rDNS Database
There is lots of interesting information stored in DNS servers. You can glean quite a bit of information about an organisation from the hostnames it has assigned on its network. I thought it might be interesting to take a netblock (say, 15.0.0.0/8) and get the reverse DNS of every IP within that block.
Most reverse DNS servers, much like forward DNS servers, are configured not to allow zone transfers. This means that gathering the reverse DNS values for a large number of IPs cannot be done without some wrangling.
I've written a script, based on an example Perl script in the Net::DNS documentation, to do mass rDNS lookups on a given netblock. It uses a MySQL database to store the results, as well as to track the progress of the scanning of the various ranges.
The Data
PLEASE NOTE: This data may not include every IP address allocated to the organisation stated.
- Highwinds Network Group Backbone (81.171.32.0/19)
- Earthlink (209.86.0.0/16)
- Zen Internet (82.68.0.0/14)
- AOL Inc (64.12.0.0/16)
- US Army (143.69.0.0/16)
- Sun Microsystems (72.5.124.0/23)
- Google Inc (216.239.32.0/19)
- DRA Malvern MoD UK (192.5.30.0/24)
- PlusNet plc (212.159.0.0/19)
- BBC Internet Service (212.58.224.0/19)
- Energis UK (195.92.0.0/16)
- Microsoft Corp (207.46.0.0/16)
- Tiscali UK Ltd (212.74.96.0/19)
- EasyNet UK (87.80.0.0/13)
- (NEW) O2 UK Online (82.132.128.0/20)
- (NEW) Corix (London) (85.13.248.0/21)
- (NEW) AT&T IDC UK (195.33.96.0/19)
The Script
The main script that does the lookups is based on this Bulk Reverse DNS script from the Geek Pit.
I've modified it to talk to a MySQL server instead of simply printing the results. It also automatically assigns itself a task depending on what's in the queue of jobs in the database (the table `ranges`).
Each range can have any of 4 states:
- Not Started
- Stopped
- In Progress
- Done
If for some reason the perl script netdns.pl is sent a kill signal, it will attempt to set the range it was working on to "stopped".
The full perl script I use can be downloaded: naxxdns.pl. For whatever it's worth. It's pretty hackish and could be a lot better.
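As an added example (not the post's own naxxdns.pl, which is Perl), here is the same range-queue behaviour in Python: a worker claims a Not Started or Stopped range, resolves every IP with a per-query sleep (the post's 25 ms) so the local resolver is not flooded, checkpoints its progress, and marks the range Stopped on a kill signal so a later run resumes where it left off. It assumes SQLite in place of MySQL, a `lookup(ip)` callable in place of Net::DNS, and a constructed CONSTRUCTED_RDNS table in place of real reverse lookups; the numeric status codes are also an assumption (the post's PHP treats 1 as the running state).

```python
import ipaddress, itertools, signal, sqlite3, time

NOT_STARTED, IN_PROGRESS, STOPPED, DONE = 0, 1, 2, 3   # the post's four range states (codes assumed)
CONSTRUCTED_RDNS = {"192.0.2.1": "gw.example.net", "192.0.2.5": "mail.example.net"}  # constructed, TEST-NET-1

def make_db():
    """In-memory SQLite stand-in (an assumption) for the post's MySQL `ranges` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ranges (id INTEGER PRIMARY KEY, network TEXT, status INTEGER, checked INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE rdns (ip TEXT PRIMARY KEY, host TEXT)")
    return db

def claim_range(db):
    """Take the oldest Not Started or Stopped range, mark it In Progress, return (id, network)."""
    row = db.execute("SELECT id, network FROM ranges WHERE status IN (?, ?) ORDER BY id LIMIT 1",
                     (NOT_STARTED, STOPPED)).fetchone()
    if row is not None:
        db.execute("UPDATE ranges SET status=? WHERE id=?", (IN_PROGRESS, row[0]))
        db.commit()
    return row

def stop_flag():
    """Callable that becomes true once SIGTERM arrives (the post's kill-signal case)."""
    hits = []
    signal.signal(signal.SIGTERM, lambda signum, frame: hits.append(signum))
    return lambda: bool(hits)

def scan_range(db, lookup, delay=0.025, stop=None):
    """Resolve every IP of one claimed range with lookup(ip) -> hostname or None, sleeping `delay`
    seconds per query so the resolver is not flooded. Returns DONE, STOPPED, or None if nothing is queued."""
    claimed = claim_range(db)
    if claimed is None:
        return None
    rid, network = claimed
    checked = db.execute("SELECT checked FROM ranges WHERE id=?", (rid,)).fetchone()[0]
    for ip in itertools.islice(ipaddress.ip_network(network), checked, None):  # resume after a checkpoint
        if stop is not None and stop():  # killed: leave the range resumable
            db.execute("UPDATE ranges SET status=? WHERE id=?", (STOPPED, rid))
            db.commit()
            return STOPPED
        host = lookup(str(ip))
        if host:
            db.execute("INSERT OR REPLACE INTO rdns VALUES (?, ?)", (str(ip), host))
        checked += 1
        db.execute("UPDATE ranges SET checked=? WHERE id=?", (checked, rid))  # checkpoint progress
        time.sleep(delay)
    db.execute("UPDATE ranges SET status=? WHERE id=?", (DONE, rid))
    db.commit()
    return DONE
```

For a real run, `lookup` would wrap a PTR query against your own resolver and return None on NXDOMAIN or timeout, and `stop=stop_flag()` wires the Stopped transition to SIGTERM.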
I've written a very simple PHP frontend to the database which uses AJAX to display the number of IPs scanned and an estimated time to completion.
Here's a snippet that shows how I work out the estimated time remaining:
$total_ips = pow(2, (32 - $row['network']));               // IPs in the range, from its prefix length
$progress  = number_format($checked);
$percent   = round((($checked + 1) / $total_ips), 3);       // fraction of the range done so far
$start_time = $row['start_time'];
if ($row['status'] == 1) {
    $insession = $row['session']; // number of IPs checked since the current session started
    // ...
    if ($start_time != 0 && $insession > 0) {               // avoid dividing by zero before the first lookup
        $elapsed    = time() - $start_time;                 // seconds since this session started
        $average    = $elapsed / $insession;                // seconds per IP
        $completion = intval(($total_ips - $checked) * $average); // estimated seconds remaining
    }
}
Performance
As mentioned above, the script isn't at all tuned. However, it achieves at least 100 or so lookups per second from each process. One process can scan a /18 network in approximately 25 minutes. A /12 takes about 6 hours. The execution time is, of course, linear in the size of the range.
It should be noted that before modifying the script not to output every result via stdout, the speed was much lower. Writing to a terminal takes a long time!
What I have had problems with is my nameserver being DoSed by so many requests; making the script sleep for 25 milliseconds between lookups seems to have solved that issue. Since I want to go for factual accuracy as much as possible, I want to continue using my own nameserver rather than someone else's. This way I can be assured that my DNS cache is not being poisoned.
However, in the future I could use two or more nameservers to distribute the load. Whether this will actually speed up the process or not is unknown at the moment.
Analysis of Dataset
I've been thinking of what kinds of analysis to run on the data. If you come up with an interesting use for the data, send me an email at naxxtor (AT] hackervoice dot co dot uk. If you would like the full database files (in MySQL format) drop me a line and I'll see what we can do.