Farsight TXT Record

RRset and Rdata Demystified

Written by: Joe St. Sauver
Published on: Mar 11, 2015

Introduction

Because Farsight Security, Inc. (FSI) arose from the domain name system (DNS) community, a lot of DNS-related “terms of art” end up getting casually thrown around. These terms allow for very precise conversations among colleagues, but can end up sounding like jargon and confuse (rather than inform) those whose expertise may be in another area.

For example, consider “RRset” vs. “Rdata.” Those terms are routinely used in conjunction with FSI’s Passive DNS database, DNSDB(tm), and are discussed on the DNSDB info page. We could talk about what “RRset” and “Rdata” mean based on their description in RFC 1034, the November 1987 “Domain Names - Concepts and Facilities” document that was written by Dr. Paul Mockapetris, one of Farsight Security’s Board Members, but let’s try a different, “more hands-on” approach.

Why try a hands-on approach? Well, many of you are working cybersecurity people who are investigating cyber incidents. You’re not “DNS people,” you don’t want to become DNS people, and you may not even care what things are called. Instead, you just want to be able to take what you’ve already got (perhaps a domain name or an IP address of interest), and use DNSDB to follow those leads in useful ways.

That’s entirely reasonable.

So, if you have a domain name or an IP address, what can you do with Farsight Security’s DNSDB? And can we figure out what “RRset” vs. “Rdata” means by a bit of trial and error?

If you’re a relatively new DNSDB subscriber, you may find using the web interface to query DNSDB suits your needs. However, most day-in-day-out DNSDB users prefer the dnsdb_query.py python command line client instead. (We’ll talk about the dnsdb_query.py client below, but much of what we’ll say will be equally applicable to the web interface.)

When querying DNSDB with dnsdb_query.py, you have a choice of three query options:

  1. -r: to query the RRset
  2. -n: to query the Rdata by name
  3. -i: to query the Rdata by IP address (or by CIDR netblock)

What dnsdb_query.py does on your behalf, and the output you receive, depends on which of those three options you specify. But which option should you choose?

Your options are actually narrower than you might think:

  • If you have an IP address (or CIDR netblock), you’ll always use -i, since that’s the only option that will work with an IP address.
  • If you have a domain name, you’ll use either -r or -n.

So how do you know which to use?

If you’re not sure, you can always try using both and see which one works best for your needs, but we can also give you some guidance to help you select the best option as a matter of judgment rather than trial and error.

Let’s start by considering -r queries.

RRset Queries

Performing a -r query for “A records” associated with the host www.farsightsecurity.com, we see:

1 $ dnsdb_query.py -r www.farsightsecurity.com/A
2 ;; bailiwick: farsightsecurity.com.
3 ;; count: 4,329
4 ;; first seen: 2013-09-25 20:02:10 -0000
5 ;; last seen: 2015-01-28 17:16:11 -0000
6 www.farsightsecurity.com. IN A 66.160.140.81

7 ;; bailiwick: farsightsecurity.com.
8 ;; count: 164
9 ;; first seen: 2013-07-01 17:37:26 -0000
10 ;; last seen: 2013-09-24 17:14:08 -0000
11 www.farsightsecurity.com. IN A 149.20.4.207

Substantively, lines 6 and 11 indicate that www.farsightsecurity.com has resolved to the IPv4 addresses 66.160.140.81 and 149.20.4.207.

If we scrutinize the output from that command more closely, we can see that the records returned for that query contain www.farsightsecurity.com on the “left-hand side” of the DNS records. That is:

www.farsightsecurity.com IN A 66.160.140.81
^^^^^^^^^^^^^^^^^^^^^^^^      ^^^^^^^^^^^^^
Left-hand side                Right-hand side

As illustrated above, IN A in this case is the “split” or “dividing point” between what’s “on the left-hand side” and what’s “on the right-hand side”. This “stuff on the left-hand side” and “stuff on the right-hand side” concept is fundamental to the difference between RRset queries and Rdata queries:

  • When you make RRset queries (-r), you’re searching DNSDB for matches in the “left-hand side” of DNSDB DNS records
  • When you make Rdata queries (-n or -i), you’re searching DNSDB for matches in the “right-hand side” of DNSDB DNS records
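The left-hand side / right-hand side distinction is easiest to see by parsing the client’s output into structured records and asking, for each record, which side a given name sits on. The following is an added example (not Farsight’s code and not part of dnsdb_query.py): it parses the presentation-format output shown above (the “;;” metadata lines followed by a data line, groups separated by blank lines), keeps the bailiwick, count and first/last-seen timestamps, and reports whether a name is on the owner (left) side, which is what -r searches, or in the rdata (right) side, which is what -n and -i search. The two sample outputs embedded in it are copied from this article’s -r and -n queries, with the line numbers removed; the Record class, parse_dnsdb_text, side_of and latest_rdata are names chosen for this example.

```python
"""Parse dnsdb_query.py text output into records and report which side of
each record a name sits on.  This is an added example, not Farsight's code.
SAMPLE_R_OUTPUT is the article's -r query output (line numbers removed);
SAMPLE_N_OUTPUT is the article's -n query output."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_R_OUTPUT = """\
;; bailiwick: farsightsecurity.com.
;; count: 4,329
;; first seen: 2013-09-25 20:02:10 -0000
;; last seen: 2015-01-28 17:16:11 -0000
www.farsightsecurity.com. IN A 66.160.140.81

;; bailiwick: farsightsecurity.com.
;; count: 164
;; first seen: 2013-07-01 17:37:26 -0000
;; last seen: 2013-09-24 17:14:08 -0000
www.farsightsecurity.com. IN A 149.20.4.207
"""

SAMPLE_N_OUTPUT = "81.64-26.140.160.66.in-addr.arpa. IN PTR www.farsightsecurity.com.\n"


@dataclass
class Record:
    owner: str                 # left-hand side (what -r searches)
    rrtype: str
    rdata: str                 # right-hand side (what -n / -i search)
    bailiwick: Optional[str] = None
    count: Optional[int] = None
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


# ";; first seen: 2013-09-25 20:02:10 -0000" -> ("first seen", "2013-09-25 ...")
_META = re.compile(r"^;;\s*([a-z ]+?):\s*(.+)$")


def _parse_ts(value: str) -> datetime:
    # dnsdb_query.py prints timestamps like "2013-09-25 20:02:10 -0000"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def parse_dnsdb_text(text: str) -> List[Record]:
    """Turn dnsdb_query.py presentation-format output into Record objects.
    ';;' comment lines carry metadata for the data line that follows them;
    a blank line ends a result group."""
    records: List[Record] = []
    meta: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            meta = {}
            continue
        m = _META.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
            continue
        parts = line.split(None, 3)          # OWNER CLASS TYPE RDATA
        if len(parts) < 4 or parts[1] != "IN":
            raise ValueError(f"unrecognised output line: {raw!r}")
        owner, _cls, rrtype, rdata = parts
        records.append(Record(
            owner=owner, rrtype=rrtype, rdata=rdata,
            bailiwick=meta.get("bailiwick"),
            count=int(meta["count"].replace(",", "")) if "count" in meta else None,
            first_seen=_parse_ts(meta["first seen"]) if "first seen" in meta else None,
            last_seen=_parse_ts(meta["last seen"]) if "last seen" in meta else None,
        ))
        meta = {}
    return records


def side_of(record: Record, name: str) -> str:
    """Return 'left' if NAME is the record's owner (found by -r), 'right'
    if it appears in the rdata (found by -n / -i), else 'neither'."""
    wanted = name.rstrip(".").lower()
    if record.owner.rstrip(".").lower() == wanted:
        return "left"
    fields = [f.rstrip(".").lower() for f in record.rdata.split()]
    return "right" if wanted in fields else "neither"


def latest_rdata(records: List[Record], rrtype: str) -> Optional[str]:
    """Rdata of the most recently seen record of RRTYPE, e.g. the address
    a host resolved to last according to DNSDB."""
    dated = [r for r in records if r.rrtype == rrtype and r.last_seen]
    if not dated:
        return None
    return max(dated, key=lambda r: r.last_seen).rdata


if __name__ == "__main__":
    for rec in parse_dnsdb_text(SAMPLE_R_OUTPUT) + parse_dnsdb_text(SAMPLE_N_OUTPUT):
        side = side_of(rec, "www.farsightsecurity.com")
        print(f"{rec.rrtype:4} {rec.owner} -> {rec.rdata}  (name is on the {side})")
```

Run against the -r output, both A records put www.farsightsecurity.com on the left; run against the -n output, the PTR record puts it on the right, which is exactly why the two queries return different records for the same name. The last-seen timestamps are also what you want when deciding which of several historical addresses is the current one.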

A couple more quick notes about -r queries:

  • While we searched for an exact match (e.g., www.farsightsecurity.com), we could also have searched for a wildcard match, such as *.farsightsecurity.com, which would have matched a far wider range of records. By using a wildcard query, we’ll find many different hosts that are part of the farsightsecurity.com domain name space, but the -r query will still only search the “left-hand side” part of the DNS records in the DNSDB database.
  • In our original -r search, we specifically asked to just see the A records that DNSDB knew about for www.farsightsecurity.com; if we’d omitted the /A from the end of the query string, we would have seen ALL the different sorts of records that DNSDB knows about, which could include AAAA, MX, or CNAME records. Sometimes a wider range of records is quite helpful; other times those extra records returned are just distracting noise.

Rdata Queries for domain names

Now it’s time to see a -n query for www.farsightsecurity.com:

$ dnsdb_query.py -n www.farsightsecurity.com
81.64-26.140.160.66.in-addr.arpa. IN PTR www.farsightsecurity.com.

This query matches only a single DNSDB record that has www.farsightsecurity.com on the “right-hand side.”

We know that you may be somewhat underwhelmed by the single result from our sample -n query — that’s because we only asked about one specific host, www.farsightsecurity.com.

-n queries tend to be particularly useful if they’re made about a known DNS server rather than just a run-of-the-mill average host name.

DNS servers map domain names to IP addresses, and the servers responsible for a domain are declared via DNS “NS records”, with the name of the name server on the “right-hand side.” That’s perfect for -n queries.

For instance, if we make a -n query for a sample university name server, in this case phloem.uoregon.edu, dnsdb_query.py returns a list of over 1,500 domain names that DNSDB knows about, all of which rely on phloem.uoregon.edu for name service:

$ dnsdb_query.py -n phloem.uoregon.edu/NS
uoregon.biz. IN NS phloem.uoregon.edu.
maoz.com. IN NS phloem.uoregon.edu.
...

Major name servers may answer for even more domains — sometimes for hundreds of thousands of domains, or even more. By default, dnsdb_query.py will tell you about 10,000 records, but you can get up to a million records if you use the -l (record limit) option, e.g.:

$ dnsdb_query.py -l 1000000 [other options here]

Rdata Queries for IP addresses

-i queries are used to find DNSDB records matching a specific IP address. If we issue the query:

$ dnsdb_query.py -i 149.20.4.207
farsightsecurity.com. IN A 149.20.4.207
www.farsightsecurity.com. IN A 149.20.4.207

DNSDB is searched and returns two matches for that IP address, both based on IP addresses found in “right-hand side data.” The -i right-hand side query is just like the -n query discussed above, except that the -i query is searching for IP addresses, not domain names.

-i queries can also be used to return all records that match a CIDR netblock. For example:

$ dnsdb_query.py -i 128.223.17.0/24
d17-86.uoregon.edu. IN A 128.223.17.86
d17-87.uoregon.edu. IN A 128.223.17.87
d17-88.uoregon.edu. IN A 128.223.17.88
d17-89.uoregon.edu. IN A 128.223.17.89
...

You might ask, “but what if I want to search the left-hand side of the records in the DNSDB database for an IP address?” The answer there is, “You can’t.”

Why? There’s no such thing as an “IP address-only left-hand side” in DNSDB records. :-) There are some DNS records that are CLOSE to being all numeric on the left-hand side, but even those inverse address records are actually names (“labels”), not just IP addresses, so you’d search for them with a -r query, just as you would search for any other “left-hand side” label.

Leveraging the dnsdb_query C-language Client for making bulk RRset and Rdata queries

In addition to the dnsdb_query.py (Python) client shown in the preceding examples, FSI also offers a C-language dnsdb_query client.

The C-language client is particularly noteworthy for allowing batch file input, while also supporting conventional -r, -n, and -i arguments on the command line.

If you’re going to use the C-language client’s batch input file option, -f, your batch input file can have three different sorts of queries:

rrset/name/NAME[/TYPE[/BAILIWICK]]
rdata/name/NAME[/TYPE]
rdata/ip/ADDR[/PFXLEN]

If you’ve been following along to this point, you should be able to easily translate or decode what those three types of queries represent:

  • rrset/name/NAME represents the “batch” version of a -r query, looking for domain name-related label matches on the LEFT-hand side
  • rdata/name/NAME represents a -n query, looking for DOMAIN NAME-related result matches on the RIGHT-hand side
  • rdata/ip/ADDR represents a -i query, looking for IP ADDRESS-related result matches on the RIGHT-hand side

For example, you might create a file called temp-input.txt that has the lines:

rrset/name/*.wikipedia.org
rrset/name/*.dmoz.org
rdata/name/*.pbs.org
rdata/name/*.opb.org
rdata/ip/198.35.26.96
rdata/ip/23.21.237.247
...

and then run that through the C-language client’s batch input file submission option by saying:

$ dnsdb_query -f < temp-input.txt > temp-output.txt
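Writing such a batch file by hand is fine for half a dozen indicators; for a longer list it is better to let the “which side can this indicator be on?” rule from earlier in the article decide the query form for you. The following is an added example, not Farsight’s code: it takes a list of indicators, emits a single rdata/ip/ADDR[/PFXLEN] line for anything that parses as an IP address or CIDR netblock (an address can only ever be on the right-hand side), and emits both an rrset/name/NAME[/TYPE] and an rdata/name/NAME[/TYPE] line for anything else, since a domain name may sit on either side and the article suggests trying both. The indicator list, the function names and the file name temp-input.txt (the article’s own) are all constructed for illustration.

```python
"""Build a batch input file for the C-language dnsdb_query client's -f
option from a list of indicators.  Added example, not Farsight's code;
the indicator list is constructed for illustration."""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def batch_queries(indicator: str, rrtype: Optional[str] = None) -> List[str]:
    """Batch-file lines for one indicator, in the three forms the article
    lists: rrset/name/NAME[/TYPE], rdata/name/NAME[/TYPE] and
    rdata/ip/ADDR[/PFXLEN].  An IP address or CIDR netblock only ever
    appears on the right-hand side, so it gets a single rdata/ip query.  A
    domain name (wildcards included) could sit on either side, so it gets
    both an rrset/name (-r) and an rdata/name (-n) query."""
    ind = indicator.strip()
    try:
        net = ipaddress.ip_network(ind, strict=False)
    except ValueError:
        net = None                      # not an address: treat as a name
    if net is not None:
        if net.prefixlen == net.max_prefixlen:
            return [f"rdata/ip/{net.network_address}"]      # single host
        return [f"rdata/ip/{net.network_address}/{net.prefixlen}"]
    suffix = f"/{rrtype.upper()}" if rrtype else ""
    return [f"rrset/name/{ind}{suffix}", f"rdata/name/{ind}{suffix}"]


def build_batch(indicators: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """Expand (indicator, rrtype) pairs into batch lines, dropping duplicates
    while keeping order so the output file is stable and easy to diff."""
    seen = set()
    lines: List[str] = []
    for indicator, rrtype in indicators:
        for line in batch_queries(indicator, rrtype):
            if line not in seen:
                seen.add(line)
                lines.append(line)
    return lines


def write_batch_file(path: str, indicators: Iterable[Tuple[str, Optional[str]]]) -> int:
    """Write the batch file and return the number of query lines written."""
    lines = build_batch(indicators)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


# Constructed sample: hostnames, a name server, a wildcard, an address and a netblock
SAMPLE_INDICATORS = [
    ("www.farsightsecurity.com", "A"),
    ("phloem.uoregon.edu", "NS"),
    ("*.pbs.org", None),
    ("149.20.4.207", None),
    ("128.223.17.0/24", None),
    ("149.20.4.207", None),          # duplicate, should be written once
]

if __name__ == "__main__":
    n = write_batch_file("temp-input.txt", SAMPLE_INDICATORS)
    print(f"wrote {n} queries; now run: dnsdb_query -f < temp-input.txt > temp-output.txt")
```

Note that a host address given with a prefix, such as 128.223.17.5/24, is normalised to its network address (128.223.17.0/24) before being written, and that a bare address is written without a /PFXLEN, matching the forms listed above.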

Another unique feature of the C-language client is that it supports comma-separated value (“CSV”) format output. While the default text-format output is easy to visually scan, CSV format output makes it easy to import DNSDB output into Microsoft Excel and other applications that consume CSV-format data files.

To request CSV-format output, simply add -p csv to the dnsdb_query command you’d otherwise enter.

Pretty convenient and easy, now that you know how to interpret RRset and Rdata!

Conclusion

The best way to become more familiar with the power of DNSDB and dnsdb_query.py is by trying it with some queries of your own. We hope you enjoy the experience!

Not currently a DNSDB subscriber? Want to know more? Please contact [email protected] or visit our Order page for information about how to purchase access to DNSDB.

Joe St. Sauver is a Distributed Research Scientist for Farsight Security, Inc.