DNS-based Network Fingerprinting


Internet-connected devices use the Domain Name System (DNS) to translate human-readable domain names into IP addresses. Because DNS is unencrypted, often outsourced to an external resolver, and consulted before most network connections are made, the software that initiates those connections can be fingerprinted by passively monitoring DNS traffic.

DONUT, short for Domain Oriented Network Unmasking Tool, is a system for fingerprinting device types, operating systems, applications, and network structures based on DNS traffic. It is extensible and modular, and it uses a rule-based approach to detect software-specific fingerprints, which makes its fingerprint database easy to extend. In addition to fingerprinting software, DONUT is able to detect NAT configurations and, to a certain extent, de-NAT DNS traffic.
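To illustrate the rule-based idea, here is a small added example (not DONUT's own code, which is not shown on this page): it matches queried names from a constructed DNS query log against a handful of illustrative fingerprint rules and flags client addresses that show conflicting OS fingerprints as suspected NAT gateways. The log format and the rule set are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample of passive DNS query log lines: "<timestamp> <client_ip> <qname>".
# In a real deployment these would come from resolver logs or a packet capture.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.msftconnecttest.com
1700000002 10.0.0.5 time.windows.com
1700000003 10.0.0.7 captive.apple.com
1700000004 10.0.0.9 connectivitycheck.gstatic.com
1700000005 10.0.0.9 www.msftconnecttest.com
1700000006 10.0.0.9 example-cdn.invalid
"""

# Illustrative fingerprint rules (assumed for this example): a regex over the queried
# name, the fingerprint category, and the label to assign. The leading "(^|\.)" lets a
# rule match subdomains too; a real rule base is far larger and more specific.
RULES = [
    (re.compile(r"(^|\.)msftconnecttest\.com$"), "os", "Windows"),
    (re.compile(r"(^|\.)time\.windows\.com$"), "os", "Windows"),
    (re.compile(r"(^|\.)captive\.apple\.com$"), "os", "Apple"),
    (re.compile(r"(^|\.)connectivitycheck\.gstatic\.com$"), "os", "Android"),
]

def parse_log(text):
    """Yield (client_ip, qname) pairs from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def fingerprint(text, rules=RULES):
    """Return {client_ip: {category: set(labels)}} from all matching rules."""
    result = defaultdict(lambda: defaultdict(set))
    for ip, qname in parse_log(text):
        for pattern, category, label in rules:
            if pattern.search(qname):
                result[ip][category].add(label)
    return {ip: dict(cats) for ip, cats in result.items()}

def suspected_nat(fingerprints):
    """Client IPs carrying more than one OS fingerprint. A single host normally runs
    one OS, so conflicting labels behind one address suggest a NAT gateway."""
    return sorted(ip for ip, cats in fingerprints.items() if len(cats.get("os", ())) > 1)

if __name__ == "__main__":
    fps = fingerprint(SAMPLE_LOG)
    for ip, cats in sorted(fps.items()):
        print(ip, {c: sorted(labels) for c, labels in cats.items()})
    print("suspected NAT:", suspected_nat(fps))
```

Queries that match no rule (here `example-cdn.invalid`) contribute nothing, which is why rule coverage, not log volume, determines how much of a network such a tool can classify.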

Our current work focuses on extending the fingerprinting rules, improving de-NATing, automating the analysis of software to generate fingerprints, and evaluating other fingerprinting approaches, including ones based on other protocols or flows and on machine learning techniques.