Globbing is an advanced form of wildcard searches, more powerful than DNSDB’s Standard Search left-hand or right-hand wildcards, but not as advanced as Farsight Compatible Regular Expressions (FCRE). They can be simpler to write, especially for API users who are not familar with regular expressions.
In general, Farsight’s glob implementation follows standard Unix glob(7) semantics (see https://man.openbsd.org/glob.7), but not what’s sometimes referred to as “extended globbing.”
Glob searches are evaluated against the DNS master file form of the hostnames (aka rrnames) and rdata values, which by design contains only printable ASCII characters. All non-printable characters, including octets outside the ASCII range, are converted to “\DDD” escape sequences, where “DDD” is a three digit decimal number per RFC 1035 (https://tools.ietf.org/html/rfc1035). This is only applicable to RData (RHS) queries.
A glob is a string of printable characters with the following characters given special meaning:
*– Match any zero or more characters.
?– Match exactly any one character.
[– Begin a character class. Any of the contained characters or ranges will match.
]– End a character class.
\– Escape the next character (but not within a character class)
Any other characters in globbing pattern get matched exactly as written, except that characters are not case sensitive.
A character class is a set of characters enclosed between an opening
[ and a closing
]. A simple example is
[m-z1-3] to match characters m through z and 1 to 3.
Within the character class, the following characters are handled specially:
!– If the first character after the opening
[, denotes a negated character class, i.e. a class which matches any character not listed in the remainder of the class.
]– If the first character after the opening
[!, encodes a literal
]as a member of the class. A
]after the first character after the opening
[!ends the character class.
-– If the first character after the opening
[!or the last character before the closing
], encodes a literal
-as a member of the character class.
[= are not allowed between the opening
[! and the
], to prevent confusion with unsupported POSIX collation sequences and
If the sequence
[: appears in a character class, it must be the beginning of one of
the following POSIX character classes:
[:alnum:]– Alphanumeric characters 0-9, A-Z, and a-z
[:alpha:]– Alphabetic characters A-Z, a-z
[:blank:]– Blank characters (space and tab)
[:blank:]is equivalent to a space character.
\009and can be matched with
[:cntrl:]– Control characters
[:cntrl:]will not match any characters.
\DDDescape sequences sequences. To match one of those, you will need to backslash-quote the backslash. Thus to match
[:digit:]– Decimal digits 0-9
[:graph:]– Any printable character other than space.
[:graph:]is equivalent to
[! ](negated character class containing only a space).
[:lower:]– Lower case alphabetic characters a-z
[:lower:]is equivalent to
[:print:]– Any printable character
[:print:]will match any character.
[:punct:]– Punctuation characters (printable characters other than space and
[:space:]– Any whitespace character
[:upper:]– Upper case alphabetic characters A-Z
[:xdigit:]– Hexadecimal digits 0-9, a-f, A-F
The above named character classes must appear inside an enclosing
[[:digit:][:punct:]] to match a digit or punctuation
character. Without the enclosing braces,
[:digit:] will match the
Neither the above character classes nor a character range may begin or end a character
range. For example, the character class expressions
All other characters between the opening
[! and the closing
] are added
to the character class, including the backslash
There is no way to express a character class containing a single
., which must be accounted for in globs.
*.comwill not match any hostnames. A glob that searches in rrnames must end in something that matches a
*.com.would match what was intended.
", which should be accounted for in globs.
*smoke*in a rrnames search
*cider*in a rrnames search, with an exclude filter of
*www.*.com*in a rrnames search
www.*.com.in a rrnames search
"v=spf1 * ~all"in a rdata search
?.in an rrnames or rdata search
bri???morning*in a rrnames search
ns[0-9]*.net.in a rrnames search
Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.