May 6 – 7, 2021
UTC timezone
OARC 35 Day 1 - begins 01:00 UTC Today 6 May.

Botnet Traffic Observed at Various Levels of the DNS Hierarchy

May 7, 2021, 1:00 AM
Standard Presentation Online Workshop OARC 35 Day 2


Duane Wessels (Verisign)


This presentation explores DNS traffic patterns for a garrulous botnet observed at the root, authoritative TLD name servers, and delegated name servers. We will present measurements of DNS query volume observed at each of these layers while conducting various experiments on the sinkholed domains including variations of TTL, response codes, response sizes, and more. Our results highlight some operational insights into recursive resolver behaviors and the implications of managing / addressing botnet traffic.

Primary authors

Duane Wessels (Verisign) Matthew Thomas (Verisign)

Presentation materials