DNS Cache Snooping

If you do sysadmin tasks for a group of people, one of the challenges of the job is that your log files are full of bits of info that should be kept private. Here’s an example I’d not thought through sufficiently: the DNS (Domain Name Server), actually the DNS cache. When one of your users visits a site (for example the URL http://cult-of-the-vile-snail.com/) the DNS server helps them.

Most DNS servers keep a cache of the names looked up. That makes later attempts to look up the cult-of-the-vile-snail faster and reduces upstream load. Here’s a curiosity. The protocol for talking to the DNS server has ways that allow you to ask just for immediately available entries, and not look further upstream.

Thinking about starting an inquisition? Worried about your colleagues falling for the snail cult? Ask the DNS server. In some scenarios the DNS server can leak information about what the other users at your site are doing. By asking the DNS server if it has cult-of-the-vile-snail in its cache you can discover if anybody local has visited that site.
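An added detection example (my code, not from the post or its comments): it runs over constructed BIND 9-style query-log lines and flags clients outside the resolver's allowed networks that send non-recursive queries, the kind of query a cache snooper relies on because it can only be answered from the cache. The log layout, the sample addresses and the allowed network are assumptions; adjust the regex for other resolvers' log formats.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the layout of a BIND 9 query log (not real traffic).
# The flags field starts with "+" when the client asked for recursion (RD set)
# and "-" when it did not (RD clear); an RD=0 query can only be answered from
# the cache, which is exactly what a snooper sends.
SAMPLE_LOG = """\
client 10.0.0.17#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)
client 198.51.100.9#40001 (cult-of-the-vile-snail.com): query: cult-of-the-vile-snail.com IN A - (10.0.0.1)
client 198.51.100.9#40002 (bank.example.net): query: bank.example.net IN A - (10.0.0.1)
client 10.0.0.23#60000 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
client 203.0.113.5#33333 (www.example.com): query: www.example.com IN A -E(0) (10.0.0.1)
"""

# Assumed: the networks this resolver is meant to serve; anything else is "outside".
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_line(line):
    """Return (client_ip, name, qtype, recursion_desired) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    recursion_desired = m.group("flags")[0] == "+"
    return m.group("ip"), m.group("name"), m.group("qtype"), recursion_desired

def find_snooping_candidates(log_text, allowed_nets=ALLOWED_NETS):
    """Count RD=0 queries per client outside the allowed networks: {client_ip: count}.

    Ordinary stub resolvers always set RD, so a stream of RD=0 queries from an
    outside address is the fingerprint of someone probing cache contents.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, _name, _qtype, recursion_desired = parsed
        addr = ipaddress.ip_address(ip)
        if recursion_desired or any(addr in net for net in allowed_nets):
            continue
        hits[ip] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in sorted(find_snooping_candidates(SAMPLE_LOG).items()):
        print(f"{ip}: {n} non-recursive queries from outside the allowed networks")
```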

I had known for a long time about this privacy leak around local DNS caches.

I hadn’t realized what this paper points out. You can use these tricks on DNS servers out in the wild. For example say you wanted to squat on some domain names and you wish to know which misspelt domain names would be good choices. By poking a few thousand public DNS servers you can get a good estimate of which misspellings are common. Or say you wanted to do market research on how popular a competitor’s domain name is; same trick.

Here is a guy using this trick to get a picture, and amazing pictures they are too, of how widespread the Sony rootkit is.

I certainly hadn’t realized how subtle the privacy implications of getting a good configuration for your DNS server are.

2 thoughts on “DNS Cache Snooping”

  1. Ask Bjørn Hansen

    Just pick the appropriate dns cache software!

    dnscache (from the djbdns package) is by default configured to only respond to requests from specifically allowed networks and it doesn’t respond to a “no recursive” request.

    (You can still see what names have been looked at recently by looking at the remaining TTL, but it gets a little harder).

    – ask

  2. nice

    [QUESTION] External hacking aside, you will have breaches by sysadmins (authorized or otherwise). Is it possible to prevent packet ‘hijacking’ by the DNS (‘friendly ones’ if there are any more) or encrypting your packets for that matter so that nobody can hack it easily? You know, accessing your bank from home or work is not safe anymore.

    I’m aware that this could make surfing a pain but better slow connection than an empty bank account.

    What are your thoughts, ideas?

    Nicer than Nice
