What is DNS Cache snooping?
  • 25 May 2021
  • 1 Minute to read
  • Contributors
  • Dark
    Light
  • PDF

What is DNS Cache snooping?

  • Dark
    Light
  • PDF

DNS cache snooping is a technique that can be employed for different purposes by those seeking to benefit from knowledge of what queries have been made of a recursive DNS server by its clients.

Uses of this information vary, ranging from planning which mis-typed domains are worth registering (for marketing and other purposes) through to determining which domains might be easiest to target for a cache poisoning attack.

How can it be done?

  1. Using non-recursive queries: This is the simplest option. From a client that the recursive server will respond to, a snooper needs to send a non-recursive query (that is, one with the recursion desired bit in the query header set to zero) for the name that the snooper is interested in. If the answers are in cache, then the server will provide them.

  2. Using recursive queries: This is very similar to the above, except that the snooper has to deduce that the recursive server responded from cache by looking at both the time it took for the server to respond (although, depending on the server load, this may not be signficant) and the TTL of the answers given.

It is sometimes recommended that you should limit non-recursive access to your recursive servers to prevent the possibility of cache snooping attempts using the first technique documented in the section above. BIND does not have a configuration option that provides this level of control as we do not believe that it is effective.

For more detail on DNS cache snooping including examples as well as suggestions on risk mitigation, we have a longer article available: DNS Cache snooping - should I be concerned?.

Some security tools may report that a server is vulnerable to snooping attacks

Some security analysis tools may report that a server is responding to non-recursive queries for 3rd-party domains. If the analysis tools are being run from within your network where your trusted clients reside, then the warning is a false-positive, providing that you:

a) trust your clients; and

b) do not allow recursive queries from outside your trusted client network.