CycleHunter

• This code detects cyclic dependecies in DNS zones
• It takes as input DNS zone files
• First developed by @gmmoura and @seb-at-nzrs, from SIDN Labs and InternetNZ.
• Check cycleHunter.pdf to see more about its architecture and how it works

DISCLAIMER on Zone File Parser:

• We do not use any lib to parse the zone files because they don't scale well, and we just need NS records
• So depending if you're zone is tab or space separated, it may be the you'll have to ajust the line-by-line parser of largeZoneParser.py to your setup
• we already have two PR from folks with slightly different formatted zone files

To run it:

To analyze a full zone, you can use CycleHunter.py as below

python CycleHunter.py --zonefile <ZONEFILE> --origin <ORIGIN> --save-file <FILE_TO_SAVE_AFFECTED_DOMAINS> --workers <WORKERS>

Where

• ZONEFILE is the file with the zone you want to analyze
• ORIGIN is the zone represented by the ZONEFILE, for example, .COM or .NL
• FILE_TO_SAVE_AFFECTED_DOMAINS is a JSON file that in the end will have the list of domains affected by full cycles
• WORKERS is the number of parallel works that will use to send queries

If you'd like to do this by hand

CycleHunter.py wraps all the steps below, but if you still want to run them by hand, the process is:

1. Extract all NS records from the zone file

• python largeZoneParser.py $zonefile $TLD $output1
  • e.g: python3 largeZoneParser.py /var/cache/bind/com.zone .com com-nses.csv

2. Query these NSes, and output those that timeout into $output2

• python CyclicDetector.py $output1 $output2

3. Scrutinize each timed out NS, either parent or child, and see if which ones are really cyclic dependent into output3

• python findCyclicDep.py $output2 $output3

• Note: $output3 is a json file with 3 categories of dependency. fullDep is the one very bad, but the other two can quickily become fullDep

4. Get only the fully cyclic dependent ones from output3

• python fullDepParser.py $output3 $output4

output4 has the zones that are cyclic dependent. These are likely parent zones of NSes

5. Determine how many zones are affected by cyclic dependency

   • python zoneMacher.py $ouput4 $zoneFile $TLD $output5
   • Alternative version for com : zoneMatcher-com.py

output5 has all domains affected by cyclic dependency