[dns-operations] Fingerprinting stub resolvers

John Kristoff jtk at cymru.com
Fri Jan 4 17:05:47 UTC 2013

On Fri, 4 Jan 2013 11:05:47 -0500
Matthew Pounsett <matt at conundrum.com> wrote:

> A friend of mine at an ISP asked me recently whether I had any
> suggestions for fingerprinting stub resolvers.  They've got pcaps
> from the downstream side of their caching servers and are looking at
> trying to pull more interesting statistics than query counts out of
> them.  I didn't have any good suggestions, but it seems like an
> interesting question to ask of one's name server.  Has anyone else
> tackled this before?  Do tools exist?

I've not tried it in an automated way, but if you have pcaps of stub
resolvers, that ought to tell you a good deal.  Certain operating
systems, for instance, may use particular IP TTL values, have differing
IP ID field generation techniques, utilize a distinct pool of
source ports, select source ports in an observable way, issue
particular queries commonly associated with a particular operating
system or application, generate queries at deterministic intervals and
in recurring but identifiable patterns, and lastly, but probably not
exhaustively, select or utilize configured full resolvers in ways
unique to the stub resolver implementation.
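The passive-measurement approach described above, worked through as an added example that is not part of the original post or this list thread. It is pure Python with no pcap library: a small hand-written parser pulls the IP TTL, IP ID, source port and QNAME out of Ethernet/IPv4/UDP query frames, and a profiler groups them per source address and derives the features John lists (inferred initial TTL and hop count, IP ID generation style, source port reuse and range, query timing regularity, and the names asked for). Everything here is assumed or constructed: the frames are built in the script rather than captured, the list of conventional initial TTLs (32/64/128/255), the "IP ID step of at most 8 means a counter" threshold, and the function names are all choices made for this example, and the fingerprint is only ever as good as the traffic you feed it.

```python
import struct
import statistics
from collections import defaultdict

# Conventional initial IP TTLs; assuming every host starts from one of these is an assumption of this example.
INITIAL_TTLS = (32, 64, 128, 255)


def parse_query_frame(frame):
    """Parse an Ethernet/IPv4/UDP frame; return (src_ip, ttl, ip_id, sport, qname) for a DNS query, else None."""
    if len(frame) < 14 + 20 + 8 + 12 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                  # IPv4 only in this example
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_id, ttl, proto = struct.unpack("!H", ip[4:6])[0], ip[8], ip[9]
    if proto != 17:
        return None                                  # not UDP
    src_ip = ".".join(str(b) for b in ip[12:16])
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    dns = udp[8:]
    if dport != 53 or struct.unpack("!H", dns[2:4])[0] & 0x8000:
        return None                                  # not to port 53, or QR bit set (a response)
    labels, pos = [], 12                             # QNAME follows the 12-byte DNS header
    while dns[pos]:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return src_ip, ttl, ip_id, sport, ".".join(labels)


def build_query_frame(src_ip, ttl, ip_id, sport, qname):
    """Construct a minimal A-record query frame (sample data for this example, not captured traffic)."""
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname_wire + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns   # UDP checksum 0 = absent; parser ignores it
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, ttl, 17, 0, src, bytes([10, 0, 0, 53]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def _classify_ip_id(deltas):
    """Label successive IP ID differences: constant, counter-like, or neither (threshold is an assumption)."""
    if not deltas:
        return "unknown"
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= 8 for d in deltas):
        return "incremental"
    return "random"


def profile_stub_resolvers(capture):
    """capture: iterable of (timestamp, frame) as a pcap reader would yield. Returns a feature dict per source IP."""
    by_src = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_query_frame(frame)
        if parsed:
            src_ip, ttl, ip_id, sport, qname = parsed
            by_src[src_ip].append((ts, ttl, ip_id, sport, qname))
    profiles = {}
    for src_ip, rows in by_src.items():
        rows.sort()                                   # chronological order per source
        ttls = sorted({r[1] for r in rows})
        ip_ids = [r[2] for r in rows]
        ports = [r[3] for r in rows]
        times = [r[0] for r in rows]
        initial = min(t for t in INITIAL_TTLS if t >= ttls[0]) if len(ttls) == 1 else None
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals) if intervals else 0
        profiles[src_ip] = {
            "ttl_observed": ttls,
            "initial_ttl": initial,
            "hops": initial - ttls[0] if initial else None,
            "ip_id": _classify_ip_id([(b - a) % 65536 for a, b in zip(ip_ids, ip_ids[1:])]),
            "distinct_port_ratio": len(set(ports)) / len(ports),   # 1.0 = fresh source port per query
            "port_range": (min(ports), max(ports)),
            "timing_cv": statistics.pstdev(intervals) / mean if len(intervals) > 1 and mean > 0 else None,
            "qnames": sorted({r[4] for r in rows}),
        }
    return profiles


# Constructed sample capture (not real traffic): one periodic, counter-ID, single-port host and one
# host with randomised IP IDs and source ports and bursty timing.
SAMPLE_CAPTURE = [
    (0.0, build_query_frame("192.0.2.10", 126, 1000, 1025, "time.example.net")),
    (30.0, build_query_frame("192.0.2.10", 126, 1001, 1025, "time.example.net")),
    (60.0, build_query_frame("192.0.2.10", 126, 1002, 1025, "time.example.net")),
    (90.0, build_query_frame("192.0.2.10", 126, 1003, 1025, "update.example.net")),
    (0.0, build_query_frame("192.0.2.20", 61, 41017, 52001, "www.example.com")),
    (0.4, build_query_frame("192.0.2.20", 61, 3, 60412, "cdn.example.com")),
    (7.1, build_query_frame("192.0.2.20", 61, 60000, 33107, "www.example.org")),
    (7.3, build_query_frame("192.0.2.20", 61, 2200, 45910, "mail.example.org")),
]

if __name__ == "__main__":
    for src, features in profile_stub_resolvers(SAMPLE_CAPTURE).items():
        print(src, features)
```

On the sample, the first host profiles as initial TTL 128 two hops away, counter-style IP IDs, a single reused source port and a timing coefficient of variation of 0, while the second profiles as initial TTL 64 three hops away with non-sequential IP IDs, a fresh high-range port per query and irregular timing. To run it over a real capture, replace SAMPLE_CAPTURE with the (timestamp, frame) pairs from your pcap reader of choice; the per-host feature vectors are what you would then cluster or match against known implementations, which this example deliberately does not attempt.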


