accessible IP addresses. The main protection goal of this system has always been availabilty, with less focus on integrity (although that will be covered by DNSSEC) and confidentiality. To target integrity, some malware reassigns a computer’s standard DNS server to one of the adversary’s choice, usually to lead the user to fraudulent websites instead of the ones she requested.

In this thesis, possibilities to indentify malevolent DNS servers under the assumption of Kerckhoffs’ principle shall be examined. I.e., depending on the technique used for identification, the DNS server could anticipate those attempts and behave in an innocuous way. This possibility, again, should be anticipated on the identifier’s side to prevent such obfuscating attempts.


  • Dagon, D., Lee, C., Lee, W., and Provos, N. Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In Proceedings of the 15th Network and Distributed System Security Symposium (NDSS). San Diego, CA, 2008.