The invention belongs to the field of power system computers. The method is a malicious domain name infected host tracing method. The method comprises: establishing a database on a platform, collecting DNS server logs, anti-virus searching and killing logs, virus access URL feature information, a disposal knowledge base and IP address division information of all associated hosts in a power grid system on a platform; establishing a virus feature table according to the collected virus access URL feature information, establishing a processing suggestion table according to a processing knowledge base, and storing IP address division information; and obtaining a DNS server log from a host, analyzing and normalizing the DNS server log through comparative analysis, then performing feature comparison with the virus feature table, generating an alarm according to suggestions corresponding to virus features compared in the virus feature table in the processing suggestion table, and then enteringa processing flow. According to the invention, the attacked host is disposed in time according to the disposal suggestions, thereby achieving the purposes of ensuring the security of the informationintranet and reducing the security threat.