Towards passive DNS software fingerprinting

  • Authors: Ruetee Chitpranee; Kensuke Fukuda
  • Affiliations: Ensimag - INP Grenoble, France; NII, Japan
  • Venue: Proceedings of the 9th Asian Internet Engineering Conference
  • Year: 2013

Abstract

This paper presents an alternative fingerprinting technique to identify DNS software running on caching resolvers in passively collected traffic traces. With this method, it is not required to send additional queries during the measurement, unlike existing techniques that rely on probing and may not be effective due to firewall filtering or refused responses. We first carefully examine DNS query patterns upon specific emulation and extract 15 heuristic rules from the experiment to identify typical software (i.e., BIND, Unbound and Windows Server). We next demonstrate the effectiveness of the rules using real backbone traffic traces with ground truth data. The results show 99% accuracy compared to the ground truth. Furthermore, 78% of unknown hosts in the ground truth can be identified.