mirror of
https://github.com/adulau/pdns-qof.git
synced 2024-11-21 17:47:10 +00:00
Compare commits
5 commits
6f06da5bfb
...
7863b019e8
| Author | SHA1 | Date | |
|---|---|---|---|
7863b019e8
|
|||
|
8f3b8cf443
|
|||
|
24bf267e05
|
|||
| 0e7b9f2f52 | |||
|
83a2c5eb23 |
3 changed files with 42 additions and 42 deletions
BIN
i-d/pdns-qof.pdf
BIN
i-d/pdns-qof.pdf
Binary file not shown.
|
|
@ -20,11 +20,11 @@ Expires: 29 October 2024
|
|||
Abstract
|
||||
|
||||
This document describes a common output format of Passive DNS Servers
|
||||
which clients can query. The output format description includes also
|
||||
in addition a common semantic for each Passive DNS system. By having
|
||||
multiple Passive DNS Systems adhere to the same output format for
|
||||
queries, users of multiple Passive DNS servers will be able to
|
||||
combine result sets easily.
|
||||
that clients can query. The output format description also includes
|
||||
a common semantic for each Passive DNS system. By having multiple
|
||||
Passive DNS Systems adhere to the same output format for queries,
|
||||
users of multiple Passive DNS servers will be able to combine result
|
||||
sets easily.
|
||||
|
||||
Status of This Memo
|
||||
|
||||
|
|
@ -118,20 +118,20 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
|||
|
||||
Passive DNS is a technique described by Florian Weimer in 2005 in
|
||||
Passive DNS replication, F Weimer - 17th Annual FIRST Conference on
|
||||
Computer Security [WEIMERPDNS]. Since then multiple Passive DNS
|
||||
implementations were created and evolved over time. Users of these
|
||||
Passive DNS servers may query a server (often via WHOIS [RFC3912] or
|
||||
HTTP REST [REST]), parse the results and process them in other
|
||||
applications.
|
||||
Computer Security [WEIMERPDNS]. Since then, multiple Passive DNS
|
||||
implementations were created and have evolved over time. Users of
|
||||
these Passive DNS servers may query a server (often via WHOIS
|
||||
[RFC3912] or HTTP REST [REST]), parse the results, and process them
|
||||
in other applications.
|
||||
|
||||
There are multiple implementations of Passive DNS software. Users of
|
||||
passive DNS query each implementation and aggregate the results for
|
||||
Passive DNS query each implementation and aggregate the results for
|
||||
their search. This document describes the output format of four
|
||||
Passive DNS Systems ([DNSDB], [DNSDBQ], [PDNSCERTAT], [PDNSCIRCL] and
|
||||
[PDNSCOF]) which are in use today and which already share a nearly
|
||||
[PDNSCOF]) that are in use today and that already share a nearly
|
||||
identical output format. As the format and the meaning of output
|
||||
fields from each Passive DNS need to be consistent, we propose in
|
||||
this document a solution to commonly name each field along with their
|
||||
fields from each Passive DNS need to be consistent, this document
|
||||
proposes a solution to commonly name each field along with its
|
||||
corresponding interpretation. The format follows a simple key-value
|
||||
structure in JSON [RFC4627] format. The benefit of having a
|
||||
consistent Passive DNS output format is that multiple client
|
||||
|
|
@ -141,8 +141,8 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
|||
standardization. The document does not describe the protocol (e.g.
|
||||
WHOIS [RFC3912], HTTP REST [REST]) nor the query format used to query
|
||||
the Passive DNS. Neither does this document describe "pre-recursor"
|
||||
Passive DNS Systems. Both of these are separate topics and deserve
|
||||
their own RFC document. The document describes the current best
|
||||
Passive DNS Systems. Each of these are separate topics and deserve
|
||||
their own RFC documents. This document describes the current best
|
||||
practices implemented in various Passive DNS server implementations.
|
||||
|
||||
1.1. Requirements Language
|
||||
|
|
@ -153,15 +153,15 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
|||
|
||||
2. Limitation
|
||||
|
||||
As a Passive DNS servers can include protection mechanisms for their
|
||||
As Passive DNS servers can include protection mechanisms for their
|
||||
operation, results might be different due to those protection
|
||||
measures. These mechanisms filter out DNS answers if they fail some
|
||||
criteria. The bailiwick algorithm [BAILIWICK] protects the Passive
|
||||
DNS Database from cache poisoning attacks [CACHEPOISONING]. Another
|
||||
limitation that clients querying the database need to be aware of is
|
||||
that each query simply gets a snapshot-answer of the time of
|
||||
querying. Clients MUST NOT rely on consistent answers. Nor must
|
||||
they assume that answers must be identical across multiple Passive
|
||||
that each query simply gets a snapshot-in-time answer at the time of
|
||||
querying. Clients MUST NOT rely on existing answers from different
|
||||
Passive DNS database. Nor should they assume that answers will be
|
||||
|
||||
|
||||
|
||||
|
|
@ -170,7 +170,7 @@ Dulaunoy, et al. Expires 29 October 2024 [Page 3]
|
|||
Internet-Draft Passive DNS - Common Output Format April 2024
|
||||
|
||||
|
||||
DNS Servers.
|
||||
identical across multiple Passive DNS Servers.
|
||||
|
||||
3. Common Output Format
|
||||
|
||||
|
|
@ -226,9 +226,9 @@ Dulaunoy, et al. Expires 29 October 2024 [Page 4]
|
|||
Internet-Draft Passive DNS - Common Output Format April 2024
|
||||
|
||||
|
||||
Note that value is defined in JSON [RFC4627] and has the exact same
|
||||
Note that value is defined in JSON [RFC4627] and has the same
|
||||
specification as there. The same goes for the definition of string.
|
||||
Note the changed definition of ws dows not include CR or LF as those
|
||||
Note the changed definition of ws does not include CR or LF as those
|
||||
are NOT allowed in NDJSON, and thus the definition here MUST be used
|
||||
for other ABNF defitions in JSON [RFC4627].
|
||||
|
||||
|
|
@ -433,7 +433,7 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
|||
|
||||
6. Privacy Considerations
|
||||
|
||||
Passive DNS Servers capture DNS answers from multiple collecting
|
||||
Passive DNS Servers capture DNS answers from multiple collection
|
||||
points ("sensors") which are located on the Internet-facing side of
|
||||
DNS recursors ("post-recursor passive DNS"). In this process, they
|
||||
intentionally omit the source IP, source port, destination IP and
|
||||
|
|
@ -451,15 +451,15 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
|||
|
||||
|
||||
Servers are able to find out much about the actual person querying
|
||||
the DNS records nor who actually sent the query. In this sense,
|
||||
passive DNS Servers are similar to keeping an archive of all previous
|
||||
phone books - if public DNS records can be compared to phone numbers
|
||||
- as they often are. Nevertheless, the authors strongly encourage
|
||||
Passive DNS implementors to take special care of privacy issues.
|
||||
bortzmeyer-dnsop-dns-privacy is an excellent starting point for this.
|
||||
Finally, the overall recommendations in RFC6973 [RFC6973] should be
|
||||
taken into consideration when designing any application which uses
|
||||
Passive DNS data.
|
||||
the DNS records. In this sense, passive DNS Servers are similar to
|
||||
keeping an archive of all previous phone books - if public DNS
|
||||
records can be compared to phone numbers - as they often are.
|
||||
Nevertheless, the authors strongly encourage Passive DNS implementors
|
||||
to take special care of privacy issues. bortzmeyer-dnsop-dns-privacy
|
||||
is an excellent starting point for this. Finally, the overall
|
||||
recommendations in RFC6973 [RFC6973] should be taken into
|
||||
consideration when designing any application which uses Passive DNS
|
||||
data.
|
||||
|
||||
In the scope of the General Data Protection Regulation (GDPR -
|
||||
Directive 95/46/EC), operators of Passive DNS Server needs to ensure
|
||||
|
|
|
|||
|
|
@ -144,21 +144,21 @@
|
|||
|
||||
|
||||
<abstract>
|
||||
<t>This document describes a common output format of Passive DNS Servers which clients can query. The output format description includes also in addition a common semantic for each Passive DNS system. By having multiple Passive DNS Systems adhere to the same output format for queries, users of multiple Passive DNS servers will be able to combine result sets easily.</t>
|
||||
<t>This document describes a common output format of Passive DNS Servers that clients can query. The output format description also includes a common semantic for each Passive DNS system. By having multiple Passive DNS Systems adhere to the same output format for queries, users of multiple Passive DNS servers will be able to combine result sets easily.</t>
|
||||
</abstract>
|
||||
</front>
|
||||
|
||||
<middle>
|
||||
<section title="Introduction">
|
||||
<t>Passive DNS is a technique described by Florian Weimer in 2005 in <xref target="WEIMERPDNS">Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security</xref>. Since then multiple Passive DNS implementations were created and evolved over time. Users of these Passive DNS servers may query a server (often via <xref target="RFC3912">WHOIS</xref> or HTTP <xref target="REST">REST</xref>), parse the results and process them in other applications.</t>
|
||||
<t>Passive DNS is a technique described by Florian Weimer in 2005 in <xref target="WEIMERPDNS">Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security</xref>. Since then, multiple Passive DNS implementations were created and have evolved over time. Users of these Passive DNS servers may query a server (often via <xref target="RFC3912">WHOIS</xref> or HTTP <xref target="REST">REST</xref>), parse the results, and process them in other applications.</t>
|
||||
<t>
|
||||
There are multiple implementations of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of four Passive DNS Systems (<xref target="DNSDB"/>, <xref target="DNSDBQ"/>, <xref target="PDNSCERTAT"/>, <xref target="PDNSCIRCL"/> and <xref target="PDNSCOF"/>) which are in use today and which already share a nearly identical output format.
|
||||
There are multiple implementations of Passive DNS software. Users of Passive DNS query each implementation and aggregate the results for their search. This document describes the output format of four Passive DNS Systems (<xref target="DNSDB"/>, <xref target="DNSDBQ"/>, <xref target="PDNSCERTAT"/>, <xref target="PDNSCIRCL"/> and <xref target="PDNSCOF"/>) that are in use today and that already share a nearly identical output format.
|
||||
|
||||
As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format follows a simple key-value structure in <xref target="RFC4627">JSON</xref> format.
|
||||
As the format and the meaning of output fields from each Passive DNS need to be consistent, this document proposes a solution to commonly name each field along with its corresponding interpretation. The format follows a simple key-value structure in <xref target="RFC4627">JSON</xref> format.
|
||||
The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each
|
||||
individual server. <xref target="PDNSCLIENT">passivedns-client</xref> currently implements multiple parsers due to a lack of standardization.
|
||||
|
||||
The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</xref>, HTTP <xref target="REST">REST</xref>) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. Both of these are separate topics and deserve their own RFC document. The document describes the current best practices implemented in various Passive DNS server implementations.
|
||||
The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</xref>, HTTP <xref target="REST">REST</xref>) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. Each of these are separate topics and deserve their own RFC documents. This document describes the current best practices implemented in various Passive DNS server implementations.
|
||||
</t>
|
||||
|
||||
<section title="Requirements Language">
|
||||
|
|
@ -170,9 +170,9 @@ The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</
|
|||
</section>
|
||||
|
||||
<section title="Limitation">
|
||||
<t> As a Passive DNS servers can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The <xref target="BAILIWICK">bailiwick algorithm</xref> protects the Passive DNS Database from <xref target="CACHEPOISONING">cache poisoning attacks</xref>.
|
||||
<t> As Passive DNS servers can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The <xref target="BAILIWICK">bailiwick algorithm</xref> protects the Passive DNS Database from <xref target="CACHEPOISONING">cache poisoning attacks</xref>.
|
||||
|
||||
Another limitation that clients querying the database need to be aware of is that each query simply gets a snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers. Nor must they assume that answers must be identical across multiple Passive DNS Servers.
|
||||
Another limitation that clients querying the database need to be aware of is that each query simply gets a snapshot-in-time answer at the time of querying. Clients MUST NOT rely on existing answers from different Passive DNS database. Nor should they assume that answers will be identical across multiple Passive DNS Servers.
|
||||
</t>
|
||||
</section>
|
||||
<section title="Common Output Format">
|
||||
|
|
@ -206,7 +206,7 @@ ws = *(
|
|||
)
|
||||
|
||||
]]></artwork></figure>
|
||||
<t>Note that value is defined in <xref target="RFC4627">JSON</xref> and has the exact same specification as there. The same goes for the definition of string. Note the changed definition of ws dows not include CR or LF as those are NOT allowed in NDJSON, and thus the definition here MUST be used for other ABNF defitions in <xref target="RFC4627">JSON</xref>.</t>
|
||||
<t>Note that value is defined in <xref target="RFC4627">JSON</xref> and has the same specification as there. The same goes for the definition of string. Note the changed definition of ws does not include CR or LF as those are NOT allowed in NDJSON, and thus the definition here MUST be used for other ABNF defitions in <xref target="RFC4627">JSON</xref>.</t>
|
||||
</section>
|
||||
<section title="Mandatory Fields">
|
||||
<t>Implementation MUST support all the mandatory fields.</t>
|
||||
|
|
@ -297,7 +297,7 @@ ws = *(
|
|||
</section>
|
||||
|
||||
<section anchor="Privacy" title="Privacy Considerations">
|
||||
<t>Passive DNS Servers capture DNS answers from multiple collecting points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records nor who actually sent the query. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are.
|
||||
<t>Passive DNS Servers capture DNS answers from multiple collection points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are.
|
||||
|
||||
Nevertheless, the authors strongly encourage Passive DNS implementors to take special care of privacy issues. bortzmeyer-dnsop-dns-privacy is an excellent starting point for this.
|
||||
Finally, the overall recommendations in <xref target="RFC6973">RFC6973</xref> should be taken into consideration when designing any application which uses Passive DNS data.</t>
|
||||
|
|
|
|||
Loading…
Reference in a new issue