

Using WAPI to access PTR records

Guru
Posts: 26

I'm writing some python code to scan thru my DNS to identify potentially stale records.

I'm able to parse thru pretty much every record type I'm interested in with one exception: PTRs.

In DNS parlance, the PTRs exist only in the various in-addr.arpa zones, and I have around 15 of those. In the GUI, I can find these records no problem, but I cannot seem to find them via the WAPI.

My general goal is to find and eliminate any stale PTR records, as users are notorious for not deleting a PTR record when they delete an A record. Scavenging only supports deleting 2000 records in a SmartFolder, and we have many zones, so that's not a very efficient method of getting caught up. Once we purge a lot of these historical stale records, we'll likely use scavenging going forward.

The general methodology I'm using is as follows:

1) Perform a GET to find all of the authoritative zones in a given DNS view.

2) For each zone, perform paginated GETs to find the record type I'm seeking.

My GET for the auth zones returns a dict that has ~80 zones. The GUI shows me 29 auth zones. Some of the zones are, say, fubar.com, and others are like 10.0.0.0/8, which I have assumed corresponds with 10.in-addr.arpa. I'm using the fqdn field in the zone_auth object to identify the zone.

The discrepancy in the number of records appears to be that the WAPI returns the subzones for the various in-addr.arpa zones. As an example, my 10.in-addr.arpa zone has 44 /24s defined individually. It does not return subdomain.fubar.com, however. I suppose I need to find a means of finding subdomains such as this going forward, but that is not my main question.

If I look in the GUI, one of my Class B in-addr.arpa zones has around 2800 PTR records and 5400 Host records. If I export the Host Records, I see 5400 hostrecord and 5400 host address records.

In playing around, I have noticed that I can retrieve the PTR records with the allrecords object, but this method does not allow me to retrieve the creation_time or last_queried fields, which I can retrieve for most other records using a GET for record:XXX objects.

When I look via the WAPI, I get none.

Re: Using WAPI to access PTR records

Superuser
Posts: 38

Hi,

You can use the "record:ptr" object to retrieve PTR records.

The basic version of the object contains the following fields: ptrdname, view.

curl -L -X GET 'https://<grid>/wapi/v2.11/record:ptr'

By using _schema, the request will do a schema fetch for the object.

curl -L -X GET 'https://<grid>/wapi/v2.11/record:ptr?_schema'

The readable fields can then be requested by using _return_fields.

So in your case you can add creation_time and last_queried after appending _return_fields to your GET query.

curl -L -X GET 'https://<grid>/wapi/v2.11/record:ptr?_return_fields%2b=creation_time,last_queried,zone'

Shukran

Re: Using WAPI to access PTR records

Guru
Posts: 26
I believe you mean "record:ptr", and not "recordtr".

That being said, I need a means of getting all of the records in a particular zone, (in this case an in-addr.arpa space).

My issue is that when I retrieve a zone_auth for an in-addr.arpa zone, I'll see a record like "10.0.0.0/8". If I attempt to search for record:ptr objects in this zone, I have to use the traditional "10.in-addr.arpa" format. As I have a number of smaller in-addr.arpa subzones inside larger in-addr.arpa zones, this is not easily done unless I can somehow transform every valid CIDR block reference to a valid in-addr.arpa name.

I probably have 100,000 PTRs to worry about, and my guess is that 70% of them are stale static orphans. Scavenging only appears to handle 2,000 stale records at a time, so I'm trying some other way of doing this.

So it looks like I can retrieve all of the zone_auth objects, then for the objects that have an address field, convert these fields to an in-addr.arpa format string, and then perform a lookup.

So the task becomes:

1. GET all zone_auth objects for a DNS View, specifically returning the address field.
2. If the zone_auth object has an address field, convert the address:
   i. X.0.0.0 --> X.in-addr.arpa
   ii. X.Y.0.0 --> 0.Y.X.in-addr.arpa
   iii. X.Y.Z.0 --> Z.Y.X.in-addr.arpa
3. Use the output from 2) to perform a GET of record:ptr?zone=
4. Process that set of records accordingly.


David E. Fitzgerald
Lead Network Engineer
R115 - Network Services
Office: 781-271-2889
Cell: 617-216-4149
fitz@mitre.org


Re: Using WAPI to access PTR records

Superuser
Posts: 38

Hi David,

You could use the display_domain field in zone_auth; it will give you the converted address.

Also, you could put a filter on zone_format (FORWARD, IPV4, or IPV6) while querying zone_auth.

curl -L -X GET 'https://<grid-ip>/wapi/v2.12/zone_auth?zone_format=IPV4&_return_fields%2B=dns_fqdn,display_domain'

You could then use the display_domain as the value for zone in the record:ptr query, so you won't have to check for the address field and convert it to an in-addr.arpa format string to perform a lookup.

Let me know if this helps.

Shukran
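An added Python example (not code from the thread or from Infoblox) that ties David's four-step procedure together with Shukran's record:ptr and _return_fields suggestions: it converts a zone_auth address such as 10.0.0.0/8 to its in-addr.arpa name for octet-aligned prefixes, pages through record:ptr with the WAPI _paging/_page_id mechanism, and flags records whose last_queried (or creation_time, when the record was never queried) is older than an assumed 180-day threshold. The WAPI responses here are constructed stub data so the example runs offline; in real use `get` would be a thin wrapper around a requests session authenticated to the grid.

```python
import ipaddress

DAY = 86400
STALE_AFTER = 180 * DAY  # assumed threshold: no query activity for 180 days

def reverse_zone_name(cidr):
    """'10.0.0.0/8' -> '10.in-addr.arpa'; only /8, /16, /24 (octet-aligned) IPv4 prefixes, others raise."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8 or not net.prefixlen:
        raise ValueError(f"not an octet-aligned IPv4 network: {cidr}")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def iter_wapi_pages(get, path, params, page_size=1000):
    """Walk a WAPI collection via _paging/_page_id. `get(path, params)` is an injected
    callable returning the decoded JSON body (requests.Session in real use; a stub here)."""
    params = dict(params, _paging=1, _return_as_object=1, _max_results=page_size)
    while True:
        body = get(path, params)
        yield from body.get("result", [])
        if not body.get("next_page_id"):
            return
        params = {"_page_id": body["next_page_id"]}

def find_stale_ptrs(records, now, max_idle=STALE_AFTER):
    """Records with no query within max_idle seconds (WAPI reports epoch seconds);
    a never-queried record falls back to creation_time so brand-new ones are not flagged."""
    return [r for r in records
            if now - (r.get("last_queried") or r.get("creation_time") or 0) > max_idle]

NOW = 1_700_000_000  # constructed "current time"
# Constructed record:ptr responses for one zone, split across two pages (not real data).
_PAGES = {
    None: {"result": [
        {"_ref": "record:ptr/REF1", "creation_time": NOW - 400 * DAY, "last_queried": NOW - 10 * DAY},
        {"_ref": "record:ptr/REF2", "creation_time": NOW - 400 * DAY}],
        "next_page_id": "PAGE2"},
    "PAGE2": {"result": [
        {"_ref": "record:ptr/REF3", "creation_time": NOW - 30 * DAY},
        {"_ref": "record:ptr/REF4", "creation_time": NOW - 400 * DAY, "last_queried": NOW - 200 * DAY}]},
}

_stub_get = lambda path, params: _PAGES[params.get("_page_id")]  # stands in for the HTTP call

def stale_refs_in_zone(cidr, now=NOW, get=_stub_get):
    """Steps 2-4 of the thread for one zone: convert the address, page through record:ptr, filter."""
    query = {"zone": reverse_zone_name(cidr),
             "_return_fields+": "ptrdname,zone,creation_time,last_queried"}
    return [r["_ref"] for r in find_stale_ptrs(iter_wapi_pages(get, "record:ptr", query), now)]
```

last_queried is only populated when the grid's last-queried tracking is enabled, so confirm that before treating a missing value as "never queried" and deleting on the strength of it.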