The Resolution Layer governs DNS lookups, a subtle but highly discriminative detection surface. Adversaries often correlate resolver identity, refresh cadence, and query fan-out patterns to distinguish automated clients. A divergence between HTTP egress and DNS egress, or resolver sequences that deviate from population norms, can be sufficient for clustering. This layer enforces deterministic resolver selection, bounded caching, and structured fallback. Its role is to align DNS activity with the stealth guarantees provided by other layers, eliminating a common path for linkability.

5.1 Design Philosophy

Baseline approaches rely on system defaults or indiscriminate use of public resolvers. These create two characteristic leaks:
  • Path divergence: HTTP routed through one path while DNS remains local.
  • Population mismatch: resolver distributions that differ sharply from background traffic.
The Resolution Layer enforces alignment between DNS resolution and transport policy. Resolver sets are deterministic, cache lifetimes bounded, and fallback behavior structured. This ensures DNS traffic is both predictable and statistically plausible within the broader stealth envelope.

Common pitfalls
  • Using local system defaults, leaking host identity
  • Splitting HTTP and DNS egress paths, creating divergence artifacts
  • Indiscriminate use of public resolvers outside population norms
  • Unbounded TTLs that yield stale answers and anomalous refresh patterns
  • Stochastic fallback behavior that produces inconsistent resolver logs

5.2 Resolver Invariant

Every lookup yields one of three outcomes:
  1. Answer returned and cached under bounded TTL.
  2. Explicit miss classified as NXDOMAIN, NoAnswer, or Timeout.
  3. Structured fallback to a secondary resolver set, with deterministic logging.
This preserves consistency while preventing silent or stochastic behavior that would mark automation.

5.3 Cache Model

Reconnaissance workloads exhibit high repetition in DNS queries. Without caching, repeated lookups amplify visibility; with caching, upstream query rates are reduced but stale answers risk misalignment. If lookups arrive with rate $\lambda$ and cache TTL is $T$, the expected hit probability is:

$$P_{\mathrm{hit}} = 1 - e^{-\lambda T}.$$

  • Larger $T$ increases hit rate but risks outdated answers.
  • Smaller $T$ preserves freshness but increases resolver exposure.
Parameters omitted by design. Deterministic cache adherence ensures behavior mirrors standard resolver practice, avoiding anomalous expiry patterns.

5.4 Resolve Flow

Resolution follows a staged process: query primary resolvers first, fall back if a failure occurs, and cache any valid result. Errors are classified explicitly rather than dropped.

5.5 Integration with Other Layers

  • Timing Layer: DNS prefetch occurs during idle windows, minimizing visible bursts.
  • Concurrency Layer: bulk prefetch is rate-limited to prevent query storms, while cooldowns indirectly suppress DNS load.
  • Transport Layer: DNS and HTTP share the same egress path, eliminating split horizon leakage. Cache resets or refreshes occur on transport rotation.
  • Fingerprint Layer: observed resolver latencies and errors remain consistent with the expected profile of the fingerprint family.
These integrations maintain coherence across the stealth envelope, preventing DNS from drifting out of alignment with other request dimensions.

5.6 Formal Considerations

Let $R_p$ denote the primary resolver set and $R_b$ the backup set. For a query $q$:

$$\text{resolve}(q) = \begin{cases} \text{Ans}(R_p, q), & \text{if primary succeeds} \\ \text{Ans}(R_b, q), & \text{if primary fails} \\ \text{None}, & \text{if all fail} \end{cases}$$

where $\text{Ans}(R, q)$ returns a valid response if available, caching it deterministically.
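The invariant in 5.2, the flow in 5.4 and the case definition above, written out as an added example that is not part of the original documentation or the project's own code. The resolver callables, the 300-second TTL cap and the sample names and addresses are constructed for illustration, and treating every miss class as a failure that triggers fallback is an assumption.

```python
import time
from enum import Enum

class Miss(Enum):  # explicit miss classes from 5.2
    NXDOMAIN = "NXDOMAIN"
    NO_ANSWER = "NoAnswer"
    TIMEOUT = "Timeout"

MAX_TTL = 300  # assumed cap in seconds; the page omits its parameters

class Resolver:
    def __init__(self, primary, backup, clock=time.monotonic, max_ttl=MAX_TTL):
        # Each set is an ordered list of (name, query_fn). query_fn(q) returns
        # (address, ttl) or a Miss; these callables are hypothetical stand-ins.
        self.sets = (("primary", primary), ("backup", backup))
        self.clock, self.max_ttl = clock, max_ttl
        self.cache = {}  # q -> (address, expires_at)
        self.log = []    # (q, resolver set, resolver, outcome)

    def resolve(self, q):
        hit = self.cache.get(q)
        if hit and hit[1] > self.clock():
            self.log.append((q, "cache", "-", "hit"))
            return hit[0]
        last = Miss.TIMEOUT  # result if both sets are empty
        for label, resolvers in self.sets:      # R_p first, then R_b
            for name, query_fn in resolvers:    # fixed order, never shuffled
                result = query_fn(q)
                if isinstance(result, Miss):    # assumption: any miss falls through
                    self.log.append((q, label, name, result.value))
                    last = result
                    continue
                addr, ttl = result
                # Bound the cache lifetime regardless of the advertised TTL.
                self.cache[q] = (addr, self.clock() + min(ttl, self.max_ttl))
                self.log.append((q, label, name, "answer"))
                return addr
        return last  # the "None" case of 5.6, kept as an explicit class

def demo():
    now = [0.0]                                   # constructed clock
    zone = {"a.example": ("192.0.2.10", 86400)}   # constructed records
    down = lambda q: Miss.TIMEOUT
    up = lambda q: zone.get(q, Miss.NXDOMAIN)
    r = Resolver([("p1", down)], [("b1", up)], clock=lambda: now[0])
    first, second = r.resolve("a.example"), r.resolve("a.example")
    now[0] = MAX_TTL + 1                          # past the clamped TTL
    third, missing = r.resolve("a.example"), r.resolve("b.example")
    return r.log, (first, second, third, missing)
```

The log returned by `demo()` records every attempt in order, so a failed primary and the backup answer that followed it are both visible for the same query.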

5.7 Operational Outcome

The Resolution Layer ensures that:
  • DNS lookups align with HTTP/TLS egress paths, preventing split horizon leakage.
  • Cache reduces correlation risk while avoiding anomalous expiry signals.
  • Fallbacks are structured, deterministic, and observable.
Resolution is thus transformed from a frequent linkage vector into a controlled, stealth-consistent process, aligned with timing, concurrency, and transport guarantees.