[textmode]

"--norecurse Useful for DNS cache snooping"

Not if the resolver rejects non-recursive queries, as do dnscache and dqcache.

There is a way to resolve DNS domainnames to IP addresses using only non-recursive queries. I do it everyday.

But I've never seen anyone release any program that did this. Your program does not even attempt to do this -- you need to send the queries to authoritative nameservers not public resolvers. But you used the term "non-recursive" so I thought maybe someone had finally tried.

One of the shortcomings of DNS IMO is that the specification allows for the possibility of including more than one name in a query. But no one has ever implemented this, as far as I know.

Despite the design of the DNS, most of the information stored in it is more static than dynamic, and much of it is centralized. Most dommainnames do not change IP addresses very often and there are very large numbers of domainnames sharing the same authoritative nameservers.

[blechschmidt]

For DNS cache snooping the usage would of course be different. You would supply the tool with one resolver which does not reject non-recursive queries. Theoretically, one could even perform traffic analyses of DNS resolvers by snooping.

Having implemented the --norecurse option, the title is at least not wrong anymore. One can have non-recursive, non-iterative resolver (which is what you use when you want to perform DNS cache snooping) and the title does not suggest that the tool supports iterative lookups.

Handling multiple questions within one packet is difficult because response codes such as NXDOMAIN are only included once per packet. AFAIK, bind does not support handling such queries.

[textmode]

"AKAIK, bind does not support handling such queries."

AKAIK, there is not a server in existence that handles such queries.

Cache snooping is not very reliable. I tested the 999 open resolvers listed in resolvers.txt for example.com and only 643 of them returned an answer. 13 of those answers were fake.

Moreover, there are at least hundreds of thousands of domainnames that will not be in any given cache.

Finally, most internet users are probably not using open resolvers. They are more likely using the ones provided by their ISP, which are not open.

Anyway, I doubt anyone is ever going to release a non-recursive resolver.

I have my own solution which is too embarrasing to release but I can tell you it is usually faster than a recursive resolver if the cache is not already primed with the right records.

To me, "non-recursive" resolution means something specific -- no use of DNS caches. And because of that there's no risk of "cache poisoning".