]> CIRCL

41, avenue de la gare Luxembourg L-1611 Luxembourg (+352) 247 88444 alexandre.dulaunoy@circl.lu http://www.circl.lu/

CERT.at

Karlsplatz 1/2/9 Vienna A-1010 Austria +43 1 5056416 78 kaplan@cert.at http://www.cert.at/

Farsight Security, Inc.

11400 La Honda Road Woodside California 94062 U.S.A. paul@redbarn.org https://www.farsightsecurity.com/

Farsight Security, Inc.

11400 La Honda Road Woodside California 94062 U.S.A. +1 650 542-7836 henry@stern.ca https://www.farsightsecurity.com/

General Internet Engineering Task Force dns This document describes a common output format of Passive DNS Servers which clients can query. The output format description includes also in addition a common semantic for each Passive DNS system. By having multiple Passive DNS Systems adhere to the same output format for queries, users of multiple Passive DNS servers will be able to combine result sets easily.

Passive DNS is a technique described by Florian Weimer in 2005 in Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security. Since then multiple Passive DNS implementations were created and evolved over time. Users of these Passive DNS servers may query a server (often via WHOIS or HTTP REST), parse the results and process them in other applications. There are multiple implementations of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of four Passive DNS Systems (, , and ) which are in use today and which already share a nearly identical output format. As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format follows a simple key-value structure in JSON format. The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each individual server. passivedns-client currently implements multiple parsers due to a lack of standardization. The document does not describe the protocol (e.g. WHOIS, HTTP REST) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. Both of these are separate topics and deserve their own RFC document.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

As a Passive DNS servers can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The bailiwick algorithm protects the Passive DNS Database from cache poisoning attacks. Another limitation that clients querying the database need to be aware of is that each query simply gets a snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers. Nor must they assume that answers must be identical across multiple Passive DNS Servers.

The formatting of the answer follows the JSON format. The order of the fields is not significant for the same resource type. The intent of this output format is to be easily parsable by scripts. Each JSON object is expressed on a single line to be processed by the client line-by-line. Every implementation MUST support the JSON output format. Examples of JSON output are in the appendix.

Formal grammar as defined in ABNF

Note that value is defined in JSON and has the exact same specification as there. The same goes for the definition of string.

Implementation MUST support all the mandatory fields. Uniqueness property: the tuple (rrname,rrtype,rdata) will always be unique within one answer per server. While rrname and rrtype are always individual JSON primitive types (strings, numbers, booleans or null), rdata MAY be an array as defined in JSON. Implementors of this draft MUST be able to deal with rdata being returned as JSON array or alternatively as a JSON string.

This field returns the name of the queried resource.

This field returns the resource record type as seen by the passive DNS. The key is rrtype and the value is in the interpreted record type. If the value cannot be interpreted the decimal value is returned following the principle of transparency as described in RFC 3597. The resource record type can be any values as described by IANA in the DNS parameters document in the section 'DNS Label types' (http://www.iana.org/assignments/dns-parameters). Currently known and supported textual descriptions of rrtypes are: A, AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6. A client MUST be able to understand these textual rrtype values represented as a JSON string. In addition, a client MUST be able to handle a decimal value (as mentioned above) as answer represented as a JSON number.

This field returns the data of the queried resource. In general, this is to be interpreted as string. Depending on the rrtype, this can be an IPv4 or IPv6 address, a domain name (as in the case of CNAMEs), an SPF record, etc. A client MUST be able to interpret any value which is legal as the right hand side in a DNS zone file RFC 1035 and RFC 1034. If the rdata came from an unknown DNS resource records, the server must follow the transparency principle as described in RFC 3597.

This field returns the first time that the record / unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS. The date is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

This field returns the last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS. The date is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

Implementations SHOULD support one or more fields.

Specifies how many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers (i.e. same data in the answer set - compare with the uniqueness property in "Mandatory Fields"). The number of requests is expressed as a decimal value.

The bailiwick is the best estimate of the apex of the zone where this data is authoritative.

Implementations MAY support the following fields:

This field returns the sensor information where the record was seen. The sensor_id is an opaque byte string as defined by RFC 5001 in section 2.3.

This field returns the first time that the unique tuple (rrname, rrtype, rdata) record has been seen via zone file import. The date is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

This field returns the last time that the unique tuple (rrname, rrtype, rdata) record has been seen via zone file import. The date is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

In accordance with , designers of new passive DNS applications that would need additional fields can request and register new field name at https://github.com/adulau/pdns-qof/wiki/Additional-Fields.

Thanks to the Passive DNS developers who contributed to the document.

This memo includes no request to IANA.

Passive DNS Servers capture DNS answers from multiple collecting points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records nor who actually sent the query. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are. Nevertheless, the authors strongly encourage Passive DNS implementors to take special care of privacy issues. [draft-bortzmeyer-dnsop-dns-privacy] is an excellent starting point for this. Finally, the overall recommendations in RFC6973 should be taken into consideration when designing any application which uses Passive DNS data.

In some cases, Passive DNS output might contain confidential information and its access might be restricted. When a user is querying multiple Passive DNS and aggregating the data, the sensitivity of the data must be considered.

&RFC2119; &RFC1035; &RFC1034; &RFC3912; &RFC4627; &RFC5001; &RFC3597; &RFC6648; &RFC2234; &RFC6973; &RFC3552; &I-D.narten-iana-considerations-rfc2434bis;

If you query a passive DNS for the rrname www.ietf.org, the passive dns common output format can be:

If you query a passive DNS for the rrname ietf.org, the passive dns common output format can be: