Scott Campbell of NERSC posted to the snort-devel mailing list today about his DNS preprocessor that is designed to detect DNS cache poisoning and DNS fast flux. His write-up on both features looks interesting and I hope to play with the preprocessor on my lab setup. Note that he recommends not running this in production because it is an early beta.
For full details check his write-up, but the following quotes explain that the preprocessor is checking three basic conditions for DNS cache poisoning:
- Multiple responses to a query where the DNS server IP and query name match, but the transaction ID varies.
- Multiple responses to a query where the DNS server IP, query name and transaction ID match.
- Unexpected responses where there is no observed question.
The explanation of fast flux detection is a little more involved, and he also mentions that it will detect sites that are designed to behave in a similar way as fast flux, for example ntp.pool.org and chat.freenode.net.
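To make the three poisoning conditions concrete, here is a small stateful checker written for this post; it is an added example, not code from Scott Campbell's preprocessor or from Snort. It consumes a constructed stream of DNS query/response events (not real traffic) keyed on server IP, question name and transaction ID, and emits one alert per condition. One assumption about semantics: an "observed question" is keyed on server IP and name only, so a forged answer carrying a guessed transaction ID for a name that really was asked falls under the first condition rather than the third.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsEvent:
    """One DNS message seen on the wire (constructed sample data, not a capture)."""
    kind: str        # "query" or "response"
    server_ip: str   # resolver the client is talking to
    qname: str       # question name
    txid: int        # 16-bit DNS transaction ID


def analyze(events):
    """Return a list of (condition, event) alerts for the three cache-poisoning checks.

    duplicate_response : repeated answer with matching server IP, name and txid
    txid_mismatch      : answer for an asked name whose txid differs from an earlier answer
    unexpected_response: answer for a server/name pair that was never asked
    """
    asked = set()                 # (server_ip, qname) pairs we saw a question for
    txids = defaultdict(set)      # (server_ip, qname) -> txids seen in responses
    count = defaultdict(int)      # (server_ip, qname, txid) -> responses seen
    alerts = []

    for ev in events:
        k2 = (ev.server_ip, ev.qname)
        k3 = k2 + (ev.txid,)

        if ev.kind == "query":
            asked.add(k2)
            continue

        # Condition 3: a response with no observed question for this server/name.
        if k2 not in asked:
            alerts.append(("unexpected_response", ev))
            continue

        # Condition 2: same server IP, name and transaction ID answered more than once.
        count[k3] += 1
        if count[k3] > 1:
            alerts.append(("duplicate_response", ev))

        # Condition 1: same server IP and name, but a transaction ID we have not seen
        # for this question before (one answer with txid A, then another with txid B).
        if txids[k2] and ev.txid not in txids[k2]:
            alerts.append(("txid_mismatch", ev))
        txids[k2].add(ev.txid)

    return alerts


# Constructed sample stream exercising each condition once or twice.
SAMPLE = [
    DnsEvent("query", "192.0.2.53", "www.example.com", 0x1A2B),
    DnsEvent("response", "192.0.2.53", "www.example.com", 0x1A2B),    # legitimate answer
    DnsEvent("response", "192.0.2.53", "www.example.com", 0x1A2B),    # repeat -> duplicate_response
    DnsEvent("response", "192.0.2.53", "www.example.com", 0x9C4D),    # other txid -> txid_mismatch
    DnsEvent("response", "192.0.2.53", "www.example.com", 0x9C4E),    # another -> txid_mismatch
    DnsEvent("response", "192.0.2.53", "mail.example.net", 0x0001),   # never asked -> unexpected_response
    DnsEvent("query", "198.51.100.1", "time.example.org", 0x7777),
    DnsEvent("response", "198.51.100.1", "time.example.org", 0x7777),  # clean exchange, no alert
]

if __name__ == "__main__":
    for condition, ev in analyze(SAMPLE):
        print(f"{condition:20s} server={ev.server_ip} qname={ev.qname} txid={ev.txid:#06x}")
```

The state here is never expired, which is fine for a demonstration but not for a live sensor: a real preprocessor has to age out old questions and response sets, or a long-running resolver will accumulate state and legitimate retries (which also produce a second answer with the same transaction ID) will look like condition 2. That is one reason the author's "early beta" caveat matters when tuning thresholds.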
If I get the chance to play with the preprocessor, I will definitely document my experience.