
PTR records for a large subnet

New Member
Posts: 2

I have a need to identify and delete stale PTR records from certain subnets. The subnet could be a /24 or a /23 or even a /16. There are a fair number of these networks and this involves a lot of PTR records. From what I have seen in the API documentation, I can only get PTR records for a certain IPv4 or IPv6 IP address (by passing in the ipv4addr / ipv6addr parameter). That would make it a LOT of API calls - one each for a GET and another for a DELETE (because I need to log them first before deleting).

I was hoping that I could pass in a network (ex. 66.241.0.0/16) that would give me all the PTRs that are present in that block of 65,536 addresses. How would I achieve my objective? Obviously, I do not want to iterate through each IP address and make WAPI calls for each.

Re: PTR records for a large subnet

Moderator
Posts: 306

This search will return each IP address in a subnet, along with the _ref for individual DNS records, for any IP address that has a PTR associated with it:

    curl -k1 -u admin:infoblox -X GET 'https://192.168.1.2/wapi/v2.12/ipv4address?network=192.168.1.0/24&types=PTR'

The returned list will have entries like this, for each matching IP address:

    {
        "_ref": "ipv4address/Li5pcHY0X2FkZHJlc3MkMTAuOS4xNi4xOC8w:192.168.1.18",
        "ip_address": "192.168.1.18",
        "is_conflict": false,
        "mac_address": "",
        "names": [
            "dhcp-0018.example.net"
        ],
        "network": "192.168.1.0/24",
        "network_view": "default",
        "objects": [
            "record:a/ZG5zLmJpbmRfYSQuX2RlZmF1bHQubmV0d29yay5yaWNoYXJkLHdpbjEwLXZtLDEwLjkuMTYuMTg:dhcp-0018.example.net/Internal%20DNS",
            "record:ptr/ZG5zLmJpbmRfcHRyJC5fZGVmYXVsdC5hcnBhLmluLWFkZHIuMTAuOS4xNi4xOC5kaGNwLTAwMDAucmljaGFyZC5uZXR3b3Jr:18.1.168.192.in-addr.arpa/Internal%20DNS"
        ],
        "status": "USED",
        "types": [
            "A",
            "PTR"
        ],
        "usage": [
            "DNS"
        ]
    },

Then each PTR can be queried to find the attributes like creation time or hostname or whatever.

Re: PTR records for a large subnet

New Member
Posts: 2

Matt, 

Thank you so much! That works in identifying all the PTRs for a whole network although it doesn't give me the details of the PTRs themselves. For the details I have to actually do another query which will result in a lot of API calls. But, if I just want to identify the PTRs and get the references, this is a great way. Thanks.

Just FYI, I was able to figure out another way to get a list of all PTRs and all the details by querying on their zones. In my case, most of the networks are /24 and I have reverse zones for those /24 networks. So, I was able to run this API call for a network 131.241.0.0/24 whose reverse zone would be 0.241.131.in-addr.arpa

    curl -k1 -u admin:infoblox -X GET 'https://myInfobloxurl/wapi/v2.12/record:ptr?_return_fields%2B=extattrs,comment,ipv4addr,dns_name,name,ptrdname,zone,view&zone=0.241.131.in-addr.arpa'

And get back results like this.  All PTRs for this 131.241.0.0/24 network and all their details.

    [
        {
            "_ref": "record:ptr/ZG5zLmJpbmRfcHRyJC5fZGVmYXVsdC5hcnBhLmluLWFkZHIuMTMxLjI0MS4wLjMuYmItcml2ZXJib2F0cy1kZWxldGUtbWUuZHluYW1pYy5mdXNlLm5ldA:3.0.241.131.in-addr.arpa/default",
            "comment": "Testing newbloxlab - Creating a PTR 1 on specific IP through WAPI for testing",
            "dns_name": "3.0.241.131.in-addr.arpa",
            "ipv4addr": "131.241.0.3",
            "name": "3.0.241.131.in-addr.arpa",
            "ptrdname": "test-company1-delete-me.static.mycompany.net",
            "view": "default",
            "zone": "0.241.131.in-addr.arpa"
        },
        {
            "_ref": "record:ptr/ZG5zLmJpbmRfcHRyJC5fZGVmYXVsdC5hcnBhLmluLWFkZHIuMTMxLjI0MS4wLjIuYmItcml2ZXJib2F0cy1kZWxldGUtbWUuZHluYW1pYy5mdXNlLm5ldA:2.0.241.131.in-addr.arpa/default",
            "comment": "Testing newbloxlab - Creating a PTR 2 on specific IP through WAPI for testing",
            "dns_name": "2.0.241.131.in-addr.arpa",
            "ipv4addr": "131.241.0.2",
            "name": "2.0.241.131.in-addr.arpa",
            "ptrdname": "test-company2-delete-me.static.mycompany.net",
            "view": "default",
            "zone": "0.241.131.in-addr.arpa"
        },
        {
            "_ref": "record:ptr/ZG5zLmJpbmRfcHRyJC5fZGVmYXVsdC5hcnBhLmluLWFkZHIuMTMxLjI0MS4wLjQuYmItcml2ZXJib2F0cy1kZWxldGUtbWUuZHluYW1pYy5mdXNlLm5ldA:4.0.241.131.in-addr.arpa/default",
            "comment": "Testing newbloxlab - Creating a PTR 3 on specific IP through WAPI for testing",
            "dns_name": "4.0.241.131.in-addr.arpa",
            "ipv4addr": "131.241.0.4",
            "name": "4.0.241.131.in-addr.arpa",
            "ptrdname": "test-company3-delete-me.static.mycompany.net",
            "view": "default",
            "zone": "0.241.131.in-addr.arpa"
        }
    ]
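Added example, not part of the thread and not Infoblox code: a Python sketch that generalizes the per-zone query above to a /23 or /16 by listing the reverse zones that cover a network, building one `record:ptr` query per zone, and producing a log-then-delete plan restricted to the target addresses. The function names, the staleness rule and the sample records are assumptions made for illustration; reverse zones are assumed to be octet-aligned, and nothing here contacts a grid.

```python
import ipaddress
import json
from urllib.parse import urlencode

WAPI = "v2.12"  # WAPI version used in the thread
FIELDS = "ipv4addr,ptrdname,zone,view,comment"

def reverse_zones(cidr, zone_prefix=24):
    """Octet-aligned reverse zones covering cidr. zone_prefix (8, 16 or 24) is
    how the reverse zones are assumed to be carved up; the thread uses /24."""
    if zone_prefix not in (8, 16, 24):
        raise ValueError("zone_prefix must be 8, 16 or 24")
    net = ipaddress.IPv4Network(cidr)  # raises if host bits are set
    step = 1 << (32 - zone_prefix)
    first = int(net.network_address) & ~(step - 1)
    zones = []
    for start in range(first, int(net.broadcast_address) + 1, step):
        octets = str(ipaddress.IPv4Address(start)).split(".")[: zone_prefix // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def ptr_query_url(host, zone):
    """One GET per zone returns every PTR in it together with its details."""
    query = urlencode({"_return_fields+": FIELDS, "zone": zone})
    return f"https://{host}/wapi/{WAPI}/record:ptr?{query}"

def plan_deletions(records, cidr, is_stale):
    """(log_line, delete_path) pairs for stale PTRs inside cidr only.
    A zone can be wider than the target network, so filter on the address."""
    net = ipaddress.IPv4Network(cidr)
    return [(json.dumps(r, sort_keys=True), f"/wapi/{WAPI}/{r['_ref']}")
            for r in records
            if ipaddress.IPv4Address(r["ipv4addr"]) in net and is_stale(r)]

# Constructed sample in the shape of the response shown above (refs are placeholders).
SAMPLE = [
    {"_ref": "record:ptr/REF_A:3.0.241.131.in-addr.arpa/default",
     "ipv4addr": "131.241.0.3", "ptrdname": "test-company1-delete-me.static.mycompany.net"},
    {"_ref": "record:ptr/REF_B:200.0.241.131.in-addr.arpa/default",
     "ipv4addr": "131.241.0.200", "ptrdname": "test-company2-delete-me.static.mycompany.net"},
    {"_ref": "record:ptr/REF_C:4.0.241.131.in-addr.arpa/default",
     "ipv4addr": "131.241.0.4", "ptrdname": "keep.static.mycompany.net"},
]

if __name__ == "__main__":
    for zone in reverse_zones("131.241.0.0/23"):
        print(ptr_query_url("myInfobloxurl", zone))
    stale = lambda rec: "delete-me" in rec["ptrdname"]  # hypothetical staleness rule
    for line, path in plan_deletions(SAMPLE, "131.241.0.0/25", stale):
        print("LOG", line, "-> DELETE", path)
```

Write each log line to durable storage before issuing the DELETE for its path. WAPI limits the size of a result set, so a single query against a /16 reverse zone may need `_max_results` or paging.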



