[dns-operations] Fingerprinting stub resolvers

Liu Mingxing lmxhappy at gmail.com
Sun Jan 6 00:51:06 UTC 2013


Seemingly you have something perfect to share. Would you like to share your achievement?




Liu Mingxing

From: John Kristoff
Date: 2013-01-05 01:05
To: Matthew Pounsett
CC: dns-operations
Subject: Re: [dns-operations] Fingerprinting stub resolvers
On Fri, 4 Jan 2013 11:05:47 -0500
Matthew Pounsett <matt at conundrum.com> wrote:

> A friend of mine at an ISP asked me recently whether I had any
> suggestions for fingerprinting stub resolvers.  They've got pcaps
> from the downstream side of their caching servers and are looking at
> trying to pull more interesting statistics than query counts out of
> them.  I didn't have any good suggestions, but it seems like an
> interesting question to ask of one's name server.   Has anyone else
> tackled this before?  Do tools exist?

I've not tried it in an automated way, but if you have pcaps of stub
resolvers, that ought to tell you a good deal.  Certain operating
systems, for instance, may use particular IP TTL values, have differing
IP ID field generation techniques, utilize a distinct pool of
source ports, select source ports in an observable way, issue
particular queries commonly associated with a particular operating system
or application, generate queries at deterministic intervals and in
recurring but identifiable patterns, and lastly, but probably not
exhaustively, select or utilize configured full resolvers in ways
unique to the stub resolver implementation.

John
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
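
An added example, not part of the original thread: it extracts, per client address, several of the features named in the reply above (IP TTL, IP ID generation, source-port pool, query timing) from raw IPv4 packets. The function names, feature labels, thresholds and sample packets are assumptions constructed for illustration; packets are expected with link-layer headers already removed.

```python
import struct
from collections import defaultdict
def parse_query(pkt):
    """(src_ip, ttl, ip_id, src_port) for an IPv4/UDP packet to port 53, else None."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    (ip_id,) = struct.unpack_from("!H", pkt, 4)
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (".".join(map(str, pkt[12:16])), pkt[8], ip_id, sport) if dport == 53 else None

def classify_ip_id(ids):
    if len(ids) < 2:
        return "unknown"
    if not any(ids):
        return "zero"
    # Small positive steps (mod 2^16) suggest a counter; the 256 bound is an assumption.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    return "incrementing" if all(0 < d < 256 for d in deltas) else "random"

def fingerprint(capture):
    """capture: iterable of (timestamp, raw IPv4 packet); returns features per client."""
    clients = defaultdict(list)
    for ts, pkt in capture:
        if (rec := parse_query(pkt)):
            clients[rec[0]].append((ts,) + rec[1:])
    result = {}
    for src, rows in clients.items():
        ts, ttls, ids, ports = zip(*sorted(rows))
        gaps = {round(b - a, 3) for a, b in zip(ts, ts[1:])}
        result[src] = {
            # Round the observed TTL up to the nearest common starting value.
            "initial_ttl": next(t for t in (32, 64, 128, 255) if max(ttls) <= t),
            "ip_id": classify_ip_id(ids),
            "port_range": (min(ports), max(ports)),
            "fixed_interval": len(ts) > 2 and len(gaps) == 1,
        }
    return result

def build(src, ttl, ip_id, sport):
    """Constructed test packet: bare IPv4 + UDP headers, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, ttl, 17, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 53]))
    return ip + struct.pack("!HHHH", sport, 53, 8, 0)

# Constructed sample, not real traffic: (time, source, TTL, IP ID, source port)
ROWS = [(0.0, "198.51.100.10", 127, 1000, 49731), (1.5, "198.51.100.10", 127, 1001, 52118),
        (4.0, "198.51.100.10", 127, 1003, 61002), (0.0, "198.51.100.20", 63, 0x3A1F, 1025),
        (30.0, "198.51.100.20", 63, 0x91C2, 1026), (60.0, "198.51.100.20", 63, 0x0007, 1027)]
SAMPLE = [(t, build(s, ttl, i, p)) for t, s, ttl, i, p in ROWS]
```

Calling `fingerprint(SAMPLE)` returns one feature dictionary per source address; on a real capture the same function takes the timestamp and IP payload of each record read from the pcap.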