Alternatives to Passive DNS Replication

This document lists some alternatives to passive DNS replication (and the existing sensor network) which are feasible for some applications.

Top-Level Zone Access

Most generic top-level domain operators are under contractual obligation by ICANN to publish their zone files. Below is a list of such zone file access programs.

After signing a rather permissive contract, you can download zone file data. Because name server data is included (in the form of NS records), the data is suited to correlating domain name servers as-is (but not for much more). The data set seems to of a size which is amenable to processing with standard UNIX tools (sort, comm, grep) and free SQL databases such as PostgreSQL or MySQL. Of course, the COM is a close call in this respect.

Note: The author of this document does not participate in any of the zone file access programs, and does not have access to these zone files. The information in the preceding paragraph is based on hearsay.

Running your own sensors and collectors

Source code of an older version of the dnslogger software has been published. This version is no longer supported and is known to be less scalable than the current one.

Licensing options for the current software are currently being worked out. To prevent fragmentation of the existing sensor network, prior to a release, a distributed WHOIS server has to be implemented. This is expected for Q3 2005.

Buying the data

Some companies offer subscription services which allow query access to top-level zone files and data derived from them (e.g. A records for host names of the form example.com and www.example.com). While these services have a focus different from passive DNS replication, they might be able to fulfill your needs.

In contrast, access to the passive DNS replication database is not available for sale.

Access to the existing database

Access to the existing database is granted to trusted individuals in the network service provider security community, or to trusted sensor operators. The data is intended to serve as an additional guide in global threat mitigation (A RR recovery, estimates of collateral damage). It is not intended as a general data mining source for all kinds of blacklist (unsolicited bulk email, other forms of unsolicited advertizing, pornography and other content not compatible with local community standards).

Revisions


Florian Weimer
Home Blog (DE) Blog (EN) Impressum RSS Feeds