1 / 13

Fingerprinting DNS Implementations

Fingerprinting DNS Implementations. Roy Arends Jakob Schlyter IETF-60 august 5 2004. WHY. Troubleshooting DNS problems Surveys: distribution of implementations Surveys: protocol compliance. HOW: assumptions. Protocol non-compliance is hardly specified

danika
Download Presentation

Fingerprinting DNS Implementations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fingerprinting DNS Implementations Roy Arends Jakob Schlyter IETF-60 august 5 2004

  2. WHY • Troubleshooting DNS problems • Surveys: distribution of implementations • Surveys: protocol compliance

  3. HOW: assumptions • Protocol non-compliance is hardly specified • implementations are not required to implement the entire dns-rfc-scape • specifications are not always implemented appropriately • Implementations have bugs • Implementations fixed bugs • Implementations have features • Implementations stopped having features

  4. HOW: requirements • REQUIREMENTS • Nothing breaks ! • Independent of data served • Independent of configuration • In at least possible queries • With at least possible log-entries

  5. HOW: assessment • 16 bit header, we used 14 for classification • QR and Z bit not used (later more on QR). • Just header, question section: “.” A IN • That’s 16K possible headers (14 bit) • Responses tied to queries, tied to IP • Set of equal {Q =>R} strains likely the same implementation…. • What followed was simple datamining and some reconnaissance. • 40 million Elvis fans can’t be wrong.

  6. HOW: reconnaisance • Finding implementations that matched our strains. • Version.bind / version.server / etc / etc • Set up local installation. Works well with opensource • Asking operators at sites. • LOTS of help. Thanks Peter, Bill, Brad, Mark, Mans, Miek and Jaap

  7. WHAT:different implementations BIND 4/8/9; NSD; MS NT/2K/2K3; MaraDNS; PowerDNS; MyDNS; Nominum ANS/CNS; NonSequitur DNS; OakDNS; UltraDNS; Simple DNS plus; Net::DNS::Nameserver; VGRS ATLAS; TinyDNS; QuickDNS; eNom DNS; Incognito DNS commander; Pliant DNS server; Posadis; Rbldnsd; TotD; pdnsd ; Yaku-NS; DeleGate DNS proxy; sheerdns; dproxy; dnrd; JDNSS; javadns jnamed; Nomde DNS tunnel; Viking DNS server; small HTTP server.

  8. WHAT: still looking • We have the original JEEVES sources.(thanks Rob) • Still busy with emulating PDP-10/tops-20 • (running) PRE BSD-4.3-tahoe/4.4-reno BIND versions. • dents; cisco cnr • New and Old breeds !! • Contact us if you know of one that is not listed • Contact us if you (are able to) run one of the above

  9. WHAT not • What does not help fingerprinting: • Active Load Balancing • Firewalls checking queries (checkpoint FW1-NGw/AI) • Forwarders • DoS blocks

  10. Where:tool • The fpdns tool (version 0.9.0) is released. • Version 0.9.1 will be made available some time next week at www.rfc.se/fpdns

  11. Extra’s • Remember the QR bit we didn’t use ? • QR bit (indicating query or response) • Setting the QR bit in a Query (i.e. sending a response) makes some implementations respond anyway • The latter can causes query storms between implementations. • Some implementations have been fixed, check for the latest releases of your software.

  12. SURVEYS • Bill Manning did a survey on .com • Mark Lottor did a survey on .in-addr.arpa • Peter Koch did a survey on .de • I’ll ask them to put their results online (or post them to a list) • Interop reports are using fpdns to test for protocol compliance. • Google for them.

  13. thanks • Thanks for listening • Reach us at roy@dnss.ec or jakob@rfc.se

More Related