Oct 3 – 5, 2015
Fairmont Queen Elizabeth
US/Eastern timezone

dnstap-whoami: one-legged exfiltration of resolver queries

Oct 4, 2015, 5:00 PM
St-Francois (Fairmont Queen Elizabeth)

Fairmont Queen Elizabeth
900 René-Lévesque Blvd W, Montreal, QC H3B 4A5, Canada

Lightning Presentations, Public Workshop: Resolvers Track

Robert Edmonds (Farsight Security, Inc.)
A few existing "whoami" or "dnsecho" authoritative DNS services allow limited extraction of information about the resolver that would normally be hidden from the original client. For example, querying an anycasted resolver with a command like "dig @ whoami.akamai.net" returns an address record revealing the unicast initiator address that the anycast service actually used to reach the authoritative server. This is "one-legged" because the original client only has visibility into the stub/recursive "leg" of the DNS interaction. The DNS-OARC porttest tool is another example of a "one-legged" service.

Many DNS research projects instead use special purpose zones with instrumented nameservers that capture incoming query packets for analysis. For example, scans for open recursive DNS servers typically control both the stub/recursive "leg" and the recursive/authoritative "leg" and are thus "two-legged". This requires a more heavyweight investment but results in a richer set of data.

This talk will demonstrate an enhanced "whoami" authoritative DNS server that can exfiltrate more detailed information about the recursive/authoritative interaction to the original client, including the complete resolver query packet as received by the authoritative server. It uses the dnstap format to compactly tunnel structured information that can be decoded by the original client.
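The following is an added illustration of the one-legged flow described in the abstract; it is not code from the talk or from the dnstap-whoami server. It simulates the authoritative side (which sees the resolver's source address and its complete query packet) and the client side (which only ever sees the response that comes back through the resolver). To stay standard-library only, it tunnels the captured data as base64 inside TXT character-strings rather than in the dnstap format the talk uses; the resolver query packet, source address and port are constructed sample values.

```python
import base64
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name, preserving the caller's letter case."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_resolver_query(qname: str, txid: int, flags: int = 0, edns_size: int = 4096) -> bytes:
    """Constructed sample of a resolver->authoritative query: one question plus an OPT record."""
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)  # root name, udp size in CLASS
    return hdr + question + opt


def whoami_response(query_pkt: bytes, src_ip: str, src_port: int) -> bytes:
    """Authoritative side: answer with TXT data carrying the resolver's address and its raw query."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query_pkt[:12])
    _, off = decode_name(query_pkt, 12)
    question = query_pkt[12:off + 4]
    payload = b"src=%s:%d;qry=%s" % (src_ip.encode(), src_port, base64.b64encode(query_pkt))
    chunks = [payload[i:i + 255] for i in range(0, len(payload), 255)]  # TXT strings max 255 bytes
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    # Name is a pointer to the question (offset 12); TTL 0 so resolvers do not cache the answer.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 0, len(rdata)) + rdata
    hdr = struct.pack("!HHHHHH", txid, 0x8400 | (flags & 0x0100), 1, 1, 0, 0)  # QR|AA, keep RD
    return hdr + question + answer


def decode_whoami(response: bytes) -> dict:
    """Client side: pull the tunnelled data out of the TXT answer and describe the captured query."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(response, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = decode_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        if rtype != TYPE_TXT:
            continue
        p = 0
        while p < len(rdata):  # concatenate the character-strings back into one payload
            n = rdata[p]
            strings.append(rdata[p + 1:p + 1 + n])
            p += 1 + n
    fields = dict(kv.split(b"=", 1) for kv in b"".join(strings).split(b";"))
    query = base64.b64decode(fields[b"qry"])
    # What the authoritative server saw: transaction id, flags, exact qname case, EDNS size.
    qid, qflags, _, _, _, qar = struct.unpack("!HHHHHH", query[:12])
    qname, qoff = decode_name(query, 12)
    qoff += 4
    edns_size = None
    for _ in range(qar):
        _, qoff = decode_name(query, qoff)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", query[qoff:qoff + 10])
        qoff += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass
    return {"resolver_src": fields[b"src"].decode(), "txid": qid, "rd": bool(qflags & 0x0100),
            "qname_as_sent": qname, "edns_udp_size": edns_size, "query_len": len(query)}


if __name__ == "__main__":
    q = build_resolver_query("wHoAmI.example.net", txid=0x1A2B)  # constructed sample
    r = whoami_response(q, "198.51.100.7", 53412)                # constructed source address
    print(decode_whoami(r))
```

Running it shows the client learning, from the response alone, the unicast address and port the resolver queried from, the transaction id and 0x20-style case pattern of the resolver's query, and its advertised EDNS buffer size: exactly the recursive/authoritative "leg" a one-legged client cannot otherwise observe.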

Primary author

Robert Edmonds (Farsight Security, Inc.)