[Bro-Dev] #769: Detect non-caching recursive resolvers
Bro Tracker
bro at tracker.bro-ids.org
Wed Feb 15 08:36:02 PST 2012
#769: Detect non-caching recursive resolvers
-----------------------------+------------------------
 Reporter:  seth             |      Owner:  seth
     Type:  Feature Request  |     Status:  new
 Priority:  Normal           |  Milestone:
Component:  Bro              |    Version:  git/master
 Keywords:                   |
-----------------------------+------------------------
Two steps to this...
 - Detect recursive resolvers. This should probably be added to the
   intelligence framework so that it could be autodetected and people could
   add their own locally known information to it. We should be able to
   detect them by watching for lots of authoritative requests, but there are
   probably other indicators we could use as well.
 - Occasionally grab or define certain host names with reasonably long TTLs
   (a day?) and watch for the same recursive resolver to make a request for
   that same hostname within the TTL. This should identify if resolvers
   aren't caching results, which is frequently an interesting data point or at
   least something to go and fix.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/769>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
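
The second step of the ticket, sketched as an added example (it is not part of the ticket and is not Bro code): given answers observed on a resolver's queries to authoritative servers, flag re-requests for the same name made while the earlier answer's TTL was still running. The `Upstream` record, the `min_ttl` and `prefetch_slack` parameters, and the sample observations are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Upstream(NamedTuple):
    """One answer seen on a resolver's query to an authoritative server."""
    ts: float       # seconds, time the answer was observed
    resolver: str   # address of the suspected recursive resolver
    qname: str
    qtype: str
    ttl: int        # TTL carried in the answer

def refetches_within_ttl(records, min_ttl=3600, prefetch_slack=0.1):
    """Map resolver -> list of (qname, qtype, age, ttl) re-requests made
    while a caching resolver should still have held the earlier answer."""
    held = {}                  # (resolver, qname, qtype) -> (ts, ttl)
    hits = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec.ts):
        key = (r.resolver, r.qname.lower().rstrip("."), r.qtype)
        prev = held.get(key)
        if prev is not None and r.ts - prev[0] < prev[1]:
            age, ttl = r.ts - prev[0], prev[1]
            # Only long TTLs are meaningful; skip the tail of the TTL,
            # where a resolver may legitimately prefetch (assumption).
            if ttl >= min_ttl and age < ttl * (1 - prefetch_slack):
                hits[r.resolver].append((key[1], r.qtype, age, ttl))
            continue           # keep measuring against the first answer
        held[key] = (r.ts, r.ttl)
    return dict(hits)

def non_caching_resolvers(records, min_hits=2, **kw):
    """Resolvers with at least min_hits early re-requests."""
    found = refetches_within_ttl(records, **kw)
    return sorted(ip for ip, h in found.items() if len(h) >= min_hits)

# Constructed sample observations (documentation addresses and names).
SAMPLE = [
    Upstream(0, "192.0.2.53", "www.example.com", "A", 86400),
    Upstream(600, "192.0.2.53", "WWW.example.com.", "A", 86400),
    Upstream(1200, "192.0.2.53", "www.example.com", "A", 86400),
    Upstream(0, "192.0.2.54", "www.example.com", "A", 86400),
    Upstream(86500, "192.0.2.54", "www.example.com", "A", 86400),
    Upstream(100, "192.0.2.54", "mail.example.org", "MX", 86400),
    Upstream(82100, "192.0.2.54", "mail.example.org", "MX", 86400),
    Upstream(0, "192.0.2.55", "short.example.net", "A", 30),
    Upstream(10, "192.0.2.55", "short.example.net", "A", 30),
]

if __name__ == "__main__":
    for ip, h in refetches_within_ttl(SAMPLE).items():
        print(ip, h)
```

A single address can front several resolver instances with separate caches, and a resolver may cap TTLs or evict entries under memory pressure, so a hit is a lead to check rather than proof that caching is off.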