Any tool to compare DNS results from several DNS servers?
Someone suggested what he called "dns pooling" as a countermeasure for those man-in-the-middle attacks that are based on DNS poisoning. His suggestion was to query several DNS servers and compare the results. If there's any difference, alert the user. Of course that would produce false alarms for any legitimate IP changes propagating in DNS networks. But it's better than nothing.
Are there any tools to automatically compare the results from several DNS servers, and alert for any difference?
Hmm, that is an interesting idea. The script at http://www.madboa.com/geek/dig/ has about 80-90% of the code done that would be needed. Just reverse what is in the text file vs. what is being queried.
As an enhancement, if all DNS servers in your pool agree on an entry, use it. If 90% (or whatever threshold you set) agree, use it. If less than that threshold agree, put it in a file for a human admin to check. Or perhaps find some way to record whether anyone on the network has requested that domain recently, and flag it for a human to respond to, and ignore those that no one has requested recently.
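The "DNS pooling" check from the original question, with the agreement threshold suggested just above, as an added example that is not from the thread or the madboa script. It assumes `dig` is installed for live lookups; the comparison logic itself works on any mapping of resolver to answer set, and the sample at the bottom is constructed data.

```python
import subprocess
from collections import Counter

# Added example (not from the thread): ask every resolver in the pool the same
# question, compare the answer sets, and let a threshold decide between
# accepting the answer and flagging it for a human admin.

def resolve_via(server, name, rtype="A", timeout=3):
    """Ask one resolver with dig; return its answers as a set (empty on failure)."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1",
           "@" + server, name, rtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 2).stdout
    except (OSError, subprocess.TimeoutExpired):
        return frozenset()
    return frozenset(line.strip() for line in out.splitlines() if line.strip())

def pool_verdict(answers, threshold=0.9):
    """answers: {resolver: frozenset(records)}.
    Returns (status, consensus_records, dissenting_resolvers) where status is
    'unanimous' (every resolver agrees), 'accepted' (at least `threshold` of the
    resolvers that answered agree) or 'flag' (below threshold: a human checks)."""
    usable = {srv: recs for srv, recs in answers.items() if recs}
    if not usable:                       # nothing answered at all
        return "flag", frozenset(), sorted(answers)
    consensus, votes = Counter(usable.values()).most_common(1)[0]
    share = votes / len(usable)
    # Resolvers that returned something else, or nothing, are worth logging.
    dissent = sorted(srv for srv, recs in answers.items() if recs != consensus)
    if share == 1.0 and len(usable) == len(answers):
        return "unanimous", consensus, dissent
    if share >= threshold:
        return "accepted", consensus, dissent
    return "flag", consensus, dissent

def check_name(name, servers, threshold=0.9):
    """Live check: query each resolver in `servers` and apply the pool verdict."""
    return pool_verdict({s: resolve_via(s, name) for s in servers}, threshold)

if __name__ == "__main__":
    # Constructed sample: nine resolvers agree, one returns a different address.
    sample = {"10.0.0.%d" % i: frozenset({"192.0.2.10"}) for i in range(1, 10)}
    sample["10.0.0.10"] = frozenset({"198.51.100.7"})
    print(pool_verdict(sample))   # ('accepted', frozenset({'192.0.2.10'}), ['10.0.0.10'])
```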
But if someone then does request one of those questionable domains, what then?
That's good. Any chance we could force all accesses to the internet from browsers, email clients etc, go through this check? Where would the script go, what system scripts would be edited?
That kind of script used in the fashion you are asking about would have to go on your local DNS server. To be honest, however, I do not believe it would be robust enough to work really well, especially if you are checking all outgoing DNS queries. The script would have to edit your local DNS server cache as well. I believe that you would have all kinds of headaches doing this (although I don't pretend to be a DNS expert).
Isn't it simpler to find the place in the system scripts where the 2 DNS servers that you specify with the gnome network manager are read and used one at a time, with the second one being read only if the first one fails? It would then be a very simple change of the script, to ask both DNS servers anyway, and also ask 5 more servers, and return successfully only if they all agree?
How would you know if the first one failed? The idea here is to combat DNS poisoning, where a DNS server is intentionally given the wrong IP address for a site. How do you know the DNS server has been poisoned? By comparing its answers against several other DNS servers to see if they all give the same answer.
I said you check them both and compare them. The bit about the first server failing etc. was the description of what is currently going on in the Linux scripts we want to edit (it fails if there's no DNS server running at the address given).
But what if there is a DNS server running there, and it does give an IP address in response to a name query, but that IP address is wrong (i.e., it has been poisoned)?
Only by performing the same DNS query against multiple DNS servers would you have a reasonable chance of detecting the poisoning.
Quote:
But what if there is a DNS server running there, and it does give an IP address in response to a name query, but that IP address is wrong (i.e., it has been poisoned)?
Then you start an LQ thread about this thing you saw online somewhere that is called DNS pooling (see OP).
I agree...but this suggestion
Quote:
Isn't it simpler to find the place in the system scripts where the 2 DNS servers that you specify with the gnome network manager are read and used one at a time, with the second one being read only if the first one fails?
won't work because the first DNS query is successful...it returns a result. You just won't know if it's a poisonous result or not. That's the danger of DNS poisoning attacks...you trust the DNS server yet have no way to validate that trust.
You still do not understand the suggestion. The suggestion is to edit a computer program, part of the Linux system and probably a script, that currently does the wrong thing, and the wrong thing that it does was described here:
Quote:
the 2 DNS servers that you specify with the gnome network manager are read and used one at a time, with the second one being read only if the first one fails?
The desired thing that we want was described here:
Quote:
ask both DNS servers anyway, and also ask 5 more servers, and return successfully only if they all agree?
Now does anyone know where Linux implements the access to the list of DNS servers that you have specified with the GNOME network manager, before querying the servers one at a time?
It should be an extremely simple change if Linux does it with a script.