Bogons via DNS
Be sure to check out the main Bogon Reference for more information on the project and terminology used, and why it is important to keep your bogon filters up-to-date.
We provide bogon tracking through DNS via several reversed-IP zones. These zones are queried by reversing the octets of an IPv4 address (or nibbles of an IPv6 address) and appending a zone name, much like reverse DNS (in-addr.arpa and ip6.arpa) and DNSBL queries.
If the IP address represented by a given query is a bogon, the response will be an A RR of 127.0.0.2. You may also query for a TXT RR, which will indicate the bogon prefix within which the given address resides (no TXT record will be present for non-bogon queries).
The available Bogon DNS zones are:
- bogons.cymru.com
  - The traditional IPv4 bogon prefixes; Martian (reserved) prefixes plus those /8 networks not allocated to an RIR by IANA.
- v4.fullbogons.cymru.com
  - IPv4 "fullbogons", encompassing the traditional IPv4 bogon prefixes from bogons.cymru.com as well as prefixes that have been allocated to RIRs but not yet assigned by those RIRs to ISPs, end-users, etc.
- v6.fullbogons.cymru.com
  - IPv6 "fullbogons", all IPv6 prefixes that have not been allocated to RIRs and that have not been assigned by RIRs to ISPs, end-users, etc.
Examples
We can verify that 192.168.1.1 is part of a bogon prefix:

    $ dig +short 1.1.168.192.bogons.cymru.com
    127.0.0.2

We can verify that 10.0.0.0/8 is a bogon prefix:

    $ dig +short 0.0.0.10.bogons.cymru.com
    127.0.0.2

We can check the IPv4 fullbogons zone for 198.51.100.24, and check what prefix it is part of:

    $ dig +short 24.100.51.198.v4.fullbogons.cymru.com.
    127.0.0.2
    $ dig +short 24.100.51.198.v4.fullbogons.cymru.com. TXT
    "198.51.100.0/24"

We can check the IPv6 fullbogons zone for 2001:DB8:FEEB:DEEF::242, and see what prefix it is part of, but it won't be pretty because we have to expand out all of the zeroes to do it:

    $ dig +short 2.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.f.e.e.d.b.e.e.f.8.b.d.0.1.0.0.2.v6.fullbogons.cymru.com.
    127.0.0.2
    $ dig +short 2.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.f.e.e.d.b.e.e.f.8.b.d.0.1.0.0.2.v6.fullbogons.cymru.com. TXT
    "2001:db8::/29"

(Note that the prefix returned for the TXT query above will likely change in the future; the IPv6 documentation prefix is actually 2001:db8::/32, but it is aggregated as a /29 in the IPv6 fullbogons feed because the immediately adjacent prefixes have not yet been assigned to any end-users.)
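
The query-name construction used in the examples above, as an added Python example (not Team Cymru's code). The function names and the injectable `resolve` parameter are hypothetical, and it assumes an unlisted address produces a name-not-found error from the resolver.

```python
import ipaddress
import socket

# Zone names as listed on this page, keyed by IP version.
ZONES = {
    4: ("bogons.cymru.com", "v4.fullbogons.cymru.com"),
    6: ("v6.fullbogons.cymru.com",),
}
BOGON_ANSWER = "127.0.0.2"  # A RR the page documents for a bogon address


def bogon_qname(addr, zone=None):
    """Build the reversed-octet / reversed-nibble query name for addr."""
    ip = ipaddress.ip_address(addr)
    if zone is None:
        zone = ZONES[ip.version][-1]  # default: the fullbogons zone
    elif zone not in ZONES[ip.version]:
        raise ValueError(f"{zone} does not serve IPv{ip.version} queries")
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        # The exploded form restores every elided zero: 32 hex nibbles.
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone + "."


def is_bogon(addr, zone=None, resolve=socket.gethostbyname):
    """Return True only when the zone answers with the documented A RR.

    Assumption: an unlisted address produces a name-not-found error.
    Any other resolver failure is re-raised so that a DNS outage is
    not silently read as "not a bogon".
    """
    try:
        answer = resolve(bogon_qname(addr, zone))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return False
        raise
    return answer == BOGON_ANSWER


if __name__ == "__main__":
    # Addresses are the ones used in the examples above; needs DNS access.
    for sample in ("192.168.1.1", "198.51.100.24", "2001:DB8:FEEB:DEEF::242"):
        print(sample, bogon_qname(sample), is_bogon(sample))
```

Comparing the answer against 127.0.0.2 exactly, rather than accepting any successful resolution, keeps a resolver that rewrites NXDOMAIN responses from marking every address as a bogon.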
AXFR
Zone transfers of the entire bogons.cymru.com zone are permitted from ns1.cymru.com, ns2.cymru.com, and ns3.cymru.com. This can be accomplished with the following syntax:

    $ dig @ns1.cymru.com. axfr bogons.cymru.com.
    $ dig @ns2.cymru.com. axfr bogons.cymru.com.
    $ dig @ns3.cymru.com. axfr bogons.cymru.com.

Zone transfers are not currently offered for the fullbogons.cymru.com zones.
Credits
Credit to John Payne for the idea of offering bogons via DNS!
Credit to Ed Vazquez for the idea of the zone transfer offering!
