Raw Hex Rdata Queries: An Obscure (But Potentially Quite Useful) Bit Of DNSDB Functionality
By Joe St. Sauver
Farsight Security customers who use the web interface to DNSDB may have noticed a button marked "Raw Hex" when doing Rdata queries. See the highlighted red boxes in this screen shot:
You may even have wondered why that button exists, or how you might use it. Some months ago, a number of Farsight staff discussed this very question, with the original developer of that functionality commenting:
"hex is the ultimate search mode because it allows lookups for arbitrary octet strings (or prefixes of octet strings). that is, it allows you to bypass the DNS "presentation layer" and directly query the underlying data store. this works for existing RRtypes as well as unknown RRtypes, and in fact this is the only way to search the rdata of unknown RRtypes."
One of the best ways to appreciate this capability is by looking at an example. For instance, perhaps you were interested in investigating use of DNSCurve.
2. A DNSCurve Example for Raw Hex Mode
"DNSCurve is a proposed new secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. […] Public keys for remote authoritative servers are placed in NS records, so recursive resolvers know whether the server supports DNSCurve. Keys begin with the magic string uz5 and are followed by a 51-byte Base32 encoding of the server's 255-bit public key"
The Rdata of an NS record is a domain name in DNS wire format (RFC 1035), in which every label is preceded by a one-octet length. Raw hex mode matches those Rdata octets as a prefix, so the hex string we need begins with the length of the key label (3 bytes of magic string plus the 51-byte encoded public key, 54 bytes in all), followed by the magic string "uz5" itself; the 51 key bytes after that are left unspecified so that every DNSCurve key matches. We'll do the conversion via Python:

$ python3 -c "print(hex(54), hex(ord('u')), hex(ord('z')), hex(ord('5')))"
0x36 0x75 0x7a 0x35

Dropping the 0x prefixes and concatenating the four values gives the raw hex query string 36757a35.
Results from making that query in the web interface look like:
Note that DNSDB returned 10,000 results, the maximum results returnable via the web interface to DNSDB.
3. Doing Raw Hex Queries Via The DNSDB API
While we showed raw hex queries via the web interface, they can also be made via the API, which is helpful when you want or need more than the 10,000 results the web interface returns.
The normal DNSDB CLI clients (such as dnsdb_query.py) don't currently offer an option for raw hex mode, so we'll use curl for demonstration purposes instead:
$ curl "https://api.dnsdb.info/lookup/rdata/raw/36757a35?limit=1000000" \
    --header "X-API-Key: [API key redacted here]" \
    | grep " IN NS " \
    | grep -v "\.in-addr\.arpa\. " \
    | grep -v "\.ip6\.arpa\. " \
    | sort -u > uz5.txt
$ wc -l uz5.txt
3310 uz5.txt

A few notes on that pipeline. Don't pass curl's -k option (which disables TLS certificate verification) on a request like this: it carries your API key. The grep for " IN NS " matters because raw hex mode matches octets regardless of RRtype: any Rdata that begins with a 54-octet string starting "uz5" (a TXT record, for instance) would be returned as well. The two grep -v filters drop NS records for reverse zones, and sort -u removes duplicate lines.

$ more uz5.txt
[...]
barneys.biz. IN NS uz50zk0fdkznv9nwbwltbfxdq48un3zf33xqdxbc9h9pgckvgh1skn.dns.unicycle.cz.
[...]
In this case, by combining API access with filtering out records that weren't of primary interest, we efficiently obtained a smaller set of DNSCurve-related records that best met our research needs.
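The two steps above (building the 36757a35 prefix, then filtering the API output) as one worked example in Python. This is an added example, not code from the original post or from Farsight: it generalises the hex construction to exact and prefix matches on any name-valued Rdata, reimplements the grep/sort pipeline, and adds a validity check on the key label. The DNSCurve base32 alphabet and its little-endian bit order come from the DNSCurve specification, not from this post; SAMPLE_LINES is constructed here in DNSDB's "owner IN rrtype rdata" text format, and only its first record is one the post actually shows.

```python
"""DNSDB raw-hex rdata queries, worked on the DNSCurve NS-key case.

Added example, not code from the original post or from Farsight.
SAMPLE_LINES is constructed to mimic DNSDB's text output format.
"""

DNSCURVE_ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve base32 symbols
DNSCURVE_MAGIC = "uz5"
DNSCURVE_LABEL_LEN = len(DNSCURVE_MAGIC) + 51  # 54 octets
REVERSE_ZONES = (".in-addr.arpa.", ".ip6.arpa.")

def name_to_wire(name):
    """RFC 1035 wire form: a length octet before each label, 0x00 for the root."""
    out = bytearray()
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def raw_hex_exact(name):
    """Hex for an exact match on name-valued rdata (NS, CNAME, PTR targets)."""
    return name_to_wire(name).hex()

def raw_hex_label_prefix(label_len, prefix):
    """Hex for a prefix match: first label exactly label_len octets long and
    starting with prefix. Raw hex compares rdata octets as a prefix, so the
    rest of the label and any later labels stay unconstrained."""
    raw = prefix.encode("ascii")
    if not len(raw) <= label_len <= 63:
        raise ValueError("label_len must be between len(prefix) and 63")
    return bytes([label_len]).hex() + raw.hex()

def is_dnscurve_key_label(label):
    """'uz5' + 51 alphabet characters. The query only pins the length octet and
    'uz5', so a 54-octet label with other characters matches it but is no key."""
    return (len(label) == DNSCURVE_LABEL_LEN
            and label.startswith(DNSCURVE_MAGIC)
            and all(c in DNSCURVE_ALPHABET for c in label[3:]))

def dnscurve_decode(label):
    """Key label -> 32-byte Curve25519 public key. DNSCurve base32 is
    little-endian: 5 bits per character, least significant bits first;
    51 characters carry the 255 significant bits (bit 255 of the key is 0)."""
    if not is_dnscurve_key_label(label):
        raise ValueError("not a DNSCurve key label: %r" % label)
    out, acc, nbits = bytearray(), 0, 0
    for ch in label[3:]:
        acc |= DNSCURVE_ALPHABET.index(ch) << nbits
        nbits += 5
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    out.append(acc)  # the final 7 bits form byte 31
    return bytes(out)

def dnscurve_ns_records(lines):
    """Keep unique forward-zone NS records whose server name starts with a
    well-formed key. Other rrtypes are dropped: a 54-octet TXT string starting
    'uz5' has the same leading octets and matches the raw-hex query too."""
    seen, kept = set(), []
    for line in lines:
        f = line.split()
        if len(f) != 4 or f[1:3] != ["IN", "NS"]:
            continue
        if f[0].endswith(REVERSE_ZONES):
            continue
        if not is_dnscurve_key_label(f[3].split(".")[0]):
            continue
        if line not in seen:
            seen.add(line)
            kept.append(line)
    return kept

# Constructed sample; only the first record is one the post actually shows.
KEY_LABEL = "uz50zk0fdkznv9nwbwltbfxdq48un3zf33xqdxbc9h9pgckvgh1skn"
SAMPLE_LINES = [
    "barneys.biz. IN NS %s.dns.unicycle.cz." % KEY_LABEL,
    "barneys.biz. IN NS %s.dns.unicycle.cz." % KEY_LABEL,            # duplicate
    "1.0.0.10.in-addr.arpa. IN NS %s.dns.unicycle.cz." % KEY_LABEL,  # reverse zone
    "example.net. IN NS %s.ns.example.net." % ("uz5" + "a" * 51),   # 54 octets, not a key
    'example.org. IN TXT "%s"' % KEY_LABEL,                          # right octets, wrong rrtype
]

if __name__ == "__main__":
    print(raw_hex_label_prefix(DNSCURVE_LABEL_LEN, DNSCURVE_MAGIC))  # 36757a35
    print(dnscurve_decode(KEY_LABEL).hex())
    for rec in dnscurve_ns_records(SAMPLE_LINES):
        print(rec)
```

raw_hex_label_prefix reproduces the 36757a35 query; raw_hex_exact builds the string for pinning one specific server name instead. The key-validity check is the part the shell pipeline cannot do: the raw-hex prefix only constrains four octets, so anything with a 54-octet first label beginning "uz5" comes back, and the decoder turns a genuine label into the 32-byte public key if you want to compare servers by key rather than by name.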
So now you know the answer to what may have been a nagging riddle, "Why does DNSDB have 'raw hex' input mode?"
You've also seen how you can make raw hex mode queries both via the DNSDB web interface and via the DNSDB API, should you need to do so.
We hope that you find this an interesting and unique bit of DNSDB functionality! For information about obtaining access to DNSDB if you're not already a customer, please reach out to us.
Joe St Sauver, Ph.D., is a Scientist with Farsight Security, Inc.