Security Consulting

DNS

DNS Snooping

    dig @ns.switch.ch www.google.ch A +norecurse
In the result, check the ANSWER: x value in the output. If it's 0, the query was not in the cache. An ANSWER of one would show that the query was in the cache.
If only recursive queries are allowed, check the TTL of the answer. If it's low, or not one of the known values, the answer was probably cached. Verify it with:
    dig @ns.switch.ch www.google.ch A
This will show the initial TTLs.
Far more interesting is whether someone else has already queried for a non-existing DNS entry. You can check that with:
    dig @ns.your.domain www.nonextisting.com +norecurse
The query will return NXDOMAIN (non-existent domain) if the domain name does not exist. Don't forget the forensic value of this! You can even determine when the domain was _first_ accessed. Is your competitor looking up your Web site?
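For auditing your own resolver or building a timeline from saved dig output, the checks above can be scripted. This is an added example, not code from the original page; the sample replies, the names under example.test, and the functions classify and first_cached_at are constructed for illustration, and the initial TTL is assumed to be known from a separate lookup.

```python
import re
from datetime import timedelta

# Constructed dig output (not captured from a real server): non-recursive
# reply for a name that is already in the resolver's cache.
SAMPLE_HIT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.example.test.\t2100\tIN\tA\t192.0.2.10
"""
# Constructed: non-recursive reply for a name nobody has looked up yet.
SAMPLE_MISS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
"""
# Constructed: cached negative answer for a non-existent name.
SAMPLE_NX = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.test.\t840\tIN\tSOA\tns.example.test. host.example.test. 1 7200 3600 604800 900
"""

# One resource-record line: owner name, TTL, class IN, type.
RR = re.compile(r"^(\S+)[ \t]+(\d+)[ \t]+IN[ \t]+(\S+)[ \t]", re.M)

def classify(dig_text):
    """Return (verdict, remaining_ttl) for the reply to a +norecurse query."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", dig_text).group(1))
    rr = RR.search(dig_text)              # first record: answer, or SOA for NXDOMAIN
    ttl = int(rr.group(2)) if rr else None
    if status == "NXDOMAIN":
        return "cached-nxdomain", ttl     # someone asked for this missing name before
    if answers > 0:
        return "cached", ttl
    return "not-cached", None

def first_cached_at(observed_at, initial_ttl, remaining_ttl):
    """Entry age is initial TTL minus remaining TTL; subtract it from the query time."""
    return observed_at - timedelta(seconds=initial_ttl - remaining_ttl)
```

For a cached NXDOMAIN, the initial TTL is the smaller of the SOA record's own TTL and its MINIMUM field (RFC 2308), so the constructed SOA above with MINIMUM 900 and 840 seconds remaining was cached about 60 seconds before the query.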


CopyLeft (l) 2003 by Raffael Marty