Security Basics mailing list archives

RE: cache snooping attacks


From: krymson () gmail com
Date: 26 Dec 2007 18:31:07 -0000

Google should deliver some good info by searching for cache snooping attack. But in case you don't have access to 
Google, a seminal paper by Luis Grangeia is available [1] along with other DNS topics [2]. (Ok, maybe not seminal, but 
he covered it so well, not much else needs to be said.)

In a nutshell, I ask your DNS server to resolve www.bankofamerica.com, but my request tells your DNS server not to look 
it up. It will consult its cache only. If it returns a value, that means someone who uses your DNS server has 
previously resolved the domain, most likely via web browsing.

How can I use this info? If I wanted to target you or your company specifically, I could find some sites your users 
visit (like www.bankofamerica.com in the example), spoof email to them that looks like it is from that site, and 
possibly trick your users into running an attachment, opening a rich email, or going to a link of my choosing.

Is DNS cache snooping a huge deal? Not really. It ranks up there with targeted and more exotic attacks. Unless you need 
to worry about corporate espionage or national security, I doubt this is of huge concern. However, as automation 
becomes more advanced and complex, this is an avenue that could someday be more used. Query a DNS server for a list of 
bank domains it has cached, then bulk spam people from the DNS domain and hope your scattershot hits someone valid, who 
also is gullible. Low yield, but once automated, could be enough to justify...


[1] http://www.sysvalue.com/papers/DNS-Cache-Snooping/files/DNS_Cache_Snooping_1.1.pdf

[2] http://www.dnssec.net/dns-threats


<- snip ->
Tell me please, what is a "DNS cache snooping attack"?
Can you give an example of this attack?
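The reply above describes the probe as a lookup that tells the resolver not to go and fetch the name, which on the wire is simply a standard query with the RD (recursion desired) flag cleared. The following is an added example, not code from this thread or from Grangeia's paper, written from the resolver operator's side: it parses the DNS header of incoming queries and flags RD=0 queries that arrive from outside the organisation's own address space. The internal ranges, the sample query records and the function names (build_query, parse_query, flag_cache_probes) are all assumptions made for the example; the sample packets are constructed inline so it runs offline.

```python
import ipaddress
import struct

# Assumption: these are the organisation's internal client ranges. Defined explicitly
# rather than via ipaddress.is_private(), which also treats documentation ranges
# such as 198.51.100.0/24 as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(qname: str, recursion_desired: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query for an A record (used here only to construct sample input)."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD is bit 8 of the 16-bit flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, no other sections
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query(packet: bytes) -> dict:
    """Extract transaction id, the RD flag and the first question name from a raw query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    rd = bool(flags & 0x0100)
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "rd": rd, "qname": ".".join(labels), "qtype": qtype, "qdcount": qdcount}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_cache_probes(records):
    """records: iterable of (source_ip, raw_query_packet) pairs.

    Returns (source_ip, qname) for queries that look like cache snooping: recursion
    not requested (RD=0) and the source is not one of our own clients. Stub resolvers
    on end-user machines always set RD, so an external RD=0 query is almost always a probe.
    """
    hits = []
    for src, packet in records:
        q = parse_query(packet)
        if not q["rd"] and not is_internal(src):
            hits.append((src, q["qname"]))
    return hits


# Constructed sample traffic: an internal client, an external RD=0 probe, and an
# external recursive query (an open-resolver problem, but not cache snooping).
SAMPLE_RECORDS = [
    ("10.0.0.5", build_query("www.bankofamerica.com", True)),
    ("198.51.100.7", build_query("www.bankofamerica.com", False)),
    ("198.51.100.7", build_query("www.example.com", True)),
]

if __name__ == "__main__":
    for src, name in flag_cache_probes(SAMPLE_RECORDS):
        print(f"possible cache snoop from {src}: {name}")
```

Flagging the probe is only half of the answer; the real fix is to stop answering cache questions for strangers in the first place, which in BIND means limiting `allow-recursion` and `allow-query-cache` to your own client ranges (and, ideally, not serving authoritative and recursive duties from the same cache).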

