If you do sysadmin tasks for a group of people, one of the challenges of the job is that your log files are full of bits of info that should be kept private. Here’s an example I’d not thought through sufficiently: the DNS (Domain Name System) server, or rather the DNS cache. When one of your users visits a site (for example the url: http://cult-of-the-vile-snail.com/) the DNS server helps them.
Most DNS servers keep a cache of the names looked up. That makes later attempts to look up the cult-of-the-vile-snail faster and reduces upstream load. Here’s a curiosity. The protocol for talking to the DNS server has a way to ask only for entries that are immediately available (a non-recursive query), without looking further upstream.
Thinking about starting an inquisition? Worried about your colleagues falling for the snail cult? Ask the DNS server. In some scenarios the DNS server can leak information about what the other users at your site are doing. By asking the DNS server whether it has cult-of-the-vile-snail in its cache you can discover if anybody local has visited that site.
I had known for a long time about this privacy leak around local DNS caches.
I hadn’t realized what this paper points out: you can use these tricks on DNS servers out in the wild. For example, say you wanted to squat on some domain names and wished to know which misspelt domain names would be good choices. By poking a few thousand public DNS servers you can get a good estimate of which misspellings are common. Or say you wanted to do market research on how popular a competitor’s domain name is; same trick.
I certainly hadn’t realized how subtle the privacy implications of getting a good configuration for your DNS server are.
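As an added example (not part of the original post), here is the kind of check a resolver operator could run over their own query log to spot the probing described above: non-recursive queries (RD bit clear) arriving from addresses outside the networks the resolver is meant to serve. It assumes BIND 9 style querylog lines, where the flags field after the query type starts with "+" when the client requested recursion and "-" when it did not; the log lines and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed BIND 9 querylog shape (see lead-in).  The first character of the
# flags field is "+" for RD=1 (normal lookup) and "-" for RD=0 (cache-only ask).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])"
)

def snooping_candidates(lines, local_nets):
    """Return [(client_ip, queried_name)] for RD=0 queries from outside local_nets."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group("rd") != "-":
            continue  # not a query line, or an ordinary recursive query
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in nets):
            continue  # our own users; RD=0 from inside is unremarkable
        hits.append((str(ip), m.group("name").rstrip(".")))
    return hits

def noisiest_sources(hits, threshold=2):
    """Client addresses that issued at least `threshold` outside RD=0 queries."""
    counts = Counter(ip for ip, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

LOCAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]  # networks this resolver serves (assumed)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10-Mar-2024 09:12:01.123 queries: info: client @0x7f1a 10.0.0.15#53211 (mail.example.net): query: mail.example.net IN A +E(0)K (10.0.0.1)
10-Mar-2024 09:12:02.456 queries: info: client @0x7f1b 203.0.113.9#40001 (cult-of-the-vile-snail.com): query: cult-of-the-vile-snail.com IN A -E(0) (10.0.0.1)
10-Mar-2024 09:12:02.789 queries: info: client @0x7f1b 203.0.113.9#40002 (cult-of-the-vile-snial.com): query: cult-of-the-vile-snial.com IN A -E(0) (10.0.0.1)
10-Mar-2024 09:12:03.001 queries: info: client @0x7f1c 198.51.100.77#3322 (www.example.org): query: www.example.org IN AAAA + (10.0.0.1)
10-Mar-2024 09:12:03.222 queries: info: client @0x7f1d 10.0.0.15#53212 (cult-of-the-vile-snail.com): query: cult-of-the-vile-snail.com IN A - (10.0.0.1)
10-Mar-2024 09:12:04.555 queries: info: client @0x7f1b 203.0.113.9#40003 (example.com): query: example.com IN A -E(0) (10.0.0.1)
"""

if __name__ == "__main__":
    hits = snooping_candidates(SAMPLE_LOG.splitlines(), LOCAL_NETS)
    for ip, name in hits:
        print(f"outside RD=0 query from {ip} for {name}")
    print("repeat offenders:", noisiest_sources(hits))
```

The durable fix is configuration rather than log review: restrict both recursion and cache answers to your own networks (in BIND, `allow-recursion` and `allow-query-cache`) so outsiders get a refusal instead of a cache hit or miss.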