DNS-based Network Fingerprinting
Internet connected devices make use of the Domain Name System, short DNS, to translate human readable domain names into IP addresses. Since DNS is unencrypted, often outsourced, and used prior to most network connections, it is possible to fingerprint the software that initializes such connections, by passively monitoring DNS traffic.
DONUT, short for Domain Oriented Network Unmasking Tool, is a system for fingerprinting device types, operating systems, applications, and network structures based on DNS traffic. It is extensible, modular, and uses a rule-based approach to detect software specific fingerprints, which allows to easily extend its database. In addition to fingerprinting software, DONUT is able to detect NAT configurations and, to a certain extent, de-NAT DNS traffic.
Our current work focuses on extending fingerprinting rules, improving De-NATing, automating the analysis of software for fingerprint generation, and evaluating other approaches for fingerprinting also using other protocols or flows, for example using machine learning techniques.