What is DNS Cache snooping?
Author: ISC Support | Reference Number: AA-00509 | Created: 2011-10-26 09:22 | Last Updated: 2017-06-07 16:07

DNS cache snooping is a technique that can be employed for different purposes by those seeking to benefit from knowledge of what queries have been made of a recursive DNS server by its clients.

Uses of this information vary, ranging from planning which mis-typed domains are worth registering (for marketing and other purposes) through to determining which domains might be easiest to target for a cache poisoning attack.

How can it be done?

  1. Using non-recursive queries
    This is the simplest option. From a client that the recursive server will respond to, the snooper sends a non-recursive query (that is, one with the Recursion Desired (RD) bit in the query header set to zero) for the name of interest. If the answer is in the cache, the server provides it; because recursion was not requested, the server will not go out and fetch the name otherwise.

  2. Using recursive queries
    This is very similar to the above, except that the snooper has to deduce that the recursive server answered from its cache by looking both at how long the server took to respond (although, depending on server load, this may not be significant) and at the TTL of the answers given (an answer served from cache carries a TTL that has already been counting down from the value the authoritative server set).

It is sometimes recommended that you should limit non-recursive access to your recursive servers to prevent the possibility of cache snooping attempts using the first technique documented in the section above.  BIND does not have a configuration option that provides this level of control as we do not believe that it is effective.

For more detail on DNS cache snooping, including examples as well as suggestions on risk mitigation, we have a longer article available (register to view): DNS Cache snooping - should I be concerned?

For more background information, please see:  http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Some security tools may report that a server is vulnerable to snooping attacks

Some security analysis tools may report that a server is responding to non-recursive queries for third-party domains. If the analysis tool is being run from within your network, where your trusted clients reside, then the warning is a false positive, provided that you:
a)  trust your clients
b)  do not allow recursive queries from outside your trusted client network
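As an added example (not ISC's code and not part of BIND), the following Python reads the RD bit that technique 1 above depends on from a query's header and then applies the two conditions just listed, so that a scanner's "responds to non-recursive queries for third-party domains" report can be triaged by where the query came from and what it asked for. The trusted networks, the zone names in LOCAL_ZONES and the sample packets built by build_query are constructed assumptions.

```python
import ipaddress
import struct

# Constructed values for this example: the trusted client networks and the
# zones this server is authoritative for (any other name is a third-party name).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
LOCAL_ZONES = ("example.net",)

def build_query(qname, rd, txid=0x1234):
    """Build a minimal DNS query (QTYPE=A, QCLASS=IN) with the RD bit set or clear."""
    flags = (rd & 1) << 8  # RD is bit 8 of the 16-bit flags field (RFC 1035 section 4.1.1)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", 1, 1)

def parse_query(packet):
    """Parse the 12-byte header and the first question; return the QR/RD bits and QNAME."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    labels, pos = [], 12
    while (length := packet[pos]) != 0:
        if length & 0xC0:  # compression pointers do not belong in a query's QNAME
            raise ValueError("unexpected compression pointer in QNAME")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1, "qdcount": qdcount,
            "qname": ".".join(labels).lower(), "qtype": qtype, "qclass": qclass}

def is_local_name(qname):
    return any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES)

def classify(src_ip, packet):
    """Apply the article's two conditions: is the source a trusted client, and is the name third-party?"""
    q = parse_query(packet)
    if q["qr"] != 0:
        return "not-a-query"
    if any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS):
        return "trusted-client"  # a scanner report from inside the trusted network is a false positive
    if is_local_name(q["qname"]):
        return "external-own-zone"  # our own zone data, not a third-party name
    if q["rd"] == 0:
        return "external-nonrecursive-thirdparty"  # the pattern the article's first technique relies on
    return "external-recursive"  # recursion from outside the trusted network (condition b)
```

Run classify over the source address and raw payload of each logged or captured query; only the "external-" results need a closer look.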



© 2001-2017 Internet Systems Consortium
