Finding disposable domain names: A linguistics-based stacking approach

An increasing number of Internet services tend to collect one-time information from clients via DNS queries. Notably, the uncertainty of such transient information makes these domain names be queried only once in their lifetime. This type of domain is called disposable domain. Although they do not involve any malicious activities, the efficiency of DNS infrastructures is still affected by their ever-increasing number. Existing approaches for detecting disposable domains have serious disadvantages, such as poor timeliness and high false positive rate. In this paper, we conduct an extensive measurement study of the ISP-level DNS traffic and find that the readability of domain name is suitable for identifying disposable domains. Therefore, we propose Vogers, a linguistics-based stacking model, to detect disposable domains from raw DNS traffic. Compared with the prior arts, Vogers decreases the false positive rate by more than 17%, while maintaining the true positive rate above 98.9%. In addition, Vogers generalizes quite well to unknown environments, whereby we are able to report new disposable domains. Our further application of Vogers in the real-world DNS traffic shows that filtering disposable domains can improve the efficiency of DNS infrastructures.