Show HN: 4B+ DNS Records Dataset

genmud · 2024-10-16T00:34:12.000000Z

Neat! How is this different than domaintools/farsight [1]?

Passive DNS [2] has been in my toolbox for 15+ years, and is invaluable for security research / threat intelligence. Knowing historical resolutions to something are so helpful in investigations.

For anyone interested, they should check out the talk by one of the DomainTools people [3] on how it can be utilized for investigation.

Are you passively collecting this data, or actively querying for these records?

[1] - https://www.domaintools.com/products/threat-intelligence-fee...

[2] - https://www.circl.lu/services/passive-dns/

[3] - https://www.youtube.com/watch?v=oXmapqLkZd0

Eikon · 2024-10-16T04:29:22.000000Z

From what I understand [1] is just tlds, not subdomains?

genmud · 2024-10-16T05:17:12.000000Z

That would be incorrect, they get subdomains for passive dns feeds.

Eikon · 2024-10-16T09:08:44.000000Z

Ok, it'd be interesting to know how big is their datasets compared to mine and how much they overlap.

lyu07282 · 2024-10-16T17:45:55.000000Z

is this making use of letsencrypt as well? afaik all letsencrypt signed certificates including all subdomains are immediately public, which could be useful for security research as well

Eikon · 2024-10-16T19:36:42.000000Z

It's not about letsencrypt but certificate transparency which works the same for all public CAs.

I wrote a documentation piece here:

https://www.merklemap.com/documentation/how-it-works

whalesalad · 2024-10-16T19:43:25.000000Z

At first glance it looks like this data is generated via the public certificate transparency log, so I would imagine the answer is yes.

g-mork · 2024-10-16T09:24:16.000000Z

Any possibility of adding (first seen, last seen) time stamps? There is basically no good way to reconstruct the state of e.g. SPF at a point in time from existing DNS data sets

Eikon · 2024-10-16T09:30:30.000000Z

I could in future releases, yes.

g48ywsJk6w48 · 2024-10-16T19:01:46.000000Z

Thank you for data set!!! It is not always lowercase, so it have some duplicates.

Also you can avoid unnecessary data with analyze CNAME records. -- domain.tld CNAME www.domain.tld -- So you can use only domain.tld or www.domain.tld records.

m3047 · 2024-10-16T19:48:23.000000Z

I've worked in the industry at IID and Farsight. I am skeptical of many claims made by IoC vendors.

You need timestamps, or first / last seen.

Records don't exist in a vacuum. They come in RRsets. They are served (sometimes inconsistently) by different nameservers. Some use cases care about this.

Records which don't resolve are also useful, especially for use cases which amount to front-running. On any given day if the wind was blowing the right direction .belkin could be one of the top 10 non-resolving TLDs. If your data is any good, check under .cisco for stuff which resolves to 127.0.53.53. ;-)

Information about provenance (where the data comes from) is required for some use cases.

We shipped Farsight's DNSDB on one or more 1TB drives, depending on what the customer was purchasing.

whalesalad · 2024-10-16T19:38:51.000000Z

211GB seems very small. How is this generated?

Eikon · 2024-10-16T19:53:11.000000Z

What makes you think it's small?

mobilio · 2024-10-16T19:41:45.000000Z

note - that records can be geolocation routing.

This mean that from country A i can get records as X, but in country B records can be Y.

Would be great if you can make new column in CSV that can show about variations - Y/N.

35mm · 2024-10-16T05:26:25.000000Z

How often is it updated?

Does it include expired domains?

Eikon · 2024-10-16T09:45:20.000000Z

> How often is it updated?

I plan to do 2 releases a month for now, goal is one a day.

> Does it include expired domains?

Yes.

mh- · 2024-10-16T18:18:08.000000Z

This is fantastically valuable, especially if you can add the first/last-seen as requested by another commenter. Thanks for doing this.

Eikon · 2024-10-16T18:23:42.000000Z

Thanks.

That's quite a fun project!

nhggfu · 2024-10-16T13:20:41.000000Z

great work OP.

Eikon · 2024-10-16T13:31:19.000000Z

Thank you!

T3RMINATED · 2024-10-16T13:08:14.000000Z

Where do you get the data from? Does it include subdomains?

Eikon · 2024-10-16T19:35:36.000000Z

Hi,

https://www.merklemap.com/documentation/how-it-works

Basically the same process here but using that data to perform DNS queries.