passive-dns-query-tool - pdnstool queries several passive dns databases

Project Information

Project feeds
Code license
GNU Lesser GPL
Labels
dns, security, Research

Members

1 committer

Featured

Downloads

pdnstool queries several passive DNS databases; DNSParse, ISC, BFK.de, and CERTEE; to return previously seen resource records (DNS answers). This is useful to security experts who wish to trace the relationships of domains and IP addresses over time.

Installation

The Passive DNS query tool can now be installed via RubyGems using the following command:

gem install passive-dns

It will install the required dependencies: json and sqlite3.

Configuration Files

DNSParse

The pdnstool looks for a configuration file for DNSParse to be located at $HOME/.dnsparse by default. It requires three items of information, one per line: the base URL, a username, and a password. E.g.,

https://dnsparse.wherever/query.php?submit=Search&format=json&querytext=
myusername
mypassword

ISC

The ISC configuration file is located at $HOME/.isc-dnsdb-query.conf by default. The format for its configuration file only requires one line in the following format:

APIKEY="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

To request an API Key, please email dnsdbAT isc.org.

CERTEE

CERT-EE does not require any configuration.

BFK.de

BFK.de does not require any configuration. However, please read and abide by their usage policy at BFK.de. Currently, it just says not to perform automated queries.

Usage

Usage: ./pdnstool.rb [-a|-b|-d|-i|-e] [-c|-x|-y|-j|-t] [-s <sep>] [-f <file>] [-r#|-w#|-l] <ip|domain|cidr>
  -a uses all of the available passive dns databases
  -b only use BFK
  -d only use DNSParse (default)
  -i only use ISC
  -e only use CERT-EE
  -g outputs a link-nodal GDF visualization definition
  -v outputs a link-nodal graphviz visualization definition
  -m output a link-nodal graphml visualization definition
  -c outputs CSV
  -x outputs XML
  -y outputs YAML
  -j outputs JSON
  -t outputs ASCII text (default)
  -s <sep> specifies a field separator for text output, default is tab
  -f[file] specifies a sqlite3 database used to read the current state - useful for large result sets and generating graphs of previous runs.
  -r# specifies the levels of recursion to pull. **WARNING** This is quite taxing on the pDNS servers, so use judiciously (never more than 3 or so) or find yourself blocked!
  -w# specifies the amount of time to wait, in seconds, between queries (Default: 0)
  -l outputs debugging information