Historic datasets (from 2014 onwards) for the .nl TLD. Datasets are available in JSON format.

Datasets cover information about:

• DNS
  • Domain Names
  • Query Type
  • Response Codes
  • IPv6 Support
• Resolvers
  • Location
  • Number of IP addresses
  • Validating Resolvers
  • Popular Networks
  • Port Randomness
• DNSSEC
  • Validating Queries
  • DANE
  • Used Algorithms
• Mail
  • Mail Resource Records (RRs)
  • SPF Information

APNIC gathers many statistics and offers them on their website. However, they provide way more data than it might initially look like, since many of the datasets are not linked from their main page.

• BGP announcements by region
• Customers by ASN
• DNSSEC validation rate by region
• IPv4 vs. IPv6 RTT Comparison by region
• IPv6 Customers by ASN
• IPv6 usage by region
• Statistics about their ad-based measurement system
• Use of open DNS resolver by region

Overview of datasets, monitors, and reports produced and organized by CAIDA. Also contains links to other datasets.

Cloudflare Radar is Cloudflare's reporting website about internet trends and general traffic statistics. The website shows information about observed attacks and attack types and links to the DDoS report. General traffic statistics are reported, such as the used browser, fraction of human traffic, IP, HTTP, and TLS version.

The website also provides more detailed information on domains and IP addresses. Domains have information about age, popularity, and visitors. IP addresses have ASN and geolocation information.

• https://radar.cloudflare.com/ip/134.96.0.0

More information about Cloudflare Radar is available in the introduction blog post.

The Radar data is also available via API, for example the attack data: https://developers.cloudflare.com/api/resources/radar/subresources/attacks/subresources/layer3/subresources/summary/

Collection of "bad" packets in PCAPs that can be used for testing software.

Provides an outdated list of different Cyber Thread Intelligence Feeds of other organizations.

The DNS Census 2013 consists of about 2.5 billion DNS records collected in 2012/2013. The data is gathered from some available zone files and passive or active DNS collecting. The DNS records are written into CSV files containing one DNS record per line.

DNS Coffee collects and archives stats from DNS Zone files in order to provide insights into the growth and changes in DNS over time.

The website includes information such as the size of different zones. It tracks over 1200 zone files.

It provides searching through the zones files based on domain names, name servers, or IP addresses. It can also visualize the relationship between a domain, the parent zones and the name server in what they call a "Trust Tree".

The DNS Core Census is an ICANN project to gather information about top-level-domains (TLDs). This covers ccTLDs, gTLDs, effective TLDs (like co.uk), and entries in arpa. The census contains information about the zone, like metadata and contractual information, about the name servers, about addresses of the name servers, and the route origins. The data is kept for a 35-day rolling window.

Further information about the project can be found in this presentation and OCTO-019 from ICANN's Chief Technology Officer

Tool to replay DNS queries captured in a PCAP file with accurate timing between queries. Allows modifying the replay, like changing IP addresses, speeding up or slowing down the queries.

DNS network capture utility. Similar in concept to tcpdump, but with specialized options for DNS.

This is an improvement on Paris traceroute and the classical traceroute. It can detect changing routes and detect NATs along the path.

The Entropy/IP algorithm allows for inspecting and generating IPv6 addresses. Entropy/IP can determine the entropy of different nibbles and the relationship between different components. Based on this analysis, it can also create valid-looking IPv6 addresses.

Flamethrower is a small, fast, configurable tool for functional testing, benchmarking, and stress testing DNS servers and networks. It supports IPv4, IPv6, UDP, TCP, DoT, and DoH and has a modular system for generating queries used in the tests.

This dataset contains the responses to DNS requests for all forward DNS names known by Rapid7's Project Sonar. Until early November 2017, all of these were for the 'ANY' record with a fallback A and AAAA request if necessary. After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME and TXT record lookups with appropriately named files.

The data is updated every month. Historic data can be downloaded after creating a free account.

Some Open DNS operators provide a way to return the IP address of the request packet.

Google DNS:

dig o-o.myaddr.l.google.com txt @ns1.google.com +short

OpenDNS:

dig myip.opendns.com @resolver1.opendns.com +short

Akamai:

$ dig +short TXT whoami.ds.akahelp.net
"ns" "2001:db8::abcd"
"ecs" "203.0.113.0/24/0"
"ip" "203.0.113.132" 

The ds stands for dual stack. It is also reachable under whoami.ipv6.akahelp.net to force IPv6 or whoami.ipv4.akahelp.net to force IPv4.

ns stands for the unicast IP address of the recursive resolver. ecs contains the EDNS client subnet information if the resolver uses the option. In this case, ip contains a representative IP within the ECS, not necessarily the IP of the client.

The new version is introduced in this blog post https://www.akamai.com/blog/developers/introducing-new-whoami-tool-dns-resolver-information.

The old version might be decommissioned:

dig whoami.akamai.net. @ns1-1.akamaitech.net. +short

addr.tools:

$ curl myip.addr.tools
2a02:810b:4540:9e84::c1a4

$ curl myipv4.addr.tools
95.91.221.165

$ curl myipv6.addr.tools
2a02:810b:4540:9e84::c1a4

$ curl myip.addr.tools/json
{"ip":"2a02:810b:4540:9e84::c1a4"}

Source

These websites have lists of abusive IP addresses. They can be checked with a web form, or some websites also provide a feed.

• https://www.abuseipdb.com/
• https://dshield.org/
• https://otx.alienvault.com/
• https://urlhaus.abuse.ch/feeds
• https://virustotal.com/

Historical dataset about IP to ASN mappings.

Historical dataset about IP to ASN mappings.

The IPv4 heatmap tool draws an image of active IPv4 addresses. The IP addresses are mapped to pixels using a Hilbert curve or a Z-curve. The image can be extended with annotations about the address space, for example, to show which regional internet registry is assigned to the address.

RIPE Report

Per continent, region, or country measurements of IPv6 deployment and preference. Allows to access historical data.

APNIC Report

Per continent, region, or country measurements of IPv6 deployment and preference.

https://www.net.in.tum.de/projects/gino/ipv6-hitlist.html

A curated list of IPv6 hosts, gathered by crawling different lists. Includes:

• Alexa domains
• Cisco Umbrella
• CAIDA DNS names
• Rapis7 DNS ANY and rDNS
• Various zone files

Access to the full list requires registration by email.

Based on the paper "Scanning the IPv6 Internet: Towards a Comprehensive Hitlist".

https://ipv6hitlist.github.io/

The website contains the additional material of the IMC paper Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists. The IPv6 addresses can be downloaded from the website. The website has three lists, responsive IPv6 addresses, aliased prefixes, and non-aliased prefixes. Additionally, the website also has a list of tools used during the data creation.

• THC IPv6 Attack Toolkit
  Different small tools to test different network conditions.
• SI6 Networks' Toolkit
  Different utilities for understanding and debugging IPv6 traffic.

These projects either operate DNS based Real-time Blackhole Lists (RBL) or allow checking if an IP is contained. The Multi-RBL websites are helpful in finding a large quantity of RBLs.

• https://multirbl.valli.org/
  • Contains hundreds of RBLs, including descriptions of them and their return values.
• http://www.anti-abuse.org/multi-rbl-check/
• https://dnsbllookup.com
• https://www.dnsbl.info
• https://www.spamhaus.org/
  • Operates different RBLs such as for spam, exploits, domains with bad reputation, do-no-route ("drop-all-traffic"), and known spam operators.

The mini internet project is part of the curriculum by the Networked Systems Group of ETH Zurich. It teaches the students the basic steps of how to create a mini internet. It starts with the basics of intra-network routing, by setting up multiple L2 switches. Then the students have to configure L3 routers to connect multiple L2 sites together. Lastly, in a big hackathon style, the students need to connect their local network with the network of the other students, by properly configuring BGP routers and setting up routing policies.

The code and the tasks are all available in the GitHub repository.

The APNIC Blog has a nice introduction to the project too.

Open INTEL is an active DNS database. It gathers information from public zone files, domain lists (Alexa, Umbrella), and reverse DNS entries. Once every 24 hours, data is collected about a bunch of DNS RRsets (SOA, NS, A, AAAA, MX, TXT, DNSKEY, DS, NSEC3, CAA, CDS, CDNSKEY). The data is openly available as AVRO files and dates back until 2016.

The data can be freely downloaded. There is documentation on the layout of the AVRO files.

The project is similar to Active DNS but seems to be larger in scope.

This is an improvement on the traditional traceroute program. It can detect multiple distinct routes and display them accordingly. The classical traceroute would produce weird results on changing network routes.

Another similar program is Dublin traceroute.

Passive DNS dataset from circl.lu.

Traceroutes can be difficult to understand. PathVis visualizes the network connections of your computer. It creates a tree of network nodes, with the root being the PathVis computer. The tree shows the paths to the other endpoints the computer is talking too.

The blog post introduces PathVis and explains the motivation behind it.

RIPE operates a set of probes, which can be used to send pings or similar measurements. The probes are mainly placed in Europe, but some are also in other continents.

All the collected measurements can be found in the RIPE Atlas Daily Archives. The blog post gives some more details.

Shodan performs regular scan on common ports.

Access is free, but requires registration. More results can be gained with a paid account.

The TLD Apex History is an ICANN project to gather DNSSEC related records for all TLDs.

Further information about the project can be found in this presentation.

Validin offers a free passive DNS search, but it requires an account. Free accounts accounts get access to 50 queries per month and four years worth of DNS history.

These services allow you to create a domain name for any IP address. The IP address is encoded into the domain name. An overview of different services can be found here.

Online Services

• https://nip.io/ provides IPv4 only

  • Supports both . and - separators.
  • 10.0.0.1.nip.io resolves to 10.0.0.1
  • 192-168-1-250.nip.io resolves to 192.168.1.250
  • customer1.app.10.0.0.1.nip.io resolves to 10.0.0.1
  • magic-127-0-0-1.nip.io resolves to 127.0.0.1

• https://sslip.io/ provides IPv4 and IPv6

  • Supports both . and - separators.
  • Provides the ability to use the service with your own branding.
  • 192.168.0.1.sslip.io resolves to 192.168.0.1
  • 192-168-1-250.sslip.io resolves to 192.168.1.250
  • www.192-168-0-1.sslip.io resolves to 192.168.0.1
  • –1.sslip.io resolves to ::1
  • 2a01-4f8-c17-b8f--2.sslip.io resolves to 2a01:4f8:c17:b8f::2

• https://ip.addr.tools/ provides IPv4 and IPv6

  • Supports both . and - separators.
  • 192.168.0.1.ip.addr.tools resolves to 192.168.0.1
  • 192-168-1-250.ip.addr.tools resolves to 192.168.1.250
  • www.192-168-0-1.ip.addr.tools resolves to 192.168.0.1
  • 2a01-4f8-c17-b8f--2.ip.addr.tools resolves to 2a01:4f8:c17:b8f::2

Self-hosted Options

• hipio is a Haskell service for IPv4.

Yarrp is an active network topology discovery tool. Its goal is to identify router interfaces and interconnections on internet scale. Conceptually, this is similar to running many traceroutes and stitching them together into one view. However, traceroutes are designed to understand the connection between two hosts and do not scale easily.

Different utilities for network scanning. Most importantly, the zmap component, which is a packet scanner for different protocols. It also contains other tools like ways to iterate over the IPv4 address space and denylist/allowlist management.

• https://challenges.addr.tools This is a helper tool for performing dns-01 ACME challenges. It serves the DNS validation and acts as a CNAME target.

• https://dyn.addr.tools Simple dynamic DNS server that can be used without an account.

• https://header-echo.addr.tools See the HTTP request headers. With URL parameters, the returned response can be customized.

• https://info.addr.tools Get information about IP addresses or domains.

  https://info.addr.tools/example.com
  https://info.addr.tools/1.1.1.1
  https://info.addr.tools/2606:4700:4700::1111
  https://info.addr.tools/me

• https://ip.addr.tools Return any IP address, e.g., 192-0-2-1.ip.addr.tools. Dynamic DNS updates for _acme-challenge are possible.

• https://myip.addr.tools Query your own IP address.

• https://www.dnscheck.tools/ Prints information about the currently used recursive DNS resolver and the DNSSEC implementation support.

• https://myaddr.tools Free dynamic DNS service.

dn42 is a big dynamic VPN. It employs various Internet technologies, such as BGP, whois, DNS, etc.

Users can experiment with technology, they normally would not use in a separated environment.

Mostly different hackerspaces participate in the dn42 network, such as different locations of the CCC.

DNS performance measurement tools.

A traceroute like tool, that detects where a path crosses an IXP.

zesplot is an IPv6 visualization tool. It turns a list of IP addresses into a picture, for example as a heatmap representation. It works based on squarified treemaps, since the IPv4 way of space-filling curves works poorly for such a sparse space.