DNS collector collection
Posted on Sun 20 October 2019 in Research
When I started to study Fast-Flux botnets in 2012, during my PhD, I was a bit lost as I didn't really know where to start from. I remember reading the 2007 paper Know Your Enemy: Fast-Flux Service Networks. At the time, Python and Java DNS libraries were pretty confusing to me. I was more confident with C and Perl, hence I had lots of code to parse DNS data from the Day in the Life of the Internet project.
To be honest, I got some inspiration from Duane Wessels and The Measurement Factory project. It was very challenging at that time. The majority of my code was based on the Perl library Net::DNS.
I decided to write a wrapper on top of Net::DNS, which I called Net::DNS::Simple; it made my life much easier. Trust me, parsing DNS traffic from dig output is neither easy nor fun.
With Net::DNS::Simple I could easily get the DNS sections by calling get_answer_section, get_authorative_section, and get_additional_section. Those sections provide the data used in many DNS research papers.
use strict;
use warnings;
use feature 'say';
use Net::DNS::Simple;

# resolver options passed through to Net::DNS
my %config = (
    nameservers => ['8.8.8.8', '8.8.4.4'],
    recurse     => 1,
    debug       => 0,
);

# query the A record for kaiux.com using the resolvers above
my $res = Net::DNS::Simple->new("kaiux.com", "A", %config);
#my $res = Net::DNS::Simple->new("yahoo.com", "A");

# print each record of the ANSWER section
foreach my $entry ($res->get_answer_section()) {
    say $entry;
}

# print all sections if needed
#print $res->print_domain();
During my research, I realized that not all DNS responses had AUTHORITY and ADDITIONAL sections, as the name servers of some domains had minimal responses enabled. To overcome that scenario, the solution is to loop over all NS-type records of the domain and query each name server for its A-type record.
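The NS-loop workaround described above, as an added example that is not part of the original post or of the Net::DNS::Simple module: it uses Net::DNS directly (Net::DNS::Resolver), assumes the same public resolvers and the kaiux.com domain from the code above, and only falls back to per-nameserver A queries when the AUTHORITY or ADDITIONAL section came back empty.

```perl
#!/usr/bin/perl
# Added example (not the post's own code): cope with minimal responses by
# rebuilding the nameserver picture from explicit NS and A queries.
use strict;
use warnings;
use feature 'say';
use Net::DNS;

my $domain = shift @ARGV // 'kaiux.com';    # domain used in the post
my $res = Net::DNS::Resolver->new(
    nameservers => ['8.8.8.8', '8.8.4.4'],  # same resolvers as the post
    recurse     => 1,
);

# Step 1: the A query; see whether AUTHORITY/ADDITIONAL were included.
my $a_pkt = $res->send($domain, 'A')
    or die "A query failed: ", $res->errorstring, "\n";
my @ans  = $a_pkt->answer;
my @auth = $a_pkt->authority;
my @add  = $a_pkt->additional;
say "A answer: ", scalar @ans, " RR(s); authority: ", scalar @auth,
    "; additional: ", scalar @add;

# Step 2: NS names from AUTHORITY if present, otherwise an explicit NS query.
my @ns_names = map { $_->nsdname } grep { $_->type eq 'NS' } @auth;
unless (@ns_names) {
    my $ns_pkt = $res->send($domain, 'NS')
        or die "NS query failed: ", $res->errorstring, "\n";
    @ns_names = map { $_->nsdname } grep { $_->type eq 'NS' } $ns_pkt->answer;
}

# Step 3: glue from ADDITIONAL when present, otherwise one A query per NS.
my %glue = map { lc($_->owner) => $_->address } grep { $_->type eq 'A' } @add;
for my $ns (sort @ns_names) {
    my @addrs = exists $glue{lc $ns} ? ($glue{lc $ns}) : ();
    unless (@addrs) {
        my $pkt = $res->send($ns, 'A');
        @addrs = map { $_->address } grep { $_->type eq 'A' } $pkt->answer
            if $pkt;
    }
    say "$domain NS $ns -> ", (@addrs ? join(', ', @addrs) : '(no A record)');
}
```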
Along with Net::DNS::Simple I wrote additional tools such as:
Net-DNS-Reputation-TeamCymru
Net-DNS-Reputation-HoneyProject
I am still cleaning up old code from my PhD research project. Recently, I published a better version of my DNSCollector code, which I used to retrieve data from malicious and legitimate domains. I am publishing all the code I have on my GitHub page from now on.