Re: [dns-wg] Elimination of 2nd level ccTLD domain names
"Brad" == Brad Knowles <brad@stop.mail-abuse.org> writes:
# perl fpdns.pl udns1.ultradns.net udns2.ultradns.net
fingerprint (udns1.ultradns.net, 204.69.234.1): UltraDNS v2.7.0.2 -- 2.7.3
fingerprint (udns2.ultradns.net, 204.74.101.1): UltraDNS v2.7.0.2 -- 2.7.3
Brad> That doesn't necessarily mean anything. If they had
Brad> been a large customer of Nominum, they could easily be
Brad> running code that generated a different fingerprint.

Nope. Roy and Jakob's tool can already fingerprint Nominum's DNS implementations. And just about anyone else's for that matter. Besides, I very much doubt if anyone would create a code fork and all the aggravation flowing from that -- support overheads, regression testing, documentation, software maintenance, etc -- just to confuse a fingerprinting tool. And of course the tool could easily be updated to take account of any obfuscation like that. Why would anyone choose to enter that zero-sum game?

Brad> When it comes to this sort of thing, I trust
Brad> information from people who have extensive background
Brad> information (such as Jim) more than I do fingerprints.

You'll be much better off to trust this fingerprinting tool than depend on my memory. :-)
At 9:39 PM +0100 2004-10-25, Jim Reid wrote:
Nope. Roy and Jakob's tool can already fingerprint Nominum's DNS implementations. And just about anyone else's for that matter.
I know about fpdns.pl. I was using it before it was officially released. Early discussions with Roy led to the very gross fingerprinting methods I used in my DNS Comparison presentation that I gave at LISA 2002 and RIPE 44. None of that is to say that someone couldn't come along and make some modifications to the code that one of these programs runs, which would result in a different fingerprint being generated. If they then called this program by a totally different name, it might not be easy to tell that it's just a relatively minor modification to an existing program already in the database.
Besides, I very much doubt if anyone would create a code fork and all the aggravation flowing from that -- support overheads, regression testing, documentation, software maintenance, etc -- just to confuse a fingerprinting tool.
It wouldn't necessarily take a big change in the code to result in a change to the fingerprint. If a customer is large enough and pays enough money, who's to say that even large changes wouldn't be made to the code, if the customer requested them?
And of course the tool could easily be updated to take account of any obfuscation like that. Why would anyone choose to enter that zero-sum game?
Sure, but you have to know that there is obfuscation before you can try to compensate for it. So long as word never got out, people would not necessarily be likely to figure out what's going on.
You'll be much better off to trust this fingerprinting tool than depend on my memory. :-)
The tool is very robust and encodes a great deal of very useful information, but I think you do not give yourself enough credit.

-- 
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
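The exchange above turns on how a fingerprinting tool like fpdns actually arrives at a name: it sends a few unusual queries and keys a signature table on implementation-specific details of the replies (which header bits are echoed or set, which RCODE is chosen for an odd input). The following script is an added illustration and is not part of this thread, nor is it fpdns or any vendor's code. It parses real DNS headers (RFC 1035 section 4.1.1) but every reply, probe name and signature in it is constructed for the example, and the implementation names "ImplA", "ImplB" and "ImplC" are hypothetical. It shows both points being argued: a one-bit change in a forked server's behaviour drops it out of an exact-match table (Brad's concern), while a nearest-match report and an extended table catch it again once the variant is known (Jim's point). An operator can run the same logic against captured replies from their own servers to see what behaviour they expose.

```python
"""Toy DNS fingerprint matcher (added example; not fpdns, not from the thread).

A signature is the tuple of header fields observed per probe. Probes and
signatures here are constructed; they describe no real implementation.
"""
import struct
from typing import Dict, Optional, Tuple

# Hypothetical probe names. "iquery_rd" stands for a query using the obsolete
# IQUERY opcode (1) with RD set; "query_ad_set" for a normal query with the AD
# bit set. Implementations differ in how they answer such probes.
PROBES = ["iquery_rd", "query_ad_set"]

Sig = Tuple[Tuple[str, int, int, int, int, int], ...]


def parse_header(pkt: bytes) -> Dict[str, int]:
    """Parse the 12-byte DNS header (RFC 1035 s4.1.1) into named fields."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "ad": (flags >> 5) & 1, "cd": (flags >> 4) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident: int, qr: int, opcode: int, aa: int, tc: int, rd: int,
                 ra: int, ad: int, cd: int, rcode: int, qd: int = 1) -> bytes:
    """Build a DNS header; used only to construct sample replies offline."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8)
             | (ra << 7) | (ad << 5) | (cd << 4) | rcode)
    return struct.pack("!HHHHHH", ident, flags, qd, 0, 0, 0)


def signature(replies: Dict[str, bytes]) -> Sig:
    """Reduce the replies to (probe, opcode echoed, rd echoed, ra, ad, rcode)."""
    sig = []
    for probe in PROBES:
        h = parse_header(replies[probe])
        sig.append((probe, h["opcode"], h["rd"], h["ra"], h["ad"], h["rcode"]))
    return tuple(sig)


# Constructed signature table keyed on the tuple above (hypothetical names).
SIGNATURES: Dict[Sig, str] = {
    (("iquery_rd", 1, 1, 1, 0, 4), ("query_ad_set", 0, 1, 1, 0, 0)): "ImplA 1.x",
    (("iquery_rd", 1, 1, 0, 0, 5), ("query_ad_set", 0, 1, 0, 1, 0)): "ImplB 2.x",
    (("iquery_rd", 0, 0, 0, 0, 1), ("query_ad_set", 0, 1, 1, 0, 0)): "ImplC 3.x",
}


def identify(replies: Dict[str, bytes], table: Dict[Sig, str] = SIGNATURES) -> Optional[str]:
    """Exact match, the way a plain signature lookup behaves."""
    return table.get(signature(replies))


def nearest(replies: Dict[str, bytes], table: Dict[Sig, str] = SIGNATURES) -> Tuple[str, int]:
    """Closest known signature and the number of differing fields."""
    sig = signature(replies)
    best: Optional[Tuple[str, int]] = None
    for known, name in table.items():
        d = sum(1 for a, b in zip(sig, known)
                for x, y in zip(a[1:], b[1:]) if x != y)
        if best is None or d < best[1]:
            best = (name, d)
    assert best is not None
    return best


# Constructed replies from a server that behaves like "ImplA": NOTIMP (4) to
# the IQUERY probe, RD echoed, RA set, AD cleared.
IMPLA_REPLIES = {
    "iquery_rd": build_header(0x1234, 1, 1, 0, 0, 1, 1, 0, 0, 4),
    "query_ad_set": build_header(0x1235, 1, 0, 0, 0, 1, 1, 0, 0, 0),
}

# A constructed fork of ImplA that answers REFUSED (5) instead of NOTIMP:
# one field differs, enough to break an exact match.
FORK_REPLIES = {
    "iquery_rd": build_header(0x1234, 1, 1, 0, 0, 1, 1, 0, 0, 5),
    "query_ad_set": build_header(0x1235, 1, 0, 0, 0, 1, 1, 0, 0, 0),
}

# The table extended once the variant is known, as the thread suggests.
EXTENDED = dict(SIGNATURES)
EXTENDED[signature(FORK_REPLIES)] = "ImplA 1.x (constructed fork)"

if __name__ == "__main__":
    print("original :", identify(IMPLA_REPLIES))
    print("fork     :", identify(FORK_REPLIES), "nearest:", nearest(FORK_REPLIES))
    print("extended :", identify(FORK_REPLIES, EXTENDED))
```

Reporting the nearest signature and its distance, rather than only an exact hit, is what makes a renamed minor fork visible: the "unknown" answer still sits one field away from a known entry, which is the cue to add the variant to the table.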