{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T22:44:51Z","timestamp":1771022691819,"version":"3.50.1"},"reference-count":46,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2017,9,25]],"date-time":"2017-09-25T00:00:00Z","timestamp":1506297600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>With the help of botnets, intruders can implement a remote control on infected machines and perform various malicious actions. Domain Name System (DNS) is very famous for botnets to locate command and control (C and C) servers, which enormously strengthens a botnet\u2019s survivability to evade detection. This paper focuses on evasion and detection techniques of DNS-based botnets and gives a review of this field for a general summary of all these contributions. Some important topics, including technological background, evasion and detection, and alleviation of botnets, are discussed. We also point out the future research direction of detecting and mitigating DNS-based botnets. 
To the best of our knowledge, this topic gives a specialized and systematic study of the DNS-based botnet evading and detecting techniques in a new era and is useful for researchers in related fields.<\/jats:p>","DOI":"10.3390\/fi9040055","type":"journal-article","created":{"date-parts":[[2017,9,26]],"date-time":"2017-09-26T04:28:01Z","timestamp":1506400081000},"page":"55","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":27,"title":["Botnet Detection Technology Based on DNS"],"prefix":"10.3390","volume":"9","author":[{"given":"Xingguo","family":"Li","sequence":"first","affiliation":[{"name":"National Key Laboratory of Fundamental Science on Synthetic Vision, Sichuan University, Chengdu 610065, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Junfeng","family":"Wang","sequence":"additional","affiliation":[{"name":"College of Computer Science, Sichuan University, Chengdu 610065, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiaosong","family":"Zhang","sequence":"additional","affiliation":[{"name":"Center for Cyber Security, University of Electronic Science and Technology of China, Chengdu 611731, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2017,9,25]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Alieyan, K., Kadhum, M.M., Anbar, M., Rehman, S.U., and Alajmi, N.K.A. (2016, January 19\u201321). An overview of DDoS attacks based on DNS. Proceedings of the International Conference on Information and Communication Technology Convergence (ICTC), Jeju Island, Korea.","DOI":"10.1109\/ICTC.2016.7763485"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1016\/S1353-4858(16)30027-7","article-title":"Detecting and destroying botnets","volume":"2016","author":"Gross","year":"2016","journal-title":"Netw. 
Secur."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"475","DOI":"10.1016\/j.cose.2013.10.001","article-title":"DNS amplification attack revisited","volume":"39","author":"Anagnostopoulos","year":"2013","journal-title":"Comput. Secur."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and Other Botnets","volume":"50","author":"Kolias","year":"2017","journal-title":"Computer"},{"key":"ref_5","unstructured":"Gardner, M.T., Beard, C., and Medhi, D. (2017, January 8\u201310). Using SEIRS Epidemic Models for IoT Botnets Attacks. Proceedings of the 13th International Conference on Design of Reliable Communication Networks (DRCN 2017), Munich, Germany."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Jerkins, J.A. (2017, January 9\u201311). Motivating a market or regulatory solution to IoT insecurity with the Mirai botnet code. Proceedings of the 2017 IEEE 7th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA.","DOI":"10.1109\/CCWC.2017.7868464"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"455","DOI":"10.1007\/s10207-015-0310-0","article-title":"New facets of mobile botnet: Architecture and evaluation","volume":"15","author":"Anagnostopoulos","year":"2016","journal-title":"Int. J. Inf. Secur."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"1132","DOI":"10.1109\/ACCESS.2015.2458581","article-title":"Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis","volume":"3","author":"Zhao","year":"2015","journal-title":"IEEE Access"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., and Bos, H. (2013, January 19\u201322). SoK: P2PWNED\u2014Modeling and Evaluating the Resilience of Peer-to-Peer Botnets. 
Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP.2013.17"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Yadav, S., Reddy, A., and Reddy, A.L. (2010, January 1\u20133). Detecting algorithmically generated malicious domain names. Proceedings of the 2010 ACM SIGCOMM Conference on Internet Measurement, Melbourne, Australia.","DOI":"10.1145\/1879141.1879148"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"230","DOI":"10.1016\/j.cose.2016.01.007","article-title":"Combating the evasion mechanisms of social bots","volume":"58","author":"Ji","year":"2016","journal-title":"Comput. Secur."},{"key":"ref_12","unstructured":"Porras, P., Saidi, H., and Yegneswaran, V. (2009, January 22\u201324). A foray into Conficker\u2019s logic and rendezvous points. Proceedings of the 2nd USENIX Conference on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, Boston, MA, USA."},{"key":"ref_13","unstructured":"(2016, December 26). FBI Cracks $100m Financial-Crime Botnet. Available online: http:\/\/itp.net\/mobile\/598440-fbi-cracks-100m-financial-crime-botnet."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Sakib, M.N., and Huang, C. (2016, January 23\u201327). Using anomaly detection based techniques to detect HTTP-based botnet C&C traffic. Proceedings of the IEEE International Conference on Communications (ICC), Kuala Lumpur, Malaysia.","DOI":"10.1109\/ICC.2016.7510883"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.jnca.2016.10.007","article-title":"Survey of approaches and features for the identification of HTTP-based botnet traffic","volume":"76","author":"Acarali","year":"2016","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Asha, S., Harsha, T., and Soniya, B. (2016, January 6\u20137). Analysis on botnet detection techniques. 
Proceedings of the International Conference on Research Advances in Integrated Navigation Systems (RAINS), Karnataka, India.","DOI":"10.1109\/RAINS.2016.7764411"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MSP.2010.144","article-title":"Analysis of a botnet takeover","volume":"9","author":"Cova","year":"2011","journal-title":"IEEE Secur. Priv."},{"key":"ref_18","unstructured":"(2016, May 19). The Honeynet Project. \u201cKnow Your Enemy: Fast-Flux Service Networks\u201d. Available online: http:\/\/www.honeynet.org\/papers\/ff\/."},{"key":"ref_19","unstructured":"Passerini, E., Paleari, R., Martignoni, L., and Bruschi, D. (2008, January 10\u201311). FluXOR: Detecting and monitoring fast flux service networks. Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA \u201908), Paris, France."},{"key":"ref_20","unstructured":"Holz, T., Gorecki, C., Freiling, F., and Rieck, K. (2008, January 8\u201311). Measuring and detecting fast-flux service networks. Proceedings of the 15th Network and Distributed System Security Conference (NDSS\u201908), San Diego, CA, USA."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Nazario, J., and Holz, T. (2008, January 7\u20138). As the net churns: Fast-flux botnet observations. Proceedings of the 3rd International Conference on Malicious and Unwanted Software (MALWARE\u201908), Alexandria, VA, USA.","DOI":"10.1109\/MALWARE.2008.4690854"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., and Eaton, G. (2009, January 13\u201315). Behavioral analysis of fast flux service networks. 
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW\u201909), Knoxville, TN, USA.","DOI":"10.1145\/1558607.1558662"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., and Eaton, G. (2009, January 3\u20134). Real-time detection of fast flux service networks. Proceedings of the Cybersecurity Applications and Technology Conference for Homeland Security (CATCH\u201909), Washington, DC, USA.","DOI":"10.1109\/CATCH.2009.44"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Perdisci, R., Corona, I., Dagon, D., and Lee, W. (2009, January 7\u201311). Detecting malicious flux service networks through passive analysis of recursive DNS traces. Proceedings of the Annual Computer Security Applications Conference (ACSAC\u201909), Honolulu, HI, USA.","DOI":"10.1109\/ACSAC.2009.36"},{"key":"ref_25","unstructured":"Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M. (2011, January 6\u20139). EXPOSURE: Finding malicious domains using passive DNS analysis. Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA."},{"key":"ref_26","unstructured":"Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., and Dagon, D. (2011, January 8\u201312). Detecting malware domains at the upper DNS hierarchy. Proceedings of the USENIX Security Symposium, San Francisco, CA, USA."},{"key":"ref_27","unstructured":"Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N. (2010, January 11\u201313). Building a Dynamic Reputation System for DNS. Proceedings of the USENIX Security Symposium, Washington, DC, USA."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Hu, X., Knysz, A., and Shin, K.G. (2011, January 10\u201315). Measurement and Analysis of Global IP-Usage Patterns of Fast-Flux Botnets. 
Proceedings of the IEEE INFOCOM, Shanghai, China.","DOI":"10.1109\/INFCOM.2011.5935091"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Gr\u017eini\u0107, T., Perho\u010d, D., Mari\u0107, M., Vla\u0161i\u0107, F., and Kulcsar, T. (2014, January 26\u201330). CROFlux\u2013Passive DNS Method for Detecting Fast-Flux Domains. Proceedings of the 2014 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia.","DOI":"10.1109\/MIPRO.2014.6859782"},{"key":"ref_30","unstructured":"Barabosch, T., Wichmann, A., Leder, F., and Gerhards-Padilla, E. (2016, May 19). Automatic Extraction of Domain Name Generation Algorithms from Current Malware. NIAS, 2012. Available online: http:\/\/four.cs.uni-bonn.de\/fileadmin\/user_upload\/wichmann\/Extraction_DNGA_Malware.pdf."},{"key":"ref_31","unstructured":"(2016, October 29). Domain Name Generator for Murofet. Available online: http:\/\/blog.threatexpert.com\/."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Thomas, M., and Mohaisen, A. (2014, January 7\u201311). Kindred domains: Detecting and clustering botnet domains using DNS traffic. Proceedings of the International Conference on World Wide Web Companion, Seoul, Korea.","DOI":"10.1145\/2567948.2579359"},{"key":"ref_33","unstructured":"Heuer, T., Schiering, I., Klawnn, F., Gabel, A., and Seeger, M. (September, January 31). Recognizing Time-Efficiently Local Botnet Infections\u2014A Case Study. Proceedings of the 11th International Conference on Availability, Reliability and Security (ARES), Salzburg, Austria."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Erquiaga, M.J., Catania, C., and Garc\u00eda, S. (2016, January 15\u201317). Detecting DGA malware traffic through behavioral models. 
Proceedings of the 2016 IEEE Biennial Congress of Argentina (ARGENCON), Buenos Aires, Argentina.","DOI":"10.1109\/ARGENCON.2016.7585238"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2016.10.001","article-title":"DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis","volume":"64","author":"Wang","year":"2017","journal-title":"Comput. Secur."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Wang, T., Lin, C., and Lin, H. (2016, January 4\u20136). DGA Botnet Detection Utilizing Social Network Analysis. Proceedings of the 2016 International Symposium on Computer, Consumer and Control (IS3C), Xi\u2019an, China.","DOI":"10.1109\/IS3C.2016.93"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"48","DOI":"10.1016\/j.comnet.2015.12.008","article-title":"PsyBoG: A scalable botnet detection method for large-scale DNS traffic","volume":"97","author":"Kwon","year":"2016","journal-title":"Comput. Netw."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Nadji, Y., Antonakakis, M., Perdisci, R., Dagon, D., and Lee, W. (2013, January 4\u20138). Beheading Hydras: Performing Effective Botnet Takedowns. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS), Berlin, Germany.","DOI":"10.1145\/2508859.2516749"},{"key":"ref_39","unstructured":"Nelms, T., Perdisci, R., and Ahamad, M. (2013, January 14\u201316). Execscent: Mining for new C&C domains in live networks with adaptive control protocol templates. Proceedings of the USENIX Security Symposium, Washington, DC, USA."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Schiavoni, S., Maggi, F., Cavallaro, L., and Zanero, S. (2014). Phoenix: DGA-based botnet tracking and intelligence. Detection of Intrusions and Malware, and Vulnerability Assessment, 2014, Springer.","DOI":"10.1007\/978-3-319-08509-8_11"},{"key":"ref_41","unstructured":"Sharifnya, R., and Abadi, M. (November, January 31). 
A Novel Reputation System to Detect DGA-Based Botnets. Proceedings of the International Conference on Computer and Knowledge Engineering (ICCKE), Mashhad, Iran."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Grill, M., Nikolaev, I., Valeros, V., and Rehak, M. (2015, January 11\u201315). Detecting DGA malware using NetFlow. Proceedings of the IFIP\/IEEE International Symposium on Integrated Network Management (IM), Ottawa, ON, Canada.","DOI":"10.1109\/INM.2015.7140486"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Bottazzi, G., and Italiano, G.F. (2015, January 26\u201328). Fast Mining of Large-Scale Logs for Botnet Detection: A Field Study. Proceedings of the IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing, Liverpool, UK.","DOI":"10.1109\/CIT\/IUCC\/DASC\/PICOM.2015.295"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Mowbray, M., and Hagen, J. (2014, January 3\u20136). Finding Domain-Generation Algorithms by Looking at Length Distributions. Proceedings of the IEEE International Symposium on Software Reliability Engineering Workshops, Naples, Italy.","DOI":"10.1109\/ISSREW.2014.20"},{"key":"ref_45","unstructured":"Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., and Dagon, D. (2012, January 8\u201310). From throw-away traffic to bots: Detecting the rise of DGA-based malware. Proceedings of the USENIX Conference on Security Symposium, Bellevue, WA, USA."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Wang, T., Hu, X., Jang, J., Ji, S., Stoecklin, M., and Taylor, T. (2016, January 27\u201330). BotMeter: Charting DGA-Botnet Landscapes in Large Networks. 
Proceedings of the IEEE 36th International Conference on Distributed Computing Systems (ICDCS), Nara, Japan.","DOI":"10.1109\/ICDCS.2016.77"}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/9\/4\/55\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T18:45:50Z","timestamp":1760208350000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/9\/4\/55"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,9,25]]},"references-count":46,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2017,12]]}},"alternative-id":["fi9040055"],"URL":"https:\/\/doi.org\/10.3390\/fi9040055","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,9,25]]}}}