Is it possible to protect against DNS cache snooping on ISC bind and PowerDNS servers? If not, is there similar DNS server software which can't protect against snooping?
1 Answer
Because cache snooping is enabled by a properly operating caching DNS server, there's no way for the DNS server to thwart it without breaking proper caching behavior. For example, you could make a DNS server hand out all responses with a synthetic TTL, but then the use case of having individual TTL for different records is being overridden.
It is possible to poison the cache as a defensive measure. For example, let's say the attacker is using the cache to identify anti-virus software in use. If the defender has a program which regularly queries the DNS records used by various anti-virus software that isn't in use, then the attacker will get indicators for multiple anti-virus packages, with most of them being false.
I wrote a program to do this a couple years ago called dnSense.
- I only found this for a DNS server which is not common: https://support.simpledns.plus/kb/a125/what-is-dns-cache-snooping-and-how-do-i-prevent-it.aspx – jwalker Apr 18 '20 at 09:55
- @jwalker ...which tells you how to turn the cache off completely. Yes, that will prevent cache snooping, at the cost of "breaking proper caching behavior." – gowenfawr Apr 18 '20 at 15:16
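The defensive cache-poisoning approach from the answer above, as an added example that is not part of the original answer or of dnSense: it keeps a set of decoy names warm in a caching resolver by re-querying each one before its cached TTL runs out, so a snooper sees them as "in use". The resolver address and the decoy hostnames are assumptions (constructed placeholders), and only the Python standard library is used.

```python
import random, socket, struct, time

# Constructed decoy names (products NOT deployed here); substitute your own hostnames.
DECOY_NAMES = ["updates.decoy-av-one.example", "liveupdate.decoy-av-two.example"]
RESOLVER = ("127.0.0.1", 53)  # assumption: the caching resolver listens locally

def build_query(name, qid):  # A/IN query with RD=1 so the resolver recurses and caches
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(buf, pos):  # step over a (possibly compressed) name, return new offset
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:
        pos += buf[pos] + 1
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root is 1

def min_answer_ttl(resp, qid):  # smallest TTL in the answer section, else None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or flags & 0x000F or an == 0:  # wrong id, RCODE != 0, or no answers
        return None
    pos, ttls = 12, []
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(resp, pos)
        _, _, ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        ttls.append(ttl)
        pos += 10 + rdlen
    return min(ttls)

def refresh_delay(ttl, fraction=0.8, jitter=0.1):  # re-query before expiry, jittered
    base = max(1, int(ttl * fraction))
    return base + random.randint(0, max(1, int(base * jitter)))

def keep_decoys_cached(resolver=RESOLVER, names=DECOY_NAMES):  # runs forever
    due = {n: 0.0 for n in names}  # next time each decoy must be re-queried
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        while True:
            for name in [n for n in names if time.time() >= due[n]]:
                qid = random.randint(0, 0xFFFF)
                s.sendto(build_query(name, qid), resolver)
                try:
                    ttl = min_answer_ttl(s.recv(512), qid)
                except (socket.timeout, IndexError, struct.error):
                    ttl = None  # no usable reply: retry after a default interval
                due[name] = time.time() + refresh_delay(ttl or 300)
            time.sleep(5)
```

Run `keep_decoys_cached()` as a long-lived service on a host that uses the resolver; the smallest answer TTL drives the refresh so multi-record answers never fall out of the cache.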