/*
* Copyright (c) 2014-2021 by Farsight Security, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
Table of Contents:
* Introduction
* Dependencies needed
* Installing dependencies
* Building and installing
* Getting Started
* Background on ASINFO/CIDR lookups and annotations
Introduction:
This is a pure C99 program that accesses passive DNS database
systems such as:
* the DNSDB API server at Farsight Security
* the CIRCL pDNS server at Computer Incident Response Center
(LU)
An API key is required for operation. The command syntax was
inspired by a python script called dnsdb_query, but significant
departure has occurred, largely inspired by a modern understanding
of "time fencing" and a desire for new features such as CSV output
and JSON reprocessing.
NOTE: Prior to version 2.5.3, the default pDNS system supported
was Farsight Security APIv1, and it was called "dnsdb". As of
version 2.5.3, the default system is Farsight Security APIv2 and
system "dnsdb2" is synonymous with "dnsdb". For APIv1, specify
"dnsdb1" using the command line -u option or the DNSDBQ_SYSTEM
variable.
Dependencies needed:
jansson (2.5 or later)
libcurl (7.28 or later)
modern compiler (clang or GCC)
Installing dependencies:
On Debian 8 Linux:
apt-get install libcurl4-openssl-dev
apt-get install libjansson-dev
On CentOS 6 Linux:
# Based on PHP instructions for installing libcurl...
wget http://curl.haxx.se/download/curl-7.28.1.tar.gz
tar xvzf curl-7.28.1.tar.gz
cd curl-7.28.1/
./configure --with-libssh2 --enable-ares=/usr/local/ --enable-ipv6
make
make install
# lib jansson
wget http://www.digip.org/jansson/releases/jansson-2.5.tar.gz
tar -xpzf jansson-2.5.tar.gz
cd jansson-2.5
./configure
make
make install
echo /usr/local/lib >> /etc/ld.so.conf.d/local.conf
ldconfig
On CentOS 7 Linux:
yum install libcurl-devel.x86_64
yum install jansson-devel.x86_64
yum install centos-release-scl
yum install devtoolset-8
scl enable devtoolset-8 bash
# do the build from that bash
On CentOS / AlmaLinux / Rocky Linux 8:
dnf install gcc jansson.x86_64 jansson-devel.x86_64 libcurl-devel.x86_64
On FreeBSD 10:
pkg install curl jansson
On macOS:
brew install jansson
On Amazon Linux 2023 (AWS EC2):
# A plain vanilla Amazon Linux AMI comes with curl-minimal, and 'make' will
# fail with an error that curl/curl.h is not found. Installing the following packages
# will allow dnsdbq to compile on a fresh Amazon Linux 2023 AMI:
yum install make
yum install git
yum install gcc
yum install libcurl-devel
yum install jansson-devel
Building and installing:
(Assumes you have "git")
git clone https://github.com/dnsdb/dnsdbq.git
cd dnsdbq
make install clean
On FreeBSD, you may need to remove -lresolv in the LIBS line of
the Makefile.
On macOS on Apple M1 processors, Homebrew now defaults to be
installed in /opt/homebrew instead of /usr/local. If that is the
case on your system, in the Makefile, uncomment the line
#JANSBASE=/opt/homebrew
On macOS, if you want an almost static dnsdbq binary, that is, one
with minimal non-System library dependencies, you can rebuild
dnsdbq with a static jansson library. That binary could then be
deployed on any identical macOS version and architecture.
1. Find the static jansson library, probably as installed by brew
/usr/local/lib/libjansson.a or /opt/homebrew/lib/libjansson.a
2. Change the Makefile's line
JANSLIBS = -L$(JANSBASE)/lib -ljansson
to instead specify the static library location, probably to:
JANSLIBS = $(JANSBASE)/lib/libjansson.a
3. Then run make
Getting Started:
Add the API key to ~/.dnsdb-query.conf in the format given below:
APIKEY="YOURAPIKEYHERE"
If you're interested in purchasing a Farsight DNSDB subscription,
please contact sales@farsightsecurity.com. Farsight also has a
grant program for selected researchers, investigative journalists,
and cybersecurity workers at some public benefit non-profits.
See https://www.farsightsecurity.com/grant-access/
Here's an example query and output after dnsdbq is compiled:
$ ./dnsdbq -r farsightsecurity.com/A -l 1
;; record times: 2013-09-25 15:37:03 .. 2015-04-01 06:17:25 (~1y ~187d)
;; count: 6350; bailiwick: farsightsecurity.com.
farsightsecurity.com. A 66.160.140.81
Background on ASINFO/CIDR lookups and annotations:
Annotating IP addresses with ASN information can help an analyst
focus their attention on unusual or unexpected ASNs (for example,
perhaps a domestic US corporation's IP address inexplicably ended
up being originated by a foreign consumer ISP).
This code has been tested against three sources of ASN information,
each of which is a valid argument to the -D parameter.
1. asn.routeviews.org (the default value for the -D parameter).
Given an IPv4 in reverse order, this returns a space
separated three-tuple:
"ASN" "CIDR prefix" "prefix length"
For badly formatted addresses, it returns:
"4294967295" "0" "0"
For unknown addresses, it returns no answers.
Examples:
$ dig +short 34.168.254.125.asn.routeviews.org TXT
"23724" "125.254.168.0" "21"
$ dig +short a.b.c.d.asn.routeviews.org TXT
"4294967295" "0" "0"
$ dig +short 0.0.0.128.aspath.routeviews.org TXT
$
2. aspath.routeviews.org
The same as asn.routeviews.org, except it returns a
three-tuple: AS path, CIDR prefix, prefix length.
Examples:
$ dig +short 0.0.0.4.aspath.routeviews.org TXT
"3303 3356" "4.0.0.0" "9"
3. origin.asn.cymru.com
Given an IPv4 in reverse order, this returns a pipe-separated
five-tuple:
ASN | CIDR prefix/prefix length | CC | Registry | Allocated date
Example:
$ dig +short 0.0.0.4.origin.asn.cymru.com TXT
"3356 | 4.0.0.0/9 | US | arin | 1992-12-01"
Function asinfo_from_dns() in asinfo.c has specific code to parse
those formats. asn.routeviews.org and aspath.routeviews.org do
not currently handle IPv6 addresses properly, so dnsdbq does not
support IPv6 annotation now.
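The three TXT answer formats listed above can be exercised without network access. The following is an added example, not dnsdbq's own asinfo.c: it builds the reverse-octet query name for an IPv4 address and parses the routeviews three-tuple (including the "4294967295" "0" "0" sentinel for malformed input) and the Team Cymru five-tuple. The sample TXT strings are constructed from the dig output shown above, and the function names asinfo_query_name, parse_routeviews and parse_cymru are the example's own.

```c
/* Added example (not dnsdbq's asinfo.c): build reverse-octet query
 * names and parse the TXT answer formats documented above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASN_BAD 4294967295UL  /* routeviews sentinel for a badly formatted address */

struct asinfo {
    char asn[64];      /* ASN or AS path, e.g. "23724" or "3303 3356" */
    char prefix[40];   /* CIDR prefix, e.g. "125.254.168.0" */
    unsigned plen;     /* prefix length */
    int valid;         /* 0 when the answer is the "bad address" sentinel */
};

/* Reverse the octets of a dotted quad and append the zone name.
 * Returns 0 on success, -1 if ip is not a well-formed IPv4 address. */
int asinfo_query_name(const char *ip, const char *zone, char *out, size_t outlen) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s", d, c, b, a, zone);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Copy the next "quoted" token from *p into buf and advance *p past it.
 * Returns 0 on success, -1 if no well-formed token remains. */
static int next_quoted(const char **p, char *buf, size_t n) {
    const char *s = *p;
    while (*s == ' ' || *s == '\t') s++;
    if (*s != '"') return -1;
    const char *e = strchr(++s, '"');
    if (e == NULL || (size_t)(e - s) >= n) return -1;
    memcpy(buf, s, (size_t)(e - s));
    buf[e - s] = '\0';
    *p = e + 1;
    return 0;
}

/* Parse the routeviews three-tuple: "ASN or AS path" "prefix" "length".
 * An empty answer (unknown address) never reaches here; the sentinel
 * "4294967295" "0" "0" is parsed but flagged as not valid. */
int parse_routeviews(const char *txt, struct asinfo *out) {
    char len[8];
    memset(out, 0, sizeof *out);
    if (next_quoted(&txt, out->asn, sizeof out->asn) != 0) return -1;
    if (next_quoted(&txt, out->prefix, sizeof out->prefix) != 0) return -1;
    if (next_quoted(&txt, len, sizeof len) != 0) return -1;
    out->plen = (unsigned)strtoul(len, NULL, 10);
    out->valid = (strtoul(out->asn, NULL, 10) != ASN_BAD);
    return 0;
}

/* Strip leading and trailing blanks in place; returns the trimmed start. */
static char *trim(char *s) {
    while (*s == ' ') s++;
    char *e = s + strlen(s);
    while (e > s && e[-1] == ' ') *--e = '\0';
    return s;
}

/* Parse the Team Cymru five-tuple "ASN | prefix/len | CC | Registry | date". */
int parse_cymru(const char *txt, struct asinfo *out) {
    char buf[256], *f[5], *p;
    size_t n = strlen(txt), i = 0;
    memset(out, 0, sizeof *out);
    if (n < 2 || txt[0] != '"' || txt[n - 1] != '"' || n - 2 >= sizeof buf) return -1;
    memcpy(buf, txt + 1, n - 2);
    buf[n - 2] = '\0';
    for (p = buf; i < 5; ) {          /* split on '|' into exactly five fields */
        char *bar = strchr(p, '|');
        f[i++] = p;
        if (bar == NULL) break;
        *bar = '\0';
        p = bar + 1;
    }
    if (i != 5) return -1;
    for (size_t k = 0; k < 5; k++) f[k] = trim(f[k]);
    char *slash = strchr(f[1], '/');
    if (slash == NULL) return -1;
    *slash = '\0';
    snprintf(out->asn, sizeof out->asn, "%s", f[0]);
    snprintf(out->prefix, sizeof out->prefix, "%s", f[1]);
    out->plen = (unsigned)strtoul(slash + 1, NULL, 10);
    out->valid = 1;
    return 0;
}

int main(void) {
    char qname[128];
    struct asinfo ai;
    /* Constructed inputs, taken from the dig examples in this README. */
    asinfo_query_name("125.254.168.34", "asn.routeviews.org", qname, sizeof qname);
    printf("query: %s TXT\n", qname);
    parse_routeviews("\"23724\" \"125.254.168.0\" \"21\"", &ai);
    printf("AS%s %s/%u valid=%d\n", ai.asn, ai.prefix, ai.plen, ai.valid);
    parse_routeviews("\"4294967295\" \"0\" \"0\"", &ai);
    printf("sentinel valid=%d\n", ai.valid);
    parse_cymru("\"3356 | 4.0.0.0/9 | US | arin | 1992-12-01\"", &ai);
    printf("AS%s %s/%u\n", ai.asn, ai.prefix, ai.plen);
    return 0;
}
```

Note that an unknown address yields no TXT answer at all, which a caller distinguishes from the sentinel by the absence of any string to parse; the `valid` flag only covers the sentinel case.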
There is a complication that arises when doing that sort of IP to
ASN mapping, however: publicly available IP to ASN zones are
based on currently observed IP to ASN mappings, while the IPs that
are being mapped may have been seen in passive DNS months or even
years earlier, when that IP may have been originated by a
different ASN.
Often the IP to ASN mappings are quite static, in which case
historical IPs will map just fine using the current IP to ASN
data. On the other hand, some IPs may have been hijacked and used
without authorization, or transferred, or otherwise ended up going
from one ASN to another.
Therefore the IP to ASN mapping should be viewed as an
experimental best effort feature, and interpreted with care.
In addition to the issue of potential ASN misalignment, the size
and origin of the reported origin IP and prefix length may also
have changed over time. For example, a /19 may have been
de-aggregated into a set of more specific /24's. Again, we report
the state of the world as it is currently seen by the service used
for the IP to ASN mapping.
Other miscellaneous notes:
* dnsdbq does not support mapping IPv6 addresses to ASNs at this
time.
* In the case of Multiple Origin ASNs, typically IP to ASN
services will report one of the multiple ASNs; other origin
ASNs may also exist but not be reported.
* We do not map ASNs to their owner or the owner description
string. Please see WHOIS for information about the entity
currently assigned a given ASN.
We welcome feedback on this feature. Do you use it and find it
useful? Are there IP-to-ASN service providers we've inadvertently
omitted? Share your feedback by writing
<support@farsightsecurity.com>.