LinuxQuestions.org - Linux - Networking
Any tool to compare DNS results from several DNS servers? (https://www.linuxquestions.org/questions/linux-networking-3/any-tool-to-compare-dns-results-from-several-dns-servers-770338/)

Ulysses_ 11-19-2009 07:52 PM

Any tool to compare DNS results from several DNS servers?
 
Someone suggested what he called "dns pooling" as a countermeasure for those man-in-the-middle attacks that are based on DNS poisoning. His suggestion was to query several DNS servers and compare the results. If there's any difference, alert the user. Of course that would produce false alarms for any legitimate IP changes propagating in DNS networks. But it's better than nothing.

Are there any tools to automatically compare the results from several DNS servers, and alert for any difference?

Guyverix 11-20-2009 06:03 AM

Hmm, that is an interesting idea. The script at http://www.madboa.com/geek/dig/
has about 80-90% of the code done that would be needed. Just reverse what is in the text file vs what is being queried.

Jim Bengtson 11-20-2009 07:48 AM

Quote:

Originally Posted by Guyverix (Post 3763749)
Hmm, that is an interesting idea. The script at http://www.madboa.com/geek/dig/
has about 80-90% of the code done that would be needed. Just reverse what is in the text file vs what is being queried.

As an enhancement, if all DNS servers in your pool agree on an entry, use it. If 90% (or whatever threshold you set) agree, use it. If less than that threshold agree, put it in a file for a human admin to check. Or perhaps find some way to record whether anyone on the network has requested that domain recently, and flag it for a human to respond to, and ignore those that no one has requested recently.

But if someone then does request one of those questionable domains, what then?
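
The pooling check the OP asks for, with the agreement threshold suggested in the post above, as an added example that is not from this thread or the madboa script. It assumes dig is installed for live queries; the demo at the bottom uses constructed answers (RFC 5737 documentation addresses) so it runs without network access.

```python
import re
import subprocess
from collections import Counter

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def query_a_records(server, name):
    """Ask one resolver for the A records of `name` by shelling out to dig
    (assumed installed); returns the answer as a frozenset of IPv4 strings.
    CNAME lines that dig +short prints are dropped; a timeout gives an empty set."""
    cmd = ["dig", "+short", "+time=2", "+tries=1", "@" + server, name, "A"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return frozenset(tok for tok in out.split() if IPV4.fullmatch(tok))

def pool_verdict(answers, threshold=0.9):
    """Apply the agreement rule to {server: frozenset_of_ips}.
    Returns (status, consensus_ips, agreeing_servers, dissenting_servers); status is
    'unanimous', 'majority' (share >= threshold), 'review' (below it) or 'no-answer'.
    Servers that returned nothing do not vote but are listed as dissenting.
    Answer sets are compared exactly, so round-robin or CDN records will trip
    the check; that is the false-alarm case the OP already expects."""
    voting = {s: a for s, a in answers.items() if a}
    if not voting:
        return "no-answer", frozenset(), [], sorted(answers)
    consensus, votes = Counter(voting.values()).most_common(1)[0]
    agree = sorted(s for s, a in voting.items() if a == consensus)
    dissent = sorted(s for s in answers if s not in agree)
    share = votes / len(voting)
    if share == 1.0:
        status = "unanimous"
    elif share >= threshold:
        status = "majority"
    else:
        status = "review"   # too little agreement: log it for a human admin
    return status, consensus, agree, dissent

def check_name(name, servers, threshold=0.9, query=query_a_records):
    """Query every server in the pool for `name` and return pool_verdict()."""
    return pool_verdict({s: query(s, name) for s in servers}, threshold)

if __name__ == "__main__":
    # Constructed sample answers, no network needed.
    sample = {"192.0.2.1": frozenset({"198.51.100.7"}),
              "192.0.2.2": frozenset({"198.51.100.7"}),
              "192.0.2.3": frozenset({"203.0.113.9"}),   # the odd one out
              "192.0.2.4": frozenset()}                   # timed out
    print(pool_verdict(sample))
    # Live use: check_name("example.com", ["8.8.8.8", "1.1.1.1", "9.9.9.9"])
```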

Ulysses_ 11-20-2009 01:12 PM

That's good. Any chance we could force all accesses to the internet from browsers, email clients etc., to go through this check? Where would the script go, what system scripts would be edited?

Guyverix 11-22-2009 03:33 AM

Quote:

Originally Posted by Ulysses_ (Post 3764198)
That's good. Any chance we could force all accesses to the internet from browsers, email clients etc., to go through this check? Where would the script go, what system scripts would be edited?

That kind of script used in the fashion you are asking about would have to go on your local DNS server. To be honest however I do not believe it would be robust enough to work really well, especially if you are checking all outgoing DNS queries. The script would have to edit your local DNS server cache as well. I believe that you would have all kinds of headaches doing this (although I don't pretend to be a DNS expert).

Ulysses_ 11-22-2009 11:42 AM

Isn't it simpler to find the place in the system scripts where the 2 DNS servers that you specify with the gnome network manager are read and used one at a time, with the second one being read only if the first one fails? It would then be a very simple change of the script, to ask both DNS servers anyway, and also ask 5 more servers, and return successfully only if they all agree?

Jim Bengtson 11-22-2009 05:01 PM

Quote:

Originally Posted by Ulysses_ (Post 3765870)
Isn't it simpler to find the place in the system scripts where the 2 DNS servers that you specify with the gnome network manager are read and used one at a time, with the second one being read only if the first one fails? It would then be a very simple change of the script, to ask both DNS servers anyway, and also ask 5 more servers, and return successfully only if they all agree?

How would you know if the first one failed? The idea here is to combat DNS poisoning, where a DNS server is intentionally given the wrong IP address for a site. How do you know the DNS server has been poisoned? By comparing its answers against several other DNS servers to see if they all give the same answer.

Ulysses_ 11-22-2009 05:08 PM

Quote:

Originally Posted by Jim Bengtson (Post 3766087)
How would you know if the first one failed?

I said you check them both and compare them. The bit about the first server failing etc. was the description of what is currently going on in the Linux scripts we want to edit (it fails if there's no DNS server running at the address given).

Jim Bengtson 11-22-2009 05:14 PM

Quote:

Originally Posted by Ulysses_ (Post 3766093)
I said you check them both and compare them. The bit about the first server failing etc. was the description of what is currently going on in the Linux scripts we want to edit (it fails if there's no DNS server running at the address given).

But what if there is a DNS server running there, and it does give an IP address in response to a name query, but that IP address is wrong (i.e., it has been poisoned)?

Only by performing the same DNS query against multiple DNS servers would you have a reasonable chance of detecting the poisoning.

Ulysses_ 11-22-2009 05:21 PM

Quote:

Originally Posted by Jim Bengtson (Post 3766097)
But what if there is a DNS server running there, and it does give an IP address in response to a name query, but that IP address is wrong (i.e., it has been poisoned)?

Then you start an LQ thread about this thing you saw online somewhere that is called DNS pooling (see OP).

Jim Bengtson 11-22-2009 06:43 PM

Quote:

Originally Posted by Ulysses_ (Post 3766103)
Then you start an LQ thread about this thing you saw online somewhere that is called DNS pooling (see OP).

I agree...but this suggestion

Quote:

Isn't it simpler to find the place in the system scripts where the 2 DNS servers that you specify with the gnome network manager are read and used one at a time, with the second one being read only if the first one fails?
won't work because the first DNS query is successful...it returns a result. You just won't know if it's a poisonous result or not. That's the danger of DNS poisoning attacks...you trust the DNS server yet have no way to validate that trust.

Ulysses_ 11-24-2009 10:52 AM

You still do not understand the suggestion. The suggestion is to edit a computer program, part of the Linux system and probably a script, that currently does the wrong thing, and the wrong thing that it does was described here:
Quote:

the 2 DNS servers that you specify with the gnome network manager are read and used one at a time, with the second one being read only if the first one fails?
The desired thing that we want was described here:
Quote:

ask both DNS servers anyway, and also ask 5 more servers, and return successfully only if they all agree?

Ulysses_ 11-24-2009 10:54 AM

Now does anyone know where Linux implements the access to the list of DNS servers that you have specified with the gnome network manager, before querying the servers one at a time?

It should be an extremely simple change if Linux does it with a script.

davidzake 11-04-2010 03:36 PM

Hi,
You can compare DNS records at-

http://sharontools.com

Happy to help,
Dave
