en en

DNS collector collection

Posted on Sun 20 October 2019 in Research

When I started to study Fast-Flux botnets in 2012, during my PhD, I was bit lost as I didn't really know where to start from. I remember, reading this paper from 2007 Know Your Enemy: Fast-Flux Service Networks. By the time, Python and Java DNS libraries were pretty confusing to me. I was more confident with C and Perl, hence I had lots of code to parse DNS data from Day in the life of the Internet project.

To be honest, I got some inspiration from Duane Wessels and The Measurement Factory project. It was very challenging back that time. The majority of my code was based on Perl's library Net::DNS.

I decided to write a wrapper on top of Net::DNS I called Net::DNS::Simple, that made my life very easy. Trust me, parsing DNS traffic from DIG output is not that easy or funny.

With Net::DNS::Simple I could easily get DNS sections by calling get_answer_section, get_authorative_section, and get_additional_section. Those sections provide data used in many DNS research papers.

use Net::DNS::Simple;
use feature say;
use strict;
use warnings;

my %config = (
        nameservers => ['', ''],
        recurse => 1,
        debug => 0

my $res = Net::DNS::Simple->new("kaiux.com", "A", %config);
#my $res = Net::DNS::Simple->new("yahoo.com", "A");

foreach my $entry ($res->get_answer_section()) {
    say $entry;

# print all sections if needed
#print $res->print_domain();

During my research, I realized that not all DNS response had AUTHORITY and ADDITIONAL sections, as some domains enabled minimal responses. To overcome that scenario, the solution is to loop all NS-type from domain and ask for A-type.

Along Net::DNS::Simple I wrote additional tools such as:

  • Net-DNS-Reputation-TeamCymru
  • Net-DNS-Reputation-HoneyProject

I am still cleaning old codes from my PhD research project. Recently, I published a better version of my DNSCollector code I used to retrieve data from malicious and legitimate domains. I am publishing all the codes I have in my GitHub page from now on.