
API Examples


Using WAPI to access PTR records

Guru
Posts: 26

I'm writing some Python code to scan through my DNS to identify potentially stale records.

I'm able to parse through pretty much every record type I'm interested in, with one exception: PTRs.

In DNS parlance, the PTRs exist only in the various in-addr.arpa zones, and I have around 15 of those. In the GUI, I can find these records no problem, but I cannot seem to find them via the WAPI.

My general goal is to find and eliminate any stale PTR records, as users are notorious for not deleting a PTR record when they delete an A record. Scavenging only supports deleting 2000 records in a SmartFolder, and we have many zones, so that's not a very efficient method of getting caught up. Once we purge a lot of these historical stale records, we'll likely use scavenging going forward.

The general methodology I'm using is as follows:

1) Perform a GET to find all of the authoritative zones in a given DNS view.

2) For each zone, perform paginated GETs to find the record type I'm seeking.

My GET for the auth zones returns a dict that has ~80 zones. The GUI shows me 29 auth zones. Some of the zones are, say, fubar.com, and others are like 10.0.0.0/8, which I have assumed corresponds with 10.in-addr.arpa. I'm using the fqdn field in the zone_auth object to identify the zone.

The discrepancy in the number of records appears to be that the WAPI returns the subzones for the various in-addr.arpa zones. As an example, my 10.in-addr.arpa zone has 44 /24s defined individually. It does not return subdomain.fubar.com, however. I suppose I need to find a means of finding subdomains such as this going forward, but that is not my main question.

If I look in the GUI, one of my Class B in-addr.arpa zones has around 2800 PTR records and 5400 Host records. If I export the Host Records, I see 5400 hostrecord and 5400 host address records.

In playing around, I have noticed that I can retrieve the PTR records with the allrecords object, but this method does not allow me to retrieve the creation_time or last_queried fields, which I can retrieve for most other records using a GET for record:XXX objects.

When I look via the WAPI, I get none.

Re: Using WAPI to access PTR records

Superuser
Posts: 38

Hi,


You can use the "record:ptr" object to retrieve PTR records.

The basic version of the object contains the following fields: ptrdname, view.

curl -L -X GET 'https://<grid>/wapi/v2.11/record:ptr'

By appending _schema, the request will do a schema fetch for the object.

curl -L -X GET 'https://<grid>/wapi/v2.11/record:ptr?_schema'

The readable fields can then be requested by using _return_fields.

So in your case you can add creation_time and last_queried after appending _return_fields to your GET query:

curl -L -X GET 'https://<grid>/wapi/v2.11/record:ptr?_return_fields%2b=creation_time,last_queried,zone'


Shukran

Re: Using WAPI to access PTR records

Guru
Posts: 26

I believe you mean "record:ptr", and not "recordtr".

That being said, I need a means of getting all of the records in a particular zone, (in this case an in-addr.arpa space).

My issue is that when I retrieve a zone_auth for an in-addr.arpa zone, I'll see a record like "10.0.0.0/8". If I attempt to search for record:ptr objects in this zone, I have to use the traditional "10.in-addr.arpa" format. As I have a number of smaller in-addr.arpa subzones inside larger in-addr.arpa zones, this is not easily done unless I can somehow transform every valid CIDR block reference to a valid in-addr.arpa name.

I probably have 100,000 PTRs to worry about, and my guess is that 70% of them are stale static orphans. Scavenging only appears to handle 2,000 stale records at a time, so I'm trying some other way of doing this.

So it looks like I can retrieve all of the zone_auth objects and then, for the objects that have an address field, convert these fields to an in-addr.arpa format string, and then perform a lookup.

So the task becomes:

1. GET all zone_auth objects for a DNS View, specifically returning the address field.
2. If the zone_auth object has an address field, convert the address:

   i. X.0.0.0 --> X.in-addr.arpa

   ii. X.Y.0.0 --> 0.Y.X.in-addr.arpa

   iii. X.Y.Z.0 --> Z.Y.X.in-addr.arpa

3. Use the output from 2) to perform a GET of record:ptr?zone=
4. Process that set of records accordingly.


David E. Fitzgerald
Lead Network Engineer
R115 - Network Services
Office: 781-271-2889
Cell: 617-216-4149
fitz@mitre.org


Re: Using WAPI to access PTR records

Superuser
Posts: 38

Hi David,


You could use the display_domain field in zone_auth; it will give you the converted address.

Also you could put a filter on zone_format (FORWARD, IPV4, or IPV6) while querying zone_auth.


curl -L -X GET 'https://<grid-ip>/wapi/v2.12/zone_auth?zone_format=IPV4&_return_fields%2B=dns_fqdn,display_domain'


You could then use the display_domain as the value for zone in the record:ptr query, so you won't have to check for the address field and convert it to an in-addr.arpa format string to perform a lookup.

Let me know if this helps.


Shukran

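The two pieces of the procedure discussed above (the CIDR-to-in-addr.arpa conversion from David's task list, and the paged record:ptr query with creation_time and last_queried that Shukran describes) as one added Python example; this is not code from either poster or from Infoblox. It assumes the WAPI paging convention (_paging=1, _return_as_object=1, _max_results, next_page_id / _page_id), and the Grid is replaced by a constructed fake (fake_get_json, SAMPLE_PAGES, NOW) so it runs offline; the staleness window of 180 days is an arbitrary choice.

```python
import urllib.parse

def cidr_to_reverse_zone(cidr: str) -> str:
    """Map an octet-aligned zone_auth 'address' (10.0.0.0/8) to its in-addr.arpa name."""
    net, prefix = cidr.split("/")
    prefix = int(prefix)
    if prefix not in (8, 16, 24):
        # A /12 or an RFC 2317 /25 has no single in-addr.arpa label: read
        # zone_auth's display_domain for those instead of converting here.
        raise ValueError(f"unsupported prefix /{prefix} in {cidr}")
    octets = net.split(".")[: prefix // 8]          # keep only the significant octets
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ptr_query_url(grid: str, zone: str, view: str, max_results: int = 1000) -> str:
    """First-page record:ptr URL; urlencode turns '_return_fields+' into _return_fields%2B."""
    params = {"zone": zone, "view": view, "_return_fields+": "creation_time,last_queried",
              "_paging": "1", "_return_as_object": "1", "_max_results": str(max_results)}
    return f"https://{grid}/wapi/v2.11/record:ptr?" + urllib.parse.urlencode(params)

def fetch_all_ptrs(get_json, grid: str, zone: str, view: str) -> list:
    """Walk WAPI paging: each page is {'result': [...], 'next_page_id': ...} until no id."""
    base, page_id, records = ptr_query_url(grid, zone, view), None, []
    while True:
        url = base + (f"&_page_id={urllib.parse.quote(page_id)}" if page_id else "")
        page = get_json(url)                        # get_json: callable returning the decoded JSON body
        records.extend(page["result"])
        page_id = page.get("next_page_id")
        if not page_id:
            return records

def is_stale(rec: dict, now_epoch: int, max_age_days: int = 180) -> bool:
    """Flag a PTR not queried within the window; never-queried ones fall back to creation_time."""
    last = rec.get("last_queried") or rec.get("creation_time")   # WAPI returns epoch seconds
    return last is not None and now_epoch - last > max_age_days * 86400

# Constructed stand-in for the Grid (hypothetical): two pages of fake records.
NOW, DAY = 1_700_000_000, 86400
SAMPLE_PAGES = {
    None: {"result": [{"_ref": "record:ptr/x1", "last_queried": NOW - 10 * DAY, "creation_time": NOW - 400 * DAY},
                      {"_ref": "record:ptr/x2", "last_queried": NOW - 300 * DAY, "creation_time": NOW - 400 * DAY}],
           "next_page_id": "page2"},
    "page2": {"result": [{"_ref": "record:ptr/x3", "last_queried": None, "creation_time": NOW - 400 * DAY}]},
}

def fake_get_json(url: str) -> dict:
    """Serve SAMPLE_PAGES keyed by the _page_id query parameter (None for the first page)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[query.get("_page_id", [None])[0]]
```

Against a real Grid, get_json would be a thin wrapper around an authenticated HTTPS GET that returns the parsed body, and the zone argument comes from zone_auth's display_domain when the prefix is not octet-aligned.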