Open DNS Resolver Activity in Campus Network System

2015 
We statistically investigated the total A resource record (RR) based DNS query request packet traffic from the campus network system to the top domain DNS server of a university from January 1st to December 31st, 2014. The results are as follows: (1) We found significant changes in query-keyword-based entropy in the total DNS query request traffic on February 5th, 2014. (2) In the total A-RR-based DNS query request packet traffic, we observed that 73-90% of the query keywords were unique random keywords, involving eleven source IP addresses, resembling a Kaminsky-like random query (KLRQ) attack. (3) We also found that these source IP addresses were assigned to home/broadband routers in campus laboratories, which were acting as open DNS resolvers. (4) We also calculated the frequency distribution of the Levenshtein distance between the DNS query keywords and observed peaks at 10-15 per day. Therefore, we can conclude that the Levenshtein distance model is useful for developing a detection model of open DNS resolvers.
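The three statistics named in the abstract (query-keyword entropy, share of unique keywords, and the Levenshtein distance frequency distribution) can be computed as in the following added example, which is not code from the paper. It assumes the distance is taken between consecutive query keywords; the function names and both sample query lists are constructed for illustration.

```python
import math
from collections import Counter

def levenshtein(a, b):
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def keyword_entropy(names):
    """Shannon entropy in bits of the query-keyword frequency distribution."""
    total = len(names)
    return -sum(c / total * math.log2(c / total) for c in Counter(names).values())

def unique_ratio(names):
    """Fraction of query keywords that are distinct."""
    return len(set(names)) / len(names)

def distance_histogram(names):
    """Assumption: distance is measured between consecutive query keywords."""
    return Counter(levenshtein(x, y) for x, y in zip(names, names[1:]))

def profile(names):
    """Summarise one source's queries; peak_distance is the histogram mode."""
    hist = distance_histogram(names)
    return {"entropy": round(keyword_entropy(names), 3),
            "unique_ratio": round(unique_ratio(names), 3),
            "peak_distance": hist.most_common(1)[0][0]}

# Constructed sample: a client repeatedly resolving two ordinary host names.
NORMAL = ["www.example.edu", "mail.example.edu", "www.example.edu",
          "www.example.edu", "mail.example.edu", "www.example.edu"]

# Constructed sample: random-looking 12-character labels under one domain, as
# relayed by an open resolver. Consecutive labels share no characters, so each
# distance equals the label length.
KLRQ_LIKE = [label + ".example.net" for label in (
    "bdfhcgbfdhgc", "kqiojrqkiroj", "vwszuyywsuzv",
    "305214402531", "hgcbfdcghdbf", "rjoqikjroqki")]

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("klrq-like", KLRQ_LIKE)):
        print(name, profile(sample), dict(distance_histogram(sample)))
```

On the constructed data, the repetitive client shows low entropy and a small peak distance, while the random-label source shows maximal entropy, all-unique keywords, and a peak at the label length.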