Abstract
In recent years, DNS hijacking has become a significant security threat to the infrastructure of the Domain Name System (DNS). A prevalent form of DNS hijacking exploits open resolvers to manipulate DNS records. Such attacks undermine the availability and confidentiality of network services and pose serious risks to legitimate users. Current DNS hijacking detection methods tend to focus on specific domains, leveraging the unique characteristics of domain-specific hijacking to identify attacks. Consequently, these methods are often limited in applicability and may lack accuracy when dealing with diverse hijacking scenarios. Additionally, many existing approaches face efficiency challenges, making them less effective for long-term monitoring of hijacking activity. To address these challenges, this paper introduces F2D, an efficient detection method tailored for general DNS hijacking. First, F2D uses an accurate and efficient filtration-funnel strategy for targeted resolver hijacking detection. Second, two optimized detection algorithms are proposed for comprehensive filtration. Third, the method includes an efficient mechanism for identifying CDN domains, enabling the filtration of a large number of content replication servers and improving overall detection efficiency. During the validation phase, we monitor around 36k domains and around 600 resolvers over a one-month period. The effectiveness of our method is validated using manually labeled sample data. Experimental results demonstrate that our method improves F1 performance by 10% at the same false-alert level, and time efficiency by 39%, compared to the state of the art. Furthermore, we conduct an in-depth analysis of the captured hijacking incidents and deduce the motivation behind the hijacking.
Dong et al. studied this question.