More Malware DNS Cache Scraping

There has been some impressive hoopla over the ZeuS DNS scraper I posted last week. There’s been even more chatter than I expected. I’ve received nothing but good feedback and have even gotten tweeted by Mikko Hyppönen and Lenny Zeltser, two people I have immense respect for. Anyway, I have continued messing around with the script, found and squashed a few bugs, and added a few features. So, now, I am releasing:

All of the old flags should continue to work, and most of the changes are under the hood. There is, however, one major bug that was squashed: apparently the old version would never update the local copy of the ZeuS domain block list, even when it was supposed to. So, I would highly recommend everyone use this newer version. The big feature that has been added in this script is the ability to limit the rate of queries being fed to the DNS server. When I was running v0.3, I would occasionally run into problems where the script would stall for a bit, presumably when the DNS server didn’t respond fast enough. Worried that the sheer number of queries may be overwhelming the server, and also trying to make this as low-impact as possible for folks to run, I added the --rate flag, with which you can specify how many queries per second the script should send.

So, if you wanted to run it at 30 queries per second:

perl zeusdnsscraper.pl --server 192.168.1.2 --server 192.168.1.3 --rate 30

If no rate is specified, the script currently defaults to 25 queries per second, which (I assume) most normal DNS servers should be able to easily handle without breaking a sweat.
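Here is an added example (Python, not the script's own Perl code) of the two pieces the rate limiting is built around: a non-recursive DNS query, so the resolver answers only from what it already has cached, and a pacer that spaces queries 1/rate seconds apart, defaulting to 25 per second. The domains, the fake clock and the `send` callback are constructed for the demo; a real run would pass a function that sends the packet over UDP and checks the answer count.

```python
import struct
import time

DEFAULT_RATE = 25  # queries per second when no --rate is given


def build_cache_check_query(domain: str, txid: int = 0x1234) -> bytes:
    """DNS A query for `domain` with the RD (recursion desired) bit cleared.

    With RD=0 the server answers only from its cache instead of resolving the
    name itself, so a positive answer means some client already looked it up,
    and the check does not pull the blocklisted name into the cache.
    """
    flags = 0x0000  # QR=0 (query), opcode 0, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, IN


def send_rate_limited(domains, rate, send, now=time.monotonic, sleep=time.sleep):
    """Call send(domain) for each domain, starting at most `rate` per second.

    Queries are evenly spaced at 1/rate seconds rather than sent in bursts,
    which is the gentler option for a resolver that is also serving clients.
    """
    if rate <= 0:
        raise ValueError("rate must be positive")
    interval = 1.0 / rate
    next_slot = now()
    results = []
    for domain in domains:
        t = now()
        if t < next_slot:
            sleep(next_slot - t)
        results.append((domain, send(domain)))
        next_slot = max(next_slot, now()) + interval
    return results


class FakeClock:
    """Deterministic clock and sender so the pacing can be shown offline."""

    def __init__(self):
        self.t = 0.0
        self.sent_at = []

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds

    def send(self, domain):
        self.sent_at.append(self.t)
        return build_cache_check_query(domain)


# Constructed placeholder names, not entries from the real ZeuS block list.
SAMPLE_DOMAINS = ["c2.example.invalid", "drop.example.invalid", "cfg.example.invalid"]


def demo(rate=DEFAULT_RATE):
    """Return the simulated send times for SAMPLE_DOMAINS at the given rate."""
    clock = FakeClock()
    send_rate_limited(SAMPLE_DOMAINS, rate, clock.send, clock.now, clock.sleep)
    return clock.sent_at
```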

Also, this might well be the last version of this tool in its current form. I currently have a new and improved version baking in the oven that expands the capabilities and dataset of the tool. I hope to have this out and released within the next week or so.
