[dns-operations] Fingerprinting stub resolvers

Matthew Pounsett matt at conundrum.com
Fri Jan 4 16:53:29 UTC 2013

On 2013/01/04, at 11:48, Rubens Kuhl wrote:

> On 04/01/2013, at 14:05:000, Matthew Pounsett wrote:
>> A friend of mine at an ISP asked me recently whether I had any suggestions for fingerprinting stub resolvers.  They've got pcaps from the downstream side of their caching servers and are looking at trying to pull more interesting statistics than query counts out of them.  I didn't have any good suggestions, but it seems like an interesting question to ask of one's name server.   Has anyone else tackled this before?  Do tools exist?
> One could try looking for queries similar to the ones fpdns does:
> https://github.com/kirei/fpdns
> fpdns uses very unusual, borderline queries to try to identify the servers, so it might not find many samples in the usual traffic.

fpdns is designed for authoritative servers.  I gather people have had some success running it against caching servers, but neither of those applies here.  One can't assume that the stub resolver is even reachable to bounce queries off of it. Any stub resolver fingerprinting is going to have to be passive.

