Point　at　the　anomaly　queries　existing　in　domain　name　system　(DNS),　an　anomaly　detection　algorithm　based　on　DNS　query　logs　is　proposed　to　detect　suspicious　and　abnormal　internet　protocol　addresses　(IP).　First,　multiple　dimensions　of　information　in　the　DNS　logs　are　extracted　to　characterize　the　source　IPs　after　analyzing　the　difference　between　normal　DNS　query　behaviors　and　the　abnormal　ones.　Secondly,　the　datasets　are　mapped　to　a　three-dimensional　space　through　dimensionality　reduction,　which　is　beneficial　for　intuitive　visualization　and　rapid　data　analysis.　Finally,　clustering　the　source　IPs　and　calculating　the　credibility　of　them　to　identify　the　abnormal　ones.　The　experiment　results　show　that　this　algorithm　can　not　only　observe　the　correlation　characteristics　of　multi-dimensional　datasets　directly,　but　also　identify　the　abnormal　source　IPs　in　the　global　and　local　aspects.　©　2018,　Editorial　Department　of　Journal　of　Beijing　University　of　Posts　and　Telecommunications.　All　right　reserved.