/*
* Copyright (c) 2014-2021 by Farsight Security, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
Table of Contents:
* Introduction
* Dependencies needed
* Installing dependencies
* Building and installing
* Getting Started
* Background on ASINFO/CIDR lookups and annotations
Introduction:
This is a pure C99 program that accesses passive DNS database
systems such as:
* the DNSDB API server at Farsight Security
* the CIRCL pDNS server at Computer Incident Response Center
(LU)
An API key is required for operation. The command syntax was
inspired by a Python script called dnsdb_query, but significant
departures have occurred, largely driven by a modern understanding
of "time fencing" and a desire for new features such as CSV output
and JSON reprocessing.
NOTE: Prior to version 2.5.3, the default pDNS system supported
was Farsight Security APIv1, and it was called "dnsdb". As of
version 2.5.3, the default system is Farsight Security APIv2 and
system "dnsdb2" is synonymous with "dnsdb". For APIv1, specify
"dnsdb1" using the command line -u option or the DNSDBQ_SYSTEM
variable.
Dependencies needed:
jansson (2.5 or later)
libcurl (7.28 or later)
modern compiler (clang or GCC)
Installing dependencies:
On Debian 8 Linux:
apt-get install libcurl4-openssl-dev
apt-get install libjansson-dev
On CentOS 6 Linux:
# Based on PHP instructions for installing libcurl...
wget http://curl.haxx.se/download/curl-7.28.1.tar.gz
tar xvzf curl-7.28.1.tar.gz
cd curl-7.28.1/
./configure --with-libssh2 --enable-ares=/usr/local/ --enable-ipv6
make
make install
# lib jansson
wget http://www.digip.org/jansson/releases/jansson-2.5.tar.gz
tar -xpzf jansson-2.5.tar.gz
cd jansson-2.5
./configure
make
make install
echo /usr/local/lib >> /etc/ld.so.conf.d/local.conf
ldconfig
On CentOS 7 Linux:
yum install libcurl-devel.x86_64
yum install jansson-devel.x86_64
yum install centos-release-scl
yum install devtoolset-8
scl enable devtoolset-8 bash
# do the build from that bash
On CentOS / AlmaLinux / Rocky Linux 8:
dnf install gcc jansson.x86_64 jansson-devel.x86_64 libcurl-devel.x86_64
On FreeBSD 10:
pkg install curl jansson
On macOS:
brew install jansson
On Amazon Linux 2023 (AWS EC2):
# A plain vanilla Amazon Linux AMI comes with curl-minimal, and 'make' will
# fail with an error that curl/curl.h is not found. Installing the following packages
# will allow dnsdbq to compile on a fresh Amazon Linux 2023 AMI:
yum install make
yum install git
yum install gcc
yum install libcurl-devel
yum install jansson-devel
Building and installing:
(Assumes you have "git")
git clone https://github.com/dnsdb/dnsdbq.git
cd dnsdbq
make install clean
On FreeBSD, you may need to remove -lresolv in the LIBS line of
the Makefile.
On macOS on Apple M1 processors, Homebrew now defaults to being
installed in /opt/homebrew instead of /usr/local. If that is the
case on your system, uncomment the following line in the Makefile:
#JANSBASE=/opt/homebrew
On macOS, if you want an almost static dnsdbq binary, that is, one
with minimal non-System library dependencies, you can rebuild
dnsdbq with a static jansson library. That binary could then be
deployed on any identical macOS version and architecture.
1. Find the static jansson library, probably as installed by brew
/usr/local/lib/libjansson.a or /opt/homebrew/lib/libjansson.a
2. Change the Makefile's line
JANSLIBS = -L$(JANSBASE)/lib -ljansson
to instead specify the static library location, probably to:
JANSLIBS = $(JANSBASE)/lib/libjansson.a
3. Then run make
Getting Started:
Add the API key to ~/.dnsdb-query.conf in the format shown below:
APIKEY="YOURAPIKEYHERE"
If you're interested in purchasing a Farsight DNSDB subscription,
please contact [email protected]. Farsight also has a
grant program for selected researchers, investigative journalists,
and cybersecurity workers at some public benefit non-profits.
See https://www.farsightsecurity.com/grant-access/
Here's an example query and output after dnsdbq is compiled:
$ ./dnsdbq -r farsightsecurity.com/A -l 1
;; record times: 2013-09-25 15:37:03 .. 2015-04-01 06:17:25 (~1y ~187d)
;; count: 6350; bailiwick: farsightsecurity.com.
farsightsecurity.com. A 66.160.140.81
Background on ASINFO/CIDR lookups and annotations:
Annotating IP addresses with ASN information can help an analyst
focus their attention on unusual or unexpected ASNs (for example,
perhaps a domestic US corporation's IP address inexplicably ended
up being originated by a foreign consumer ISP).
This code has been tested against three sources of ASN information,
each of which is a valid argument to the -D parameter.
1. asn.routeviews.org (the default value for the -D parameter).
Given an IPv4 address with its octets in reverse order, this
returns a space-separated three-tuple:
"ASN" "CIDR prefix" "prefix length"
For badly formatted addresses, it returns:
"4294967295" "0" "0"
For unknown addresses, it returns no answers.
Examples:
$ dig +short 34.168.254.125.asn.routeviews.org TXT
"23724" "125.254.168.0" "21"
$ dig +short a.b.c.d.asn.routeviews.org TXT
"4294967295" "0" "0"
$ dig +short 0.0.0.128.aspath.routeviews.org TXT
$
2. aspath.routeviews.org
The same as asn.routeviews.org, except it returns a
three-tuple: AS path, CIDR prefix, prefix length.
Examples:
$ dig +short 0.0.0.4.aspath.routeviews.org TXT
"3303 3356" "4.0.0.0" "9"
3. origin.asn.cymru.com
Given an IPv4 address with its octets in reverse order, this
returns a pipe-separated five-tuple:
ASN | CIDR prefix/prefix length | CC | Registry | Allocated date
Example:
$ dig +short 0.0.0.4.origin.asn.cymru.com TXT
"3356 | 4.0.0.0/9 | US | arin | 1992-12-01"
Function asinfo_from_dns() in asinfo.c has specific code to parse
those formats. asn.routeviews.org and aspath.routeviews.org do
not currently handle IPv6 addresses properly, so dnsdbq does not
support IPv6 annotation now.
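To make the three answer formats concrete, here is a small parser for them in C. It is an added example written for this README, not the asinfo_from_dns() code in dnsdbq's asinfo.c; it assumes the TXT rdata is handed in exactly as `dig +short` prints it (quotes included), and the names asinfo_qname and asinfo_parse_txt are chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not dnsdbq's asinfo.c: holds one parsed TXT answer. */
struct asinfo { char asn[64]; char prefix[64]; };

/* Build the reverse-octet query name for a -D zone, e.g.
 * 125.254.168.34 + asn.routeviews.org -> 34.168.254.125.asn.routeviews.org
 * Returns 0 on success, -1 if ipv4 is not a dotted quad (the trailing %c must
 * NOT match: anything after the fourth octet is garbage) or out is too small. */
int asinfo_qname(const char *ipv4, const char *zone, char *out, size_t outlen) {
    unsigned o[4];
    char tail;
    if (sscanf(ipv4, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4)
        return -1;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255) return -1;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s", o[3], o[2], o[1], o[0], zone);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Parse one TXT rdata string as printed by `dig +short`. Returns 0 and fills
 * *ai on success, 1 when RouteViews signals a badly formatted address with
 * "4294967295" "0" "0" (UINT32_MAX, not a real ASN), and -1 if the text matches
 * neither format. An unknown address yields no TXT record, so never reaches here. */
int asinfo_parse_txt(const char *txt, struct asinfo *ai) {
    char cidr[64], plen[16];
    memset(ai, 0, sizeof(*ai));
    if (strchr(txt, '|') != NULL) {
        /* Team Cymru: "ASN | prefix/len | CC | registry | allocated date" */
        return sscanf(txt, "\"%63[^ |] | %63[^ |] |", ai->asn, ai->prefix) == 2 ? 0 : -1;
    }
    /* RouteViews: first field is an ASN (asn.) or a space-separated AS path (aspath.) */
    if (sscanf(txt, "\"%63[^\"]\" \"%63[^\"]\" \"%15[^\"]\"", ai->asn, cidr, plen) != 3)
        return -1;
    if (strcmp(ai->asn, "4294967295") == 0)
        return 1;
    snprintf(ai->prefix, sizeof(ai->prefix), "%s/%s", cidr, plen);
    return 0;
}

int main(void) {
    /* Constructed sample: the asn.routeviews.org answer quoted in this README. */
    const char *sample = "\"23724\" \"125.254.168.0\" \"21\"";
    struct asinfo ai;
    char qname[128];
    if (asinfo_qname("125.254.168.34", "asn.routeviews.org", qname, sizeof qname) == 0
        && asinfo_parse_txt(sample, &ai) == 0)
        printf("%s -> AS%s, prefix %s\n", qname, ai.asn, ai.prefix);
    return 0;
}
```

A defender using the annotation should keep the return code 1 case separate from a real answer, since 4294967295 is a sentinel rather than an origin ASN.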
There is a complication that arises when doing that sort of IP to
ASN mapping, however: publicly available IP to ASN zones are
based on currently observed IP to ASN mappings, while the IPs that
are being mapped may have been seen in passive DNS months or even
years earlier, when that IP may have been originated by a
different ASN.
Often the IP to ASN mappings are quite static, in which case
historical IPs will map just fine using the current IP to ASN
data. On the other hand, some IPs may have been hijacked and used
without authorization, or transferred, or otherwise ended up going
from one ASN to another.
Therefore the IP to ASN mapping should be viewed as an
experimental best effort feature, and interpreted with care.
In addition to the issue of potential ASN misalignment, the size
and origin of the reported origin IP and prefix length may also
have changed over time. For example, a /19 may have been
de-aggregated into a set of more specific /24s. Again, we report
the state of the world as it is currently seen by the service used
for the IP to ASN mapping.
Other miscellaneous notes:
* dnsdbq does not support mapping IPv6 addresses to ASNs at this
time.
* In the case of Multiple Origin ASNs, typically IP to ASN
services will report one of the multiple ASNs; other origin
ASNs may also exist but not be reported.
* We do not map ASNs to their owner or the owner description
string. Please see WHOIS for information about the entity
currently assigned a given ASN.
We welcome feedback on this feature. Do you use it and find it
useful? Are there IP-to-ASN service providers we've inadvertently
omitted? Share your feedback by writing