Something from Nothing (There): Collecting Global IPv6 Datasets from DNS

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10176)


Current large-scale IPv6 studies mostly rely on non-public datasets, as most public datasets are domain specific. For instance, traceroute-based datasets are biased toward network equipment. In this paper, we present a new methodology to collect IPv6 address datasets that does not require access to restricted network vantage points. We collect a new dataset spanning more than 5.8 million IPv6 addresses by exploiting DNS’ denial of existence semantics (NXDOMAIN). This paper documents our efforts in obtaining new datasets of allocated IPv6 addresses, so others can avoid the obstacles we encountered.


Covert Channel, Border Gateway Protocol, Content Delivery Network, IPv6 Address, Reverse Zone
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We thank the anonymous reviewers for their helpful feedback and suggestions, and Peter van Dijk for suggesting this research path to us. This material is based on research supported or sponsored by the Office of Naval Research (ONR) under Award No. N00014-15-1-2948, the Space and Naval Warfare Systems Command (SPAWAR) under Award No. N66001-13-2-4039, the National Science Foundation (NSF) under Award No. CNS-1408632, the Defense Advanced Research Projects Agency (DARPA) under agreement number FA8750-15-2-0084, a Security, Privacy and Anti-Abuse award from Google, SBA Research, the Bundesministerium für Bildung und Forschung (BMBF) under Award No. KIS1DSD032 (Project Enzevalos), and a Leibniz Prize project by the German Research Foundation (DFG) under Award No. FKZ FE 570/4-1. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The opinions, views, and conclusions contained herein are those of the author(s) and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ONR, SPAWAR, NSF, DARPA, the U.S. Government, Google, SBA Research, BMBF, or DFG.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. TU Berlin, Berlin, Germany
  2. UC Santa Barbara, Santa Barbara, USA
