Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I

Research Article

Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists

  • @INPROCEEDINGS{10.1007/978-3-030-90019-9_24,
      author={Martin Fejrskov and Jens Myrup Pedersen and Emmanouil Vasilomanolakis},
      title={Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists},
      proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part I},
      proceedings_a={SECURECOMM},
      year={2021},
      month={11},
      keywords={Blacklist DNS Netflow Ipfix ISP RBL Threat intelligence},
      doi={10.1007/978-3-030-90019-9_24}
    }

  • Martin Fejrskov
    Jens Myrup Pedersen
    Emmanouil Vasilomanolakis
    Year: 2021
    Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-030-90019-9_24
Martin Fejrskov (1), Jens Myrup Pedersen (2), Emmanouil Vasilomanolakis (2)
  • 1: Telenor A/S
  • 2: Cyber Security Group, Aalborg University

Abstract

To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative that uses NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38–40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.