Kaio Rafael wrote:
> Hi,
>
> I am looking for a DNS dataset for academic research. I have been
> studying .BR DNS dataset (DITL 2008 on DNS-OARC servers), however, I
> would like to investigate more recent traffic.

do you know about the Security Information Exchange? http://sie.isc.org/
has details.

>
> I am a PhD candidate at Federal University of Amazonas (Brazilian
> state), and my research concerns how DNS traffic can be used to
> identify Botnets.

here is one message, out of a flow of tens of thousands per second, from
SIE Channel 202, displayed in ASCII (which is not useful other than for
demos like this -- you'll want to write code in Python, Perl, or C to
actually process it.) i've anonymized the questioner IP, answerer IP, and
sensor ID (xxx, yyy, and zzz below), leaving only information that's
safely shared in public:

root@hb:/var/tmp # nmsgtool -V isc -T dnsqr -C ch202 -c 1
[237] [2013-04-18 22:09:28.307429000] [1:9 ISC dnsqr] [zzz] [] []
type: UDP_QUERY_RESPONSE
query_ip: xxx
response_ip: yyy
proto: UDP (17)
query_port: 37910
response_port: 53
id: 60999
qname: 73.143.122.74.in-addr.arpa.
qclass: IN (1)
qtype: PTR (12)
rcode: SERVFAIL (2)
delay: 0.036673
udp_checksum: CORRECT
query: [44 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 60999
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;73.143.122.74.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
---
response: [44 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 60999
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;73.143.122.74.in-addr.arpa. IN PTR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
---

paul
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
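
Added example (not part of the original post and not ISC's code): Python that parses the nmsgtool ASCII display shown in the message above into one record per message and lists the lookups whose rcode is not NOERROR. The header-field names (time, vendor, msgtype, sensor) are labels assumed from the single sample line, and the embedded sample is the post's message with the section dumps trimmed.

```python
import re

# Constructed sample: the post's message as nmsgtool displays it, dumps trimmed.
SAMPLE = """\
[237] [2013-04-18 22:09:28.307429000] [1:9 ISC dnsqr] [zzz] [] []
type: UDP_QUERY_RESPONSE
query_ip: xxx
response_ip: yyy
proto: UDP (17)
query_port: 37910
response_port: 53
id: 60999
qname: 73.143.122.74.in-addr.arpa.
qclass: IN (1)
qtype: PTR (12)
rcode: SERVFAIL (2)
delay: 0.036673
query: [44 octets]
---
response: [44 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 60999
---
"""

# Assumed reading of the header line: [n] [time] [ids vendor msgtype] [sensor]
HEADER = re.compile(r"^\[\d+\] \[([^\]]+)\] \[\d+:\d+ (\S+) (\S+)\] \[([^\]]*)\]")
FIELD = re.compile(r"^([a-z_]+): (.*)$")    # "name: value" lines
CODED = re.compile(r"^(\S+) \((\d+)\)$")    # "SERVFAIL (2)" -> "SERVFAIL"

def parse_messages(text):
    """Return one dict per message; ';' dump lines and '---' are skipped."""
    messages = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            messages.append(dict(zip(("time", "vendor", "msgtype", "sensor"), head.groups())))
            continue
        field = FIELD.match(line)
        if field and messages:
            key, value = field.groups()
            coded = CODED.match(value)
            messages[-1][key] = coded.group(1) if coded else value
    return messages

def failed_lookups(messages):
    """(qname, qtype, delay in seconds) for each response that is not NOERROR."""
    return [(m["qname"], m["qtype"], float(m["delay"]))
            for m in messages if m.get("rcode", "NOERROR") != "NOERROR"]
```
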
