On Fri, 4 Jan 2013 11:05:47 -0500 Matthew Pounsett <[email protected]> wrote:
> A friend of mine at an ISP asked me recently whether I had any
> suggestions for fingerprinting stub resolvers. They've got pcaps
> from the downstream side of their caching servers and are looking at
> trying to pull more interesting statistics than query counts out of
> them. I didn't have any good suggestions, but it seems like an
> interesting question to ask of one's name server. Has anyone else
> tackled this before? Do tools exist?

I've not tried it in an automated way, but if you have pcaps of stub
resolvers, that ought to tell you a good deal. Certain operating
systems for instance may use particular IP TTL values, have differing
IP ID field generation techniques, utilize a distinct pool of source
ports, select source ports in an observable way, issue particular
queries commonly associated to a particular operating system or
application and generate queries at deterministic intervals and in
recurring, but identifiable patterns and lastly, but probably not
exhaustively, select or utilize configured full resolvers in ways
unique to the stub resolver implementation.

John
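Added example, not part of the original thread: a passive per-client summary of the header features the reply lists (IP TTL, IP ID behaviour, source-port pool, query names), run over raw IPv4 packets. The packets are constructed sample data, the function names are hypothetical, and the rounding of TTL up to 32/64/128/255 and the IP ID step threshold are assumed heuristics that need many more packets per client than shown here.

```python
import socket, struct
from collections import defaultdict

def make_query(src, ttl, ip_id, sport, qname):
    """Build a constructed IPv4/UDP/DNS query (checksums left at zero)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!2H", 1, 1)
    udp = struct.pack("!4H", sport, 53, 8 + len(dns), 0) + dns
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, ttl, 17, 0,
                       socket.inet_aton(src), socket.inet_aton("192.0.2.53")) + udp

def parse_query(pkt):
    """Return (src, ttl, ip_id, sport, qname) for a UDP/53 query, else None."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    sport, dport, flags = struct.unpack_from("!2H6xH", pkt, ihl)
    if dport != 53 or flags & 0x8000:  # keep queries only (QR bit clear)
        return None
    pos, labels = ihl + 20, []
    # Stop at the root label, a compression pointer or an invalid length.
    while pos < len(pkt) and 0 < pkt[pos] < 64:
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode("ascii", "replace"))
        pos += 1 + pkt[pos]
    ip_id = int.from_bytes(pkt[4:6], "big")
    return socket.inet_ntoa(pkt[12:16]), pkt[8], ip_id, sport, ".".join(labels)

def ip_id_pattern(ids):
    """Coarse heuristic: all-zero, small positive steps, or anything else."""
    if not any(ids):
        return "zero"
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    return "incrementing" if steps and all(0 < s < 256 for s in steps) else "other"

def profile(packets):
    """Per source address, summarise the header features named in the reply."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_query, packets)):
        seen[rec[0]].append(rec[1:])
    out = {}
    for src, rows in seen.items():
        ttls, ids, ports, names = zip(*rows)
        out[src] = {"initial_ttl": next(v for v in (32, 64, 128, 255) if max(ttls) <= v),
                    "ip_id": ip_id_pattern(ids), "ports": (min(ports), max(ports)),
                    "qnames": sorted(set(names))}
    return out

SAMPLE = [make_query(*a) for a in (  # constructed packets, not a real capture
    ("198.51.100.10", 126, 1000, 50001, "wpad.example"),
    ("198.51.100.10", 126, 1001, 50002, "www.example.com"),
    ("198.51.100.20", 62, 0, 33412, "time.example.net"),
    ("198.51.100.20", 62, 0, 58110, "time.example.net"))]
if __name__ == "__main__": print(profile(SAMPLE))
```

Feeding it real traffic means stripping the link-layer header from each pcap record first; query timing, which the reply also mentions, would need the capture timestamps and is not covered here.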
