Research

On the trail of malicious dynamic DNS domains

By Dhia Mahjoub
Posted on April 15, 2013
Updated on August 3, 2020


Dynamic DNS is a useful technology that allows a domain name to point to Internet resources hosted on changing public IP addresses. Consider an individual or small business with a dynamic IP who needs to provide consistent content or services publicly advertised to the outside world via a domain name (e.g. a website, FTP server, mail server, game room, webcam monitoring, etc.). That’s where dynamic DNS helps out. Typically, these customers use the IP assigned to them by their ISP, and every time their IP changes, they notify their dynamic DNS provider to update its name servers so that the customer’s domain now points to the new IP. The notification happens through client software installed on the customer’s router/computer or via an HTTP RESTful API. One such client is DNS-O-Matic by OpenDNS.

Unfortunately, the convenience of dynamic DNS did not go unnoticed by miscreants, who have been abusing free dynamic DNS to perform various attacks such as large-scale malvertising and targeted spear-phishing (both resulting in drive-by downloads), and to host botnet C&C. For attackers, dynamic DNS constitutes another agile evasion technique against IP blocklisting. It also allows them to deliver malicious payloads from constantly changing hosting IPs, be they infected individuals’ computers or compromised public websites. To circumvent domain blocklisting, attackers can also use randomly generated disposable subdomains under the dynamic DNS domain to point to the next hop in a redirection chain or to the final malware hosting IP. This seems similar to fast flux, although from a definition standpoint they are different. With dynamic DNS, the dynamic IP is supposed to fall in the IP range of the ISP (one or a few ASNs), whereas with fast flux, a domain will point to an increasing number of different IPs scattered across numerous ASNs and multiple geographical locations. Additionally, with dynamic DNS, the authoritative name servers for a dynamic DNS domain physically belong to the dynamic DNS provider, whereas with fast flux, double fluxing is possible, where the name servers themselves can be made to point to constantly changing IPs of physical hosts located in disparate ASNs and countries. In practice, dynamic DNS domains map to a much smaller set of IPs than fast flux domains do.

In this blog post, we discuss the relationship between dynamic DNS domains and malware as we see it through mining our large DNS data sets. This can also give some perspective on how to address the problem of rogue dynamic DNS domains.

Dynamic DNS analysis

There are plenty of dynamic DNS providers, both free and for a cost. One good list of them is available here.

Dynamic DNS providers allow users either to register domains (2LDs) or to register subdomains (3LDs) under a predefined set of domains (2LDs). For instance, changeIP.com has a list of 155 domains under which a user can freely register any subdomain of their choice (if it is available). For example, they have 1dumb.com and 2waky.com as pre-registered domains, and a user can register the hostnames johndoe.1dumb.com or myhomebusiness.2waky.com. changeIP also lets users register a domain under the following TLDs: .com, .net, .info, .org, .biz, or .us. This latter option requires an annual registration fee, though. Similar offers are available from other providers like no-ip.com, afraid.org, Dyn.com (formerly known as DynDNS), etc. The common practice for attackers is to abuse the free subdomains.

For this study, we are interested in evaluating the number of dynamic DNS domains we see in our daily authoritative DNS traffic and the percentage of malicious domains among them, and also in finding out which domains are the most frequently abused for hosting subdomains.

First, we collect a sample of known malicious dynamic DNS domains; then we compile a list of known pre-registered domains offered by a few dynamic DNS providers. In the malicious sample, the dynamic DNS providers most used are sitelutions.com, noip.com, changeip.com, and dnsdynamic.org. For the general list, we select known dynamic DNS providers such as changeip.com, dnsdynamic.org, noip.com, freedns.afraid.org, dyndns.com, sitelutions.com, and 3322.org. These samples are not exhaustive, as there are many more dynamic DNS providers (and more of them are abused). Some dynamic DNS providers are not limited to offering dynamic DNS services and also act as regular domain registrars, so a domain registered with a dynamic DNS provider and using its name servers is not necessarily using the dynamic DNS service. We think, however, that these samples are representative enough for the sake of the analysis.

Next, we resolve the NS records (name servers) of all domains in both samples. This list of name servers will be used to filter the daily logs and identify domains using dynamic DNS. The logic here is that if we already know a set of dynamic DNS domains, we can identify their name servers, and any new domain that uses those same name servers will be assumed to be a dynamic DNS domain. The name servers from the general list give a trend on the percentage of total dynamic DNS domains in daily traffic, whereas the name servers from the malicious sample give an idea of the dynamic DNS traffic most likely to be malicious. The name servers associated with the sample of malicious dynamic DNS domains are: ns[1-3].changeip.org, ns[1-5].changeip.com, ns[1,2].dnsdynamic.org, nf[1-5].no-ip.com, and ns[1-5].sitelutions.com.

In the next step, we collect sample authoritative DNS logs from three resolvers in London, Ashburn and Singapore, where for every domain we have its associated authoritative name server(s). For each day, we collect a sample of 1,518,782 domains on average together with their name server data. We collect logs for a week; then, for each day, we identify those domains whose name servers fall within the list of name servers of dynamic DNS providers.

Finally, we compare the identified dynamic DNS domains against our blocklist (which is constantly updated with new data), and we show the results in the figures below. For the sake of this discussion, we call sortecielo.2waky.com a hostname, subdomain or 3LD, and 2waky.com a domain or 2LD. We can see in the figures that there are 30,000+ dynamic DNS hostnames (3LDs) observed daily in the sample authoritative DNS traffic, and 3,000+ corresponding domains (2LDs). For the same period, out of the same daily domain sets, we identify 1,400+ malicious hostnames and 200+ associated domains every day. This gives an idea of the density of the associations between a domain and its “child” subdomains.
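The filtering and counting pipeline described above (match a domain's name servers against the known dynamic DNS name server patterns, split hostnames into 3LD and 2LD, compare against a blocklist, and compute per-domain counts and the percentage of malicious hostnames shown in the later table) as an added example; this is not the post's own Pig/shell code. The log format (one line per hostname with its comma-separated name servers), the sample lines and the blocklist are constructed for illustration.

```python
import re
from collections import defaultdict

# Name server patterns the post lists for the malicious dynamic DNS sample.
DDNS_NS_PATTERNS = [re.compile(p) for p in (
    r"^ns[1-3]\.changeip\.org$", r"^ns[1-5]\.changeip\.com$",
    r"^ns[12]\.dnsdynamic\.org$", r"^nf[1-5]\.no-ip\.com$",
    r"^ns[1-5]\.sitelutions\.com$")]

# Constructed sample log: "<hostname> <ns1>,<ns2>,..." per line (not real traffic).
SAMPLE_LOG = """
sortecielo.2waky.com ns1.changeip.com,ns2.changeip.com
johndoe.1dumb.com ns3.changeip.com
spilak.hopto.org NF1.no-ip.com.,nf2.no-ip.com
1n12.hopto.org nf3.no-ip.com
example.com a.iana-servers.net,b.iana-servers.net
host.myvnc.com nf5.no-ip.com
"""
# Constructed blocklist of known-bad hostnames (3LDs).
BLOCKLIST = {"sortecielo.2waky.com", "spilak.hopto.org"}

def is_ddns_ns(ns):  # does this NS match a known dynamic DNS provider pattern?
    return any(p.match(ns.rstrip(".").lower()) for p in DDNS_NS_PATTERNS)

def parse_log(lines):
    for line in lines:
        parts = line.split()
        if len(parts) == 2:            # skip blanks and malformed lines
            yield parts[0].rstrip(".").lower(), parts[1].split(",")

def analyze(lines, blocklist):
    """Map each 2LD to (hostnames seen, malicious hostnames, % malicious)."""
    seen = defaultdict(lambda: {"hosts": set(), "bad": set()})
    for host, nss in parse_log(lines):
        if not any(is_ddns_ns(n) for n in nss):
            continue                   # not served by a dynamic DNS provider
        domain = ".".join(host.split(".")[-2:])   # 2LD per the post's naming
        seen[domain]["hosts"].add(host)
        if host in blocklist:
            seen[domain]["bad"].add(host)
    return {d: (len(v["hosts"]), len(v["bad"]),
                round(100.0 * len(v["bad"]) / len(v["hosts"]), 2))
            for d, v in seen.items()}

def daily_totals(report):
    """(3LDs seen, 2LDs seen, malicious 3LDs, 2LDs with a malicious 3LD)."""
    if not report:
        return (0, 0, 0, 0)
    hosts, bad = zip(*[(h, b) for h, b, _ in report.values()])
    return sum(hosts), len(report), sum(bad), sum(1 for b in bad if b)
```

Run over a real day's logs, `daily_totals` gives the 3LD/2LD counts in the figures and `analyze` gives the per-domain abuse percentages; note that the 2LD split by last two labels is only right for the provider domains the post discusses, not for public-suffix names like co.uk.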

Top abused dynamic DNS domains

In the following tables, we show the top 20 domains observed in daily traffic over a week as well as the top 20 domains used for malicious purposes over the same period. The count next to each domain represents the number of hostnames under that domain. For example, on the first day, disqus.com had 18,294 hostnames of the form subdomain.disqus.com.

In the next table, we show side by side, for a single day, the top 20 dynamic DNS domains in general traffic and those that had malicious hostnames. We indicate in red those domains that are present in both the top malicious domains and the top popular domains in daily DNS traffic, i.e. no-ip.org, no-ip.biz, no-ip.info, hopto.org, dlinkddns.com, myftp.org, myvnc.com, myftp.biz, and us.to. What is noteworthy is that some popular dynamic DNS domains with general legitimate uses are also the top ones abused for malicious purposes. This makes blocking an entire domain tricky, as that would deny visibility to a lot of legitimate content. Notice that the dynamic DNS provider no-ip.com is the most used one for both legitimate and malicious intent: the domains no-ip.org, no-ip.biz, no-ip.info, hopto.org, myftp.org, myvnc.com, and myftp.biz all use no-ip name servers. The right-hand table of top malicious domains is illustrated at the end of this post as a graph representation.

[top 20 domains in general traffic on the left, and top 20 malicious domains on the right]

In the next table, we show the percentage of hostnames under each domain that are used maliciously. For example, 56.71% of the 3LDs under hopto.org are malicious. Clearly, some domains are heavily used for malicious purposes.

Below, we show an illustrative graph of the mapping of hostnames to domains taken from the list of malicious dynamic DNS domains detected on one day. The largest connected component, in the top left corner, is that of the domain hopto.org, which has 245 malicious 3LDs associated with it, e.g. spilak.hopto.org, arasispodmoonf.hopto.org, 1n12.hopto.org, etc. To the right of hopto.org is the cluster of no-ip.org with 125 malicious 3LDs, then no-ip.info further right with 103 hostnames, etc.

We further took a sample of hostnames under hopto.org and determined that they were used to serve URLs for the Fragus exploit kit, Best Pack exploit kit, Incognito exploit kit, and Java and PDF exploits leading to fake AV trojan downloads. They were also used as C&C for W32/Dorkbot-EK, Rogue:Win32/Winwebsec, Trojan-Ransom.Win32.Mbro.ysw and IRC botnets, and to serve phishing URLs. In another sample, we observe that malicious dynamic DNS domains are massively associated with the Blackhole exploit kit, Neosploit exploits, PDF exploits, and other exploits leading to the delivery of rogue antivirus, trojans, Backdoor SDBot, etc. It is worth mentioning that it is difficult to trace back the registration information of dynamic DNS domains of the form subdomain.[predefined domain].tld, because the whois information only records the registration details of the domain (the 2LD).

Note: The tools and platform I used for this study are our Hadoop dev cluster, Apache Pig, Python, and Unix shell tools (sed, awk, grep, etc.).
