Ticket #769 (new Feature Request)

Opened 3 months ago

Last modified 3 months ago

Detect non-caching recursive resolvers

Reported by: seth Owned by: seth
Priority: Normal Milestone:
Component: Bro Version: git/master
Keywords: Cc:

Description

Two steps to this...

  • Detect recursive resolvers. This should probably be added to the intelligence framework so that it could be autodetected and people could add their own locally known information to it. We should be able to detect them by watching for lots of authoritative requests but there are probably other indicators we could use as well.
  • Occasionally grab or define certain host names with reasonably long TTLs (a day?) and watch for the same recursive resolver to make a request for that same hostname within the TTL. This should identify if resolvers aren't caching results, which is frequently an interesting data point or at least something to go and fix.

Change History

comment:0 Changed 3 months ago by gregor

  • Detect recursive resolvers. This should probably be added to the intelligence framework so that it could be autodetected and people could add their own locally known information to it. We should be able to detect them by watching for lots of authoritative requests but there are probably other indicators we could use as well.

The RD (recursion desired) flag is another indicator. It should be off for recursive resolvers.

cu
Gregor
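
An offline sketch of the two steps in this ticket, combined with the RD-flag indicator from comment:0. It is an added example, not Bro code and not part of the ticket. The record layout, thresholds, addresses and host names are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_SERVERS = 3    # assumed threshold for "lots of authoritative requests"
RETRY_GRACE = 5.0  # assumed: repeats this close together are retransmits

# Constructed records, not real traffic:
# (time in seconds, source, destination, query name, RD flag, answer TTL)
RECORDS = [
    (0,     "10.0.0.53", "192.0.2.1",    "a.example.com", False, 86400),
    (2,     "10.0.0.53", "192.0.2.1",    "a.example.com", False, 86400),  # retransmit
    (10,    "10.0.0.53", "198.51.100.7", "b.example.net", False, 86400),
    (20,    "10.0.0.53", "203.0.113.9",  "c.example.org", False, 3600),
    (900,   "10.0.0.53", "192.0.2.1",    "a.example.com", False, 86400),  # within TTL
    (5000,  "10.0.0.53", "203.0.113.9",  "c.example.org", False, 3600),   # TTL expired
    (0,     "10.0.0.54", "192.0.2.1",    "a.example.com", False, 86400),
    (30,    "10.0.0.54", "198.51.100.7", "b.example.net", False, 86400),
    (40,    "10.0.0.54", "203.0.113.9",  "c.example.org", False, 3600),
    (90000, "10.0.0.54", "192.0.2.1",    "a.example.com", False, 86400),  # after TTL
    (5,     "10.0.0.20", "10.0.0.53",    "a.example.com", True,  86400),  # stub client
    (600,   "10.0.0.20", "10.0.0.53",    "a.example.com", True,  86400),
]


def find_resolvers(records, min_servers=MIN_SERVERS):
    """Sources sending RD=0 queries to at least min_servers distinct servers."""
    servers = defaultdict(set)
    for _ts, src, dst, _name, rd, _ttl in records:
        if not rd:
            servers[src].add(dst)
    return {src for src, dsts in servers.items() if len(dsts) >= min_servers}


def find_cache_misses(records, resolvers, grace=RETRY_GRACE):
    """Return (resolver, name, seconds since first lookup) for repeats inside the TTL."""
    expiry = {}  # (resolver, name) -> (time first seen, time the answer expires)
    misses = []
    for ts, src, _dst, name, rd, ttl in sorted(records):
        if src not in resolvers or rd:
            continue
        key = (src, name)
        if key in expiry and ts < expiry[key][1]:
            age = ts - expiry[key][0]
            if age > grace:
                misses.append((src, name, age))
            continue  # keep the original expiry while the record is still valid
        expiry[key] = (ts, ts + ttl)
    return misses
```

On the constructed records, 10.0.0.53 and 10.0.0.54 are both classified as resolvers, and only 10.0.0.53 is reported for asking about a.example.com again 900 seconds into a one-day TTL.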
