PTRStream

High-performance distributed PTR record scanner with real-time streaming output

PTRStream is a fast and efficient PTR record scanner designed for distributed scanning operations. It uses a Linear Congruential Generator (LCG) for deterministic IP generation, allowing for easy distribution of work across multiple machines while maintaining pseudo-random ordering.

Features

  • Memory-efficient IP range processing using GoLCG
  • Distributed scanning support via sharding
  • Real-time NDJSON output for streaming to data pipelines
  • Support for both PTR and CNAME records
  • Automatic DNS server rotation from public resolvers
  • Progress tracking with detailed statistics
  • Colorized terminal output
  • CAIDA-style error formatting (with -debug flag)

Installation

go install github.com/acidvegas/ptrstream@latest

Options

Flag     Type    Default  Description
-c       int     100      Concurrency level
-debug   bool    false    Show unsuccessful lookups
-dns     string           File containing DNS servers
-j       bool    false    Output NDJSON to stdout (no TUI)
-l       bool    false    Loop continuously after completion
-o       string           Path to NDJSON output file
-r       int     2        Number of retries for failed lookups
-s       int     0        Seed for IP generation (0 for random)
-shard   string           Shard specification (index/total format)
-t       int     2        Timeout for DNS queries

Usage

# Basic usage
ptrstream -o output.json

# Use specific DNS servers
ptrstream -dns resolvers.txt -o output.json

# Increase concurrency
ptrstream -c 200 -o output.json

# Distributed scanning (4 machines)
# Machine 1:
ptrstream -shard 1/4 -s 12345 -o shard1.json
# Machine 2:
ptrstream -shard 2/4 -s 12345 -o shard2.json
# Machine 3:
ptrstream -shard 3/4 -s 12345 -o shard3.json
# Machine 4:
ptrstream -shard 4/4 -s 12345 -o shard4.json

Distributed Scanning

PTRStream supports distributed scanning through its sharding system. By using the same seed value across multiple instances with different shard specifications, you can distribute the workload across multiple machines while ensuring:

  • No IP address is scanned twice
  • Even distribution of work
  • Deterministic results
  • Pseudo-random scanning patterns

For example, to split the work across 4 machines:

# Each machine uses the same seed but different shard
ptrstream -shard 1/4 -s 12345  # Machine 1
ptrstream -shard 2/4 -s 12345  # Machine 2
ptrstream -shard 3/4 -s 12345  # Machine 3
ptrstream -shard 4/4 -s 12345  # Machine 4

Real-time Data Pipeline Integration

PTRStream outputs NDJSON (Newline Delimited JSON) format, making it perfect for real-time data pipeline integration. Each line contains a complete JSON record with:

  • Timestamp
  • IP Address
  • DNS Server used
  • Record Type (PTR/CNAME)
  • PTR Record
  • CNAME Target (if applicable)
  • TTL Value

Example using named pipe to Elasticsearch:

# Create a named pipe
mkfifo /tmp/ptrstream

# Start Elasticsearch ingestion in background
cat /tmp/ptrstream | elasticsearch-bulk-import &

# Run PTRStream with pipe output
ptrstream -o /tmp/ptrstream

CNAME Support

PTRStream properly handles CNAME records in PTR responses, providing:

  • Detection of CNAME chains
  • Original hostname and target tracking
  • TTL values for both record types
  • Distinct coloring in terminal output
  • CNAME statistics tracking

Example NDJSON output:

{"timestamp":"2024-01-05T12:34:56Z","ip_addr":"1.2.3.4","dns_server":"8.8.8.8","ptr_record":"example.com","record_type":"PTR","ttl":3600}
{"timestamp":"2024-01-05T12:34:57Z","ip_addr":"5.6.7.8","dns_server":"1.1.1.1","ptr_record":"original.com","record_type":"CNAME","target":"target.com","ttl":600}

Debug Mode

When running with -debug, failed lookups are displayed and logged using CAIDA-style error formatting. Each error is represented as a special .in-addr.arpa address:

2024-01-05 12:34:56 │ 1.2.3.4     │ 8.8.8.8        │  ERR  │        │ FAIL.TIMEOUT.in-addr.arpa
2024-01-05 12:34:57 │ 5.6.7.8     │ 1.1.1.1        │  ERR  │        │ FAIL.SERVER-FAILURE.in-addr.arpa
2024-01-05 12:34:58 │ 9.10.11.12  │ 8.8.4.4        │  ERR  │        │ FAIL.NON-AUTHORITATIVE.in-addr.arpa

Error types include:

  • FAIL.TIMEOUT.in-addr.arpa - DNS query timed out
  • FAIL.SERVER-FAILURE.in-addr.arpa - DNS server returned an error
  • FAIL.NON-AUTHORITATIVE.in-addr.arpa - No authoritative answer
  • FAIL.REFUSED.in-addr.arpa - Query was refused
  • FAIL.NO-PTR-RECORD.in-addr.arpa - No PTR record exists
  • And more...

These errors are also included in the NDJSON output when using -debug with either -o or -j:

{"seen":"2024-01-05T12:34:56Z","ip":"1.2.3.4","nameserver":"8.8.8.8","record":"FAIL.TIMEOUT.in-addr.arpa","record_type":"ERR","ttl":0}
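
A consumer for the NDJSON samples above, as an added example in Go (not PTRStream's own code): it accepts both key sets that appear in this README (ip_addr/ptr_record on the PTR and CNAME lines, ip/record on the -debug line) and keeps FAIL.* markers out of the hostname field. The names raw, Result and ParseLine are hypothetical, and the truncated fourth sample line is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// raw accepts both key sets in the README samples: ip_addr/ptr_record and ip/record.
type raw struct {
	IPAddr string `json:"ip_addr"`
	IP     string `json:"ip"`
	PTR    string `json:"ptr_record"`
	Rec    string `json:"record"`
	Type   string `json:"record_type"`
	Target string `json:"target"`
}

// Result is a hypothetical normalized record (a name chosen for this example).
type Result struct{ IP, Type, Name, Target, Err string }

// ParseLine normalizes one NDJSON line; truncated or unknown lines return an error.
func ParseLine(line []byte) (Result, error) {
	var r raw
	if err := json.Unmarshal(line, &r); err != nil {
		return Result{}, err
	}
	res := Result{IP: r.IPAddr + r.IP, Type: r.Type, Name: r.PTR + r.Rec, Target: r.Target} // one key of each pair is set
	switch r.Type {
	case "PTR", "CNAME":
	case "ERR": // FAIL.<REASON>.in-addr.arpa is an error marker, not a hostname
		res.Err = strings.TrimSuffix(strings.TrimPrefix(res.Name, "FAIL."), ".in-addr.arpa")
		res.Name = ""
	default:
		return Result{}, fmt.Errorf("unknown record_type %q", r.Type)
	}
	return res, nil
}

// sample: the README's three lines plus one truncated line (constructed).
const sample = `{"timestamp":"2024-01-05T12:34:56Z","ip_addr":"1.2.3.4","dns_server":"8.8.8.8","ptr_record":"example.com","record_type":"PTR","ttl":3600}
{"timestamp":"2024-01-05T12:34:57Z","ip_addr":"5.6.7.8","dns_server":"1.1.1.1","ptr_record":"original.com","record_type":"CNAME","target":"target.com","ttl":600}
{"seen":"2024-01-05T12:34:56Z","ip":"1.2.3.4","nameserver":"8.8.8.8","record":"FAIL.TIMEOUT.in-addr.arpa","record_type":"ERR","ttl":0}
{"timestamp":"2024-01-05T12:34:58Z","ip_addr":"9.10.`

func main() {
	for _, line := range strings.Split(sample, "\n") {
		fmt.Println(ParseLine([]byte(line)))
	}
}
```

Rejecting the truncated line instead of skipping it silently matters when the reader sits on a named pipe, where a writer that exits mid-record leaves a partial last line.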

Mirrors: acid.vegas • SuperNETs • GitHub • GitLab • Codeberg