Abstract: Focusing on the ISP backbone, this paper presents a method to detect malicious activities such as botnets, phishing and spam that threaten user security in the domain by monitoring DNS interaction messages crossing the network boundary in real time. The method describes DNS behavior patterns in terms of a dependency attribute and a position attribute, and then proposes a supervised-classifier-based DNS activity detection algorithm, DAOS (a binary classifier for a DNS activity observation system). The dependency attribute describes the external usage of a domain name from the perspective of the DNS client, while the position attribute describes the allocation of resource records in the zone file. Experimental results show that, with a DNS data source covering 2 hours, the algorithm achieves 90.5% accuracy, a 2.9% false positive rate and a 6.6% false negative rate without prior knowledge. If the observation is kept up for a week, accuracy rises to 93.9%, and the false positive and false negative rates fall to 1.3% and 4.8% respectively.