Wednesday, December 21, 2005

dnstracer

dnstracer is an interesting tool. It traces a DNS record back to the servers that are authoritative for it, using non-recursive queries: each server is asked only for what it knows itself, and any referral it returns is followed. In other words, if you tell it to trace "shmoocon.org", it returns the following interesting data:

Tracing to shmoocon.org[a] via 68.10.16.25, maximum of 3 retries
68.10.16.25 (68.10.16.25)
|\___ TLD3.ULTRADNS.org [org] (199.7.66.1)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) Got authoritative answer
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) Got authoritative answer
|\___ TLD2.ULTRADNS.NET [org] (204.74.113.1)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
|\___ TLD1.ULTRADNS.NET [org] (204.74.112.1)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
|\___ TLD1.ULTRADNS.NET [org] (2001:0502:d399:0000:0000:0000:0000:0001) send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
* send_data/sendto: Network is unreachable
*
|\___ TLD6.ULTRADNS.CO.UK [org] (198.133.199.11)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
|\___ TLD5.ULTRADNS.INFO [org] (192.100.59.11)
| |\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
| \___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)
\___ TLD4.ULTRADNS.org [org] (199.7.67.1)
|\___ ns0.directnic.com [shmoocon.org] (204.251.10.100) (cached)
\___ ns1.directnic.com [shmoocon.org] (204.13.172.154) (cached)

While it shows that there may be a problem with TLD1 (this is likely a problem with the tool's handling of IPv6 data rather than with the server), you can see that the tool queries every DNS server known to hold the data (68.10.16.25 is the IP of a DNS server local to me). The tool can also detect lame DNS servers, those that are supposed to know the answer but don't (think misconfigured or damaged secondaries).

If anyone is really proficient with this tool, please contact me. I'd like to know if it is useful in detecting record poisoning.
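To make the behaviour above concrete, here is an added example of the delegation walk dnstracer performs, written as an offline model rather than taken from dnstracer itself. The network is replaced by constructed in-memory tables (documentation-range addresses, not real servers); a real tracer sends each query with the RD bit clear and reads the AA bit and the authority section of the reply. The model reproduces the three outcomes in the output above (an authoritative answer, a "(cached)" repeat visit, and an unreachable IPv6 address), flags a lame server the way the post describes, and adds a cross-server comparison of the authoritative answers, which is the check a defender would run when asking whether a record has been altered or poisoned.

```python
"""Offline model of the non-recursive delegation walk that dnstracer performs.

Added example, not dnstracer's own code. Servers are constructed tables keyed
by address (RFC 5737 / RFC 3849 documentation ranges), so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Reply:
    aa: bool = False                               # AA (authoritative answer) bit
    answer: tuple = ()                             # A rdata in the answer section
    referral: dict = field(default_factory=dict)   # zone -> {ns name: ns address}


# Constructed topology: 192.0.2.53 plays the local resolver, 198.51.100.x the
# TLD servers, 203.0.113.x the zone's own name servers. 2001:db8::1 has no
# entry, standing in for a v6-only server the tracing host cannot reach.
TLD_REFERRAL = {"test": {"a.tld.test": "198.51.100.1",
                         "b.tld.test": "198.51.100.2",
                         "c.tld.test": "2001:db8::1"}}
ZONE_REFERRAL = {"example.test": {"ns1.example.test": "203.0.113.10",
                                  "ns2.example.test": "203.0.113.11"}}
SERVERS = {
    "192.0.2.53":   {"example.test": Reply(referral=TLD_REFERRAL)},
    "198.51.100.1": {"example.test": Reply(referral=ZONE_REFERRAL)},
    "198.51.100.2": {"example.test": Reply(referral=ZONE_REFERRAL)},
    "203.0.113.10": {"example.test": Reply(aa=True, answer=("203.0.113.80",))},
    # ns2 is delegated to but answers without AA and without data: a lame server.
    "203.0.113.11": {"example.test": Reply()},
}


def query(servers, ip, name):
    """One non-recursive query; unreachable hosts fail the way sendto() does."""
    if ip not in servers:
        raise OSError("Network is unreachable")
    return servers[ip].get(name, Reply())


def trace(name, ip, servers=SERVERS, zone=None, cache=None, depth=0, out=None):
    """Depth-first referral walk. Returns (depth, ip, zone, status, detail) tuples.
    Each (server, name) pair is queried once; repeats are marked 'cached'."""
    cache = {} if cache is None else cache
    out = [] if out is None else out
    key = (ip, name)
    if key in cache:
        out.append((depth, ip, zone, "cached", cache[key]))
        return out
    try:
        reply = query(servers, ip, name)
    except OSError as exc:
        cache[key] = str(exc)
        out.append((depth, ip, zone, "unreachable", str(exc)))
        return out
    if reply.aa:
        status = "authoritative"
    elif reply.referral:
        status = "referral"
    elif zone is not None:
        # Named as a server for `zone` but neither authoritative nor referring:
        # the condition reported as a lame server.
        status = "lame"
    else:
        status = "no data"
    cache[key] = reply.answer
    out.append((depth, ip, zone, status, reply.answer))
    for child_zone, name_servers in reply.referral.items():
        for ns_ip in name_servers.values():
            trace(name, ns_ip, servers, child_zone, cache, depth + 1, out)
    return out


def lame_servers(steps):
    return [ip for _, ip, _, status, _ in steps if status == "lame"]


def authoritative_answers(steps):
    """Server -> set of records it returned with AA set."""
    return {ip: set(detail) for _, ip, _, status, detail in steps
            if status == "authoritative"}


def answers_agree(steps):
    """True when every authoritative server returned the same record set.
    A disagreement points at a stale or altered copy of the zone on one server."""
    return len({frozenset(a) for a in authoritative_answers(steps).values()}) <= 1


def variant(servers, ip, name, reply):
    """Copy of `servers` with one reply swapped, for what-if runs."""
    return {**servers, ip: {**servers.get(ip, {}), name: reply}}


def render(steps):
    return "\n".join(f"{'  ' * d}{ip} [{zone or '.'}] {status} {detail}"
                     for d, ip, zone, status, detail in steps)


if __name__ == "__main__":
    steps = trace("example.test", "192.0.2.53")
    print(render(steps))
    print("lame:", lame_servers(steps), "agree:", answers_agree(steps))
```

Running it prints the walk in the same order dnstracer would visit servers: resolver, first TLD server, its two delegated name servers (one authoritative, one lame), second TLD server with both name servers marked cached, and the unreachable IPv6 address. Swapping ns2's reply for an authoritative answer with a different address (via `variant`) makes `answers_agree` return False, which is the signal to go and look at that server.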