]> CIRCL

41, avenue de la gare Luxembourg L-1611 LU (+352) 247 88444 alexandre.dulaunoy@circl.lu http://www.circl.lu/

CERT.at

Karlsplatz 1/2/9 Wien A-1010 AT +43 1 5056416 78 kaplan@cert.at http://www.cert.at/

General Internet Engineering Task Force dns This document describes the output format used between Passive DNS query interface. The output format description includes also a common meaning per Passive DNS system.

Passive DNS is a technique described by Florian Weimer in 2005 in Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security. Since then multiple Passive DNS implementations evolved over time. Users of these Passive DNS servers query a server (often via Whois [Ref: WHOIS]), parse the results and process them in other applications. There are multiple implementation of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of three Passive DNS Systems which are in use today and which already share a nearly identical output format. As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format format is following a simple key-value structure. The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each individual server. [http://code.google.com/p/passive-dns-query-tool/] currently implements multiple parsers due to a lack of standardization. The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) used to query the Passive DNS.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

As a Passive DNS can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The bailiwick algorithm (c.f. http://www.isc.org/files/passive_dns_hardening_handout.pdf) protects the Passive DNS Database from cache poisoning attacks [ref: Dan Kaminsky]. Another limitiation that clients querying the database need to be aware of is that each query simply gets an snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers.

A field is composed a key followed by a value separated by the single ':' character and a space before the value. The format is based on the initial work done by Florian Weimer and the RIPE whois format (ref:http://www.enyo.de/fw/software/dnslogger/whois.html). The ordered of the fields is not significant for the same resource type, name tuple.

A sample output using the common format:

MUST Human Readable SHOULD JSON OPTIONAL Bind

Implementation MUST support all the mandatory fields. TODO pinpoint on the key for the 3tuple (rrtype,rrname,rdata)

This field returns the first time that the record has been seen by the passive DNS. The date is expressed in ISO 8601 and UTC.

This field returns the last time that the record has been seen by the passive DNS. The date is expressed in ISO 8601 and UTC.

This field returns the resource record type as seen by the passive DNS. The key is rr-type and the value is in the interpreted record type. If the value cannot be interpreted the decimal value is returned. The resource record type can be any values as described by IANA in the DNS parameters document in the section 'DNS Label types' (http://www.iana.org/assignments/dns-parameters).

This field returns the name of the queried resource.

This field returns the data of the queried resource.

Implementation SHOULD support one or more field.

This field returns the sensor information where the record was seen. The sensor_id is expressed in a decimal value.

Specifies how many authoritative answers were received with the set of answers (i.e. same data) over all sensors. The number of requests is expressed as a decimal value.

An x- prefixed key means that is an extension and a non-standard field defined by the implementation of the passive DNS.

Thanks to the Passive DNS developers who contributed to the document.

This memo includes no request to IANA.

In some cases, Passive DNS output might contain confidential information and its access might be restricted. When an user is querying multiple Passive DNS and aggregating the data, the sensitivity of the data must be considered. Authentication of the output can be implemented on the server via an extended field. All drafts are required to have a security considerations section. See RFC 3552 for a guide.

&RFC2119; &RFC2629; &RFC3552; &I-D.narten-iana-considerations-rfc2434bis; Mad Dominators, Inc.

This becomes an Appendix.