[Bro-Dev] #769: Detect non-caching recursive resolvers

Bro Tracker bro at tracker.bro-ids.org
Wed Feb 15 08:36:02 PST 2012


#769: Detect non-caching recursive resolvers
-----------------------------+------------------------
 Reporter:  seth             |      Owner:  seth
     Type:  Feature Request  |     Status:  new
 Priority:  Normal           |  Milestone:
Component:  Bro              |    Version:  git/master
 Keywords:                   |
-----------------------------+------------------------
 Two steps to this...

 - Detect recursive resolvers.  This should probably be added to the
 intelligence framework so that it could be autodetected and people could
 add their own locally known information to it.  We should be able to
 detect them by watching for lots of authoritative requests but there are
 probably other indicators we could use as well.

 - Occasionally grab or define certain host names with reasonably long TTLs
 (a day?) and watch for the same recursive resolver to make a request for
 that same hostname within the TTL.  This should identify if resolvers
 aren't caching results which is frequently an interesting data point or at
 least something to go and fix.

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/769>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
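
The two steps in the ticket can be sketched offline as follows. This is an added example, not code from the ticket or from Bro; it is written in Python over constructed records rather than as a Bro script. The record layout, the thresholds, and the use of RD=0 queries to many distinct servers as the "authoritative requests" indicator are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real traffic), one per answered query:
# (ts_seconds, client_ip, server_ip, rd_flag, qname, answer_ttl)
SAMPLE = [
    (0,    "10.0.0.53", "192.0.2.1",    False, "www.example.com",  86400),
    (5,    "10.0.0.53", "198.51.100.7", False, "mail.example.org", 86400),
    (9,    "10.0.0.53", "203.0.113.9",  False, "cdn.example.net",  86400),
    (600,  "10.0.0.53", "192.0.2.1",    False, "www.example.com",  86400),  # within TTL
    (900,  "10.0.0.53", "192.0.2.1",    False, "www.example.com",  86400),  # within TTL
    (10,   "10.0.0.54", "192.0.2.1",    False, "www.example.com",  3600),
    (20,   "10.0.0.54", "198.51.100.7", False, "mail.example.org", 3600),
    (30,   "10.0.0.54", "203.0.113.9",  False, "cdn.example.net",  3600),
    (4000, "10.0.0.54", "192.0.2.1",    False, "www.example.com",  3600),   # TTL expired
    (15,   "10.0.0.99", "10.0.0.53",    True,  "www.example.com",  86400),  # stub client
]

def find_resolvers(records, min_servers=3):
    """Step 1 (assumed heuristic): hosts sending RD=0 queries to many servers."""
    servers = defaultdict(set)
    for _ts, client, server, rd, _qname, _ttl in records:
        if not rd:  # iterative query, as a recursive resolver sends upstream
            servers[client].add(server)
    return {c for c, s in servers.items() if len(s) >= min_servers}

def find_noncaching(records, resolvers, min_ttl=3600, min_repeats=2):
    """Step 2: count re-queries made while the earlier answer's TTL is still live."""
    expiry = {}                 # (resolver, qname) -> time the cached answer expires
    repeats = defaultdict(int)  # resolver -> number of in-TTL re-queries
    for ts, client, _server, _rd, qname, ttl in sorted(records, key=lambda r: r[0]):
        if client not in resolvers or ttl < min_ttl:
            continue  # only long-TTL names give a clear signal
        key = (client, qname.lower())
        if key in expiry and ts < expiry[key]:
            repeats[client] += 1     # should have been served from cache
        else:
            expiry[key] = ts + ttl   # first sighting, or previous answer expired
    return {c: n for c, n in repeats.items() if n >= min_repeats}

if __name__ == "__main__":
    resolvers = find_resolvers(SAMPLE)
    print(sorted(resolvers), find_noncaching(SAMPLE, resolvers))
```

A resolver that restarts or flushes its cache will produce a few in-TTL repeats, which is why the sketch requires `min_repeats` before reporting.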


