-2

My university department has a local DNS server that serves all of the computers in the department. I am concerned about the privacy and security implications of this. Posit that I am merely one of the users on a workstation, with no privileged access to the DNS server, or any HTTP proxy.

  • Can I make use of the DNS server to determine whether someone else in the department has accessed a page on some arbitrary external WWW site? Can I do so for accesses within the last few seconds?
  • If the answer to the preceding question is "Yes." what tradeoffs do I have to make in order to close this leak? If adjustments need to be made to the DNS server, what form would they take? Could I address this purely from the individual workstation end, without touching the server?
  • Would installing more than one DNS server affect this? If so, how? How about running DNS servers on the workstations?
  • Is this actually a leak? Would I be able to determine the same information without using the DNS server? Would I be able to determine better information, indeed?
JdeBP
kuchiku
  • Do you control the DNS server (or, alternatively, other aspects of the network)? – Shane Madden Jan 25 '12 at 21:30
  • No, I am just a regular user and not a system admin – kuchiku Jan 25 '12 at 21:35
  • 4
    Please read the FAQ before posting questions, "Server Fault is for system administrators and desktop support **professionals**". We're not here to help you get around things people like us have put in place to protect you. – Smudge Jan 25 '12 at 21:44
  • FYI, for you professionals here, it's worth knowing that a conformant recursive server when asked a question with the `RD` bit clear should only answer _from cache_ and not go look up the domain again. This does allow untrusted users to _interrogate_ the cache without (in theory) _altering_ the contents of that cache. – Alnitak Jan 26 '12 at 00:02
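
The last comment above points out that a query with the `RD` bit clear is answered only from cache. As an added example (not part of the original thread), the Python below shows how a resolver operator could flag such queries in captured DNS payloads. It assumes that ordinary stub resolvers set `RD`; the function names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags word
QR_FLAG = 0x8000  # set on responses, clear on queries

def build_query(qname, rd, txid=0x1234):
    """Build a minimal A-record query (helper for the constructed samples)."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_query(packet):
    """Return (qname, rd) for a single-question DNS query, else None."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & QR_FLAG or qdcount != 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet) or packet[pos] > 63:
            return None  # truncated name, or not a plain label
        length = packet[pos]
        if length == 0:
            break
        label = packet[pos + 1:pos + 1 + length]
        if len(label) != length:
            return None
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower(), bool(flags & RD_FLAG)

def non_recursive_queries(captured):
    """Count RD=0 queries per (client, qname) from (src_ip, payload) pairs."""
    hits = Counter()
    for src, payload in captured:
        parsed = parse_query(payload)
        if parsed and not parsed[1]:
            hits[(src, parsed[0])] += 1
    return hits

# Constructed sample capture: ordinary stub queries plus repeated RD=0 queries.
SAMPLE = [
    ("10.0.0.21", build_query("www.example.com", rd=True)),
    ("10.0.0.37", build_query("www.example.com", rd=False)),
    ("10.0.0.37", build_query("www.example.com", rd=False)),
    ("10.0.0.37", b"\x00\x01"),  # truncated payload, ignored
]
```

Calling `non_recursive_queries(SAMPLE)` reports only the client that sent `RD`-clear queries, along with the name it asked about.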

2 Answers

0

Run `nslookup example.com` (where example.com is the domain name). If it comes back saying "non-authoritative" then the entry was cached; if not then it must have contacted an authoritative server.

This isn't a surefire way of knowing, since the server might be set to never cache. You'd have to look at the logs on the server to know with any degree of certainty (assuming logs exist).

Chris S
0

You can't be 100% sure. Whilst unlikely, it's quite possible that somebody accessed that web site without touching your DNS servers. They might have used public DNS servers, or possibly accessed the site via its IP address.

If all your HTTP(S) traffic is routed via a proxy server, your best bet might be to access the logs of the proxy server.

Edit: Just spotted your comment, in which case, the correct answer is to speak to your systems administrator, but he should deny your request for this information if he's doing his job properly.

Bryan