[nsp-sec] DNS flow data

Florian Weimer fweimer at bfk.de
Fri Apr 25 06:17:51 EDT 2008


Hi,

would anyone be willing to share some DNS Netflow data (non-sampled at
the packet level) for a small project of mine?  I'm just interested in
typical numbers of packets per flow, both for stub -> recursor and for
recursor -> authoritative requests.  IP addresses can be fully
anonymized, as long as the stub/recursor/authoritative distinction is
preserved.  I can provide a Perl script which does this based on CIDR
data of clients and recursors.

This data is a quick way to check if DNS source port randomization may
have an adverse impact.  If most DNS traffic already is in a "one
packet per flow" category from a Netflow perspective, this isn't
something to worry about.  Our own DNS traffic is a bit inconclusive
in this regard, but it's also not representative of the network in
general anyway.

Success stories about turning on port randomization are welcome,
too--but I'm worried about folks who put stateful middleboxes in front
of their resolvers, and such configurations are rare in SP
environments, I guess.

Florian
-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
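
The measurement asked for above, as an added example that is not part of the original message and is not the Perl script it mentions: UDP port 53 flow records are classified by client and recursor CIDR data, and packets per flow are counted for each direction without keeping any address. The record layout (src dst proto dst_port packets), the CIDR ranges and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed CIDR data for clients and recursors (documentation prefixes).
CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]
RECURSOR_NETS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample records: src dst proto dst_port packets
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.1 17 53 1
192.0.2.11 198.51.100.1 17 53 1
192.0.2.12 198.51.100.2 17 53 14
198.51.100.1 203.0.113.5 17 53 1
198.51.100.1 203.0.113.9 17 53 220
198.51.100.2 203.0.113.5 17 53 1
192.0.2.10 203.0.113.80 6 80 12
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def classify(src, dst):
    """Return the request direction; the addresses themselves are not kept."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_any(s, CLIENT_NETS) and in_any(d, RECURSOR_NETS):
        return "stub->recursor"
    if in_any(s, RECURSOR_NETS) and not in_any(d, CLIENT_NETS + RECURSOR_NETS):
        return "recursor->authoritative"
    return None

def packets_per_flow(text):
    """Histogram of packets per flow, keyed by direction, for UDP/53 requests."""
    hist = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "17" or fields[3] != "53":
            continue  # malformed record, or not a UDP DNS request flow
        role = classify(fields[0], fields[1])
        if role:
            hist.setdefault(role, Counter())[int(fields[4])] += 1
    return hist

def single_packet_share(counter):
    total = sum(counter.values())
    return counter[1] / total if total else 0.0

if __name__ == "__main__":
    for role, counts in sorted(packets_per_flow(SAMPLE_FLOWS).items()):
        print(role, dict(counts), f"one-packet share: {single_packet_share(counts):.2f}")
```

A one-packet share close to 1.0 for both directions corresponds to the "one packet per flow" case described in the message.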


