[dns-operations] Fingerprinting stub resolvers

Matthew Pounsett matt at conundrum.com
Fri Jan 4 19:22:23 UTC 2013

On 2013/01/04, at 12:05, John Kristoff wrote:

> On Fri, 4 Jan 2013 11:05:47 -0500
> Matthew Pounsett <matt at conundrum.com> wrote:
>> A friend of mine at an ISP asked me recently whether I had any
>> suggestions for fingerprinting stub resolvers.  They've got pcaps
>> from the downstream side of their caching servers and are looking at
>> trying to pull more interesting statistics than query counts out of
>> them.  I didn't have any good suggestions, but it seems like an
>> interesting question to ask of one's name server.   Has anyone else
>> tackled this before?  Do tools exist?
> I've not tried it in an automated way, but if you have pcaps of stub
> resolvers, that ought to tell you a good deal. 

Yeah.  I imagine he's got a fair bit of data there that could be sifted through given the time.  But, I think that coming up with reasonable fingerprints would require a lot of testing where the tester controls both sides of the connection.  It's one thing to try to categorize stubs from just their activity, but to name them you'd have to know for certain what's on the other end.

My impression is that he's hoping someone else has done this before and that there's a wheel out there already invented.  It sounds like that probably hasn't happened, though.

