ISBN-13: 9781503300248 / English / Paperback / 2014 / 118 pages
The ability to identify network users based on their network behavior has both positive and negative implications. If users are tracked on the Internet without their knowledge or permission, this could be interpreted as a serious violation of their privacy. If used, however, as part of an organization's network security measures, the ability to identify and verify users might assist in determining whether one user is masquerading as a different user, or whether some user is exhibiting abnormal behavior that might precede malicious insider activity. As a step toward enhancing network security, we investigate the use of DNS hostnames and destination IPs for user identification, based on models of user behavior. Our results indicate that using DNS hostnames is a superior method of modeling user behavior. Additionally, when filtering the data for regular accesses, the accuracies improve for both DNS hostnames and destination IPs.