
Given a network trace that includes DNS request packets, is it possible to infer or guess which DNS client sent those requests?

In other words, consider a network monitoring box that can see all the DNS packets sent from/to a particular host. Can it make a reasonable guess at the DNS client that's being used, based only on what is visible in the network trace?

I know there are methods for passively fingerprinting the client OS; here I'm wondering whether there is something analogous for DNS.

D.W.

1 Answer


Most applications that issue DNS queries do so through common OS-specific libraries. There was a recent vulnerability that impacted multiple Linux distributions:

https://access.redhat.com/articles/2161461

There is a body of work on fingerprinting OSes by the DNS traffic they initiate, e.g.

http://intrusion-detection.org/papers/Matsunaka13DNSFingerprint.pdf

Jonah Benton