Bugtraq mailing list archives

DNS PTR surveying


From: "D. J. Bernstein" <djb () CR YP TO>
Date: Sun, 1 Oct 2000 08:28:33 -0000

This is a brief note on some DNS surveying tools. You can use them to
rapidly measure the size of the Internet, to support higher-level
surveys of various daemons, or to kill typical DNS caches.

The tools are random-ip, which prints a random set of IP addresses, and
dnsfilter, which does PTR lookups in parallel. They're part of the
djbdns package, available from http://cr.yp.to/djbdns.html. Typical use:

   random-ip 10000 | dnsfilter > RESULTS

dnsfilter does 10 PTR lookups in parallel. Use dnsfilter -c 100 to do
100 PTR lookups in parallel for higher speed; make sure that you don't
have a small fd resource limit. You can also speed things up by removing
the (misconfigured) 6.*, 8.*, 34.*, and 55.* networks from the list.

I tried 10000 addresses a few minutes ago. The output included 282
addresses with PTR records such as 172.165.0.88=aca50058.ipt.aol.com,
8983 addresses without PTR records, and 735 temporary failures such as
8.138.51.161:timed-out. A subsequent double-check of the temporary
failures found no new PTR records.

Evidently the Internet has roughly 120 million IP addresses with PTR
records. It's not difficult to build a complete list, like the $2500.00
CD that ISC sells to spammers, but a small random sample is enough for
legitimate surveys.

dnsfilter uses the DNS cache listed in /etc/resolv.conf. You can set the
$DNSCACHEIP environment variable to tell it to use another DNS cache.
There are a huge number of DNS caches on the Internet that you can use,
because ISC ships BIND with promiscuous defaults.

A big, fast survey will kill a BIND cache, because BIND dies when it
runs out of memory. BIND 9 won't die, but it will stop caching new data,
so performance goes down the toilet. Unless you're trying to take down
somebody's DNS service, you should use the dnscache program included in
the djbdns package; dnscache smoothly discards old data.

---Dan
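
As an added example (not part of the original post or of djbdns), this Python sketch tallies dnsfilter output in the two line formats quoted above and scales the PTR fraction to a population estimate with a 95% Wilson interval. It assumes that a bare address line means no PTR record and that the sample was drawn uniformly from the 2^32 IPv4 address space; the sample lines other than the two quoted in the post are constructed.

```python
import math
import re
from collections import Counter

ADDRESS_SPACE = 2 ** 32  # assumption: addresses sampled uniformly from all of IPv4

# Constructed sample; lines 1 and 3 use the formats quoted in the post.
SAMPLE = """\
172.165.0.88=aca50058.ipt.aol.com
192.0.2.17
8.138.51.161:timed-out
198.51.100.4
"""

# Leading IPv4 address, then "=" (PTR found), ":" (temporary failure) or nothing.
LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})([=:]?)")

def tally(lines):
    """Count PTR hits, temporary failures and no-PTR lines."""
    kinds = {"=": "ptr", ":": "tempfail", "": "none"}
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # skip anything that does not start with an IPv4 address
            counts[kinds[m.group(2)]] += 1
    return counts

def estimate(hits, n, population=ADDRESS_SPACE, z=1.96):
    """Point estimate and Wilson score interval, scaled to the population."""
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return p * population, (centre - half) * population, (centre + half) * population

if __name__ == "__main__":
    print(dict(tally(SAMPLE.splitlines())))
    # Figures reported in the post: 282 PTR hits in 10000 addresses.
    point, low, high = estimate(282, 10000)
    print(f"{point / 1e6:.1f}M (95% CI {low / 1e6:.1f}M to {high / 1e6:.1f}M)")
```

With the post's figures the point estimate is about 121 million, which matches the "roughly 120 million" stated above, and the interval shows how much a 10000-address sample can move that number.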

