Detection of host search activity in PTR resource record based DNS query packet traffic

We statistically investigated the total PTR resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st to December 31st, 2009. The obtained results are: (1) We observed fourteen host search (HS) activities in which we can observe rapid decreases in the unique source IP address based entropy of the inbound PTR RR based the DNS query packet traffic and significant increases in the unique DNS query keyword based one. (2) We found the consecutive and random IP address based queries in the PTR RR based DNS query request packet traffic through the days of January 8th and 21st, 2009, respectively. Also (3), we calculated Euclidean distances between the observed IP address and the last observed IP address as the DNS query keywords and we detected two kinds of HS activities by employing both threshold ranges of 1.0-2.0 and 150.2-210.4, respectively. Therefore, these results show that we can detect the HS activity by calculating the Euclidean distances between the currently- and the last-observed IP addresses in the inbound PTR RR based DNS query request packet traffic.