[dns-operations] [Off-topic] DNS dataset for academic research

Paul Vixie paul at redbarn.org
Thu Apr 18 22:14:24 UTC 2013



Kaio Rafael wrote:
> Hi,
>
> I am looking for a DNS dataset for academic research. I have been
> studying .BR DNS dataset (DITL 2008 on DNS-OARC servers), however, I
> would like to investigate more recent traffic.

do you know about the Security Information Exchange? http://sie.isc.org/
has details.

>
> I am a PhD candidate at Federal University of Amazonas (Brazilian
> state), and my research concerns how DNS traffic can be used to
> identify Botnets.

here is one message, out of a flow of tens of thousands per second, from
SIE Channel 202, displayed in ASCII (which is not useful other than for
demos like this -- you'll want to write code in Python, Perl, or C to
actually process it.) i've anonymized the questioner IP, answerer IP,
and sensor ID (xxx, yyy, and zzz below), leaving only information that's
safely shared in public:


root at hb:/var/tmp # nmsgtool -V isc -T dnsqr -C ch202 -c 1
[237] [2013-04-18 22:09:28.307429000] [1:9 ISC dnsqr] [zzz] [] []
type: UDP_QUERY_RESPONSE
query_ip: xxx
response_ip: yyy
proto: UDP (17)
query_port: 37910
response_port: 53
id: 60999
qname: 73.143.122.74.in-addr.arpa.
qclass: IN (1)
qtype: PTR (12)
rcode: SERVFAIL (2)
delay: 0.036673
udp_checksum: CORRECT
query: [44 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 60999
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;73.143.122.74.in-addr.arpa. IN PTR

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
---
response: [44 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 60999
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;73.143.122.74.in-addr.arpa. IN PTR

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
---

paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130418/e423d572/attachment.html>


More information about the dns-operations mailing list