# Characterizing DNS Censorship in Venezuela with OONI

In [1]:
%load_ext autoreload
%autoreload 2

In [2]:
import datetime as dt
from pprint import pprint
import sys
from typing import Iterable, NamedTuple, Tuple, Union
from urllib.parse import urlparse

import pandas as pd
import IPython.display as idisplay
import ipywidgets as widgets

try:
    import netanalysis
except ModuleNotFoundError:
    !{sys.executable} -m ensurepip
    !{sys.executable} -m pip install --upgrade git+https://github.com/Jigsaw-Code/net-analysis.git

import netanalysis.ooni.bucket as ob
import netanalysis.ooni.analysis.dns as od
from netanalysis.ooni.measurement import Measurement

## Fetch and save measurement data

In [4]:
import pathlib

COUNTRY = 'VE'
# Save data under /kaggle/working/ooni_data in Kaggle or ~HOME/ooni_data otherwise 
DATA_DIR = pathlib.Path('/kaggle/working')
if not DATA_DIR.is_dir():
    DATA_DIR = pathlib.Path.home()
DATA_DIR /= 'ooni_data'
local_measurements = ob.LocalMeasurements(DATA_DIR)

In [5]:
%%time
LAST_DATE = dt.date.today()
FIRST_DATE = dt.date.today() - dt.timedelta(days=14)
bytes, cost = ob.sync_measurements(local_measurements, ob.Bucket().list_files(FIRST_DATE, LAST_DATE, None, COUNTRY), cost_usd_limit=1.00)
print(f'Download size: {bytes/2**30:0.6f} GiB\nEstimated Cost: ${cost:02f}')

ectivity/2021051905_VE_webconnectivity.n0.24.jsonl.gz [1,868,027 bytes]
Downloaded 20210519/04/VE/webconnectivity/2021051904_VE_webconnectivity.n0.0.jsonl.gz [3,764,474 bytes]
Downloaded 20210519/06/VE/tor/2021051906_VE_tor.n0.0.jsonl.gz [6,990 bytes]
Downloaded 20210519/03/VE/webconnectivity/2021051903_VE_webconnectivity.n0.7.jsonl.gz [3,388,185 bytes]
Downloaded 20210519/04/VE/webconnectivity/2021051904_VE_webconnectivity.n0.8.jsonl.gz [3,546,944 bytes]
Downloaded 20210519/05/VE/webconnectivity/2021051905_VE_webconnectivity.n0.2.jsonl.gz [3,367,102 bytes]
Downloaded 20210519/04/VE/webconnectivity/2021051904_VE_webconnectivity.n0.14.jsonl.gz [3,658,442 bytes]
Downloaded 20210519/03/VE/webconnectivity/2021051903_VE_webconnectivity.n0.8.jsonl.gz [3,502,184 bytes]
Downloaded 20210519/05/VE/webconnectivity/2021051905_VE_webconnectivity.n0.1.jsonl.gz [3,454,343 bytes]
Downloaded 20210519/04/VE/webconnectivity/2021051904_VE_webconnectivity.n0.13.jsonl.gz [3,575,881 bytes]
Downloaded 2021051

NameError: name 'total_time' is not defined

In [7]:
print(f'Download size: {bytes/2**30:0.6f} GiB\nEstimated Cost: ${cost:02f}')

Download size: 7.511285 GiB
Estimated Cost: $0.676016


In [8]:
!(cd $DATA_DIR; du -d 2 -h)

 28K	./US/sniblocking
 36K	./US/example
660K	./US/facebookmessenger
1.4M	./US/httpinvalidrequestline
 75M	./US/webconnectivity
136K	./US/meekfrontedrequeststest
764K	./US/psiphon
6.3M	./US/tor
1.4M	./US/telegram
728K	./US/dash
872K	./US/tcpconnect
5.2M	./US/ndt
636K	./US/httpheaderfieldmanipulation
2.2M	./US/whatsapp
128K	./US/vanillator
 96M	./US
244K	./BY/facebookmessenger
356K	./BY/httpinvalidrequestline
 18M	./BY/webconnectivity
228K	./BY/psiphon
280K	./BY/tor
292K	./BY/telegram
208K	./BY/dash
1.3M	./BY/ndt
184K	./BY/httpheaderfieldmanipulation
440K	./BY/whatsapp
 22M	./BY
208K	./IR/facebookmessenger
180K	./IR/httpinvalidrequestline
4.1M	./IR/webconnectivity
 12K	./IR/meekfrontedrequeststest
200K	./IR/psiphon
532K	./IR/tor
216K	./IR/telegram
156K	./IR/dash
 44K	./IR/tcpconnect
612K	./IR/urlgetter
1016K	./IR/ndt
180K	./IR/httpheaderfieldmanipulation
456K	./IR/whatsapp
 12K	./IR/vanillator
4.0K	./IR/riseupvpn
7.9M	./IR
472K	./VE/facebookmessenger
528K	./VE/httpinvalidrequestline
448M

# DNS Analysis

In [41]:
%%time
import ipaddress
def is_ip(hostname):
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False

domains = od.DomainRepository()
evaluator: od.Evaluator = od.Evaluator(domains)
rows = []
for measurement in local_measurements.get_measurements(COUNTRY, 'webconnectivity'):
    m = Measurement(measurement)
    if m.time.date() < FIRST_DATE or m.time.date() > LAST_DATE:
        continue
    domain = m.hostname
    if is_ip(domain):
        continue
    evaluator.add_control(m)
    try:
        obs = od.get_observations(domains, m)
    except:
        print(f'Failed on measurement for domain {domain}: {m.explorer_url}')
        raise        
    rows.extend(o._asdict() for o in obs)

CPU times: user 2min 54s, sys: 4.49 s, total: 2min 59s
Wall time: 3min 3s


In [42]:
# domains_to_lookup = set()
for row in rows:
    row['resolver_ip_str'] = str(row.get('resolver_ip'))
    evaluation = evaluator.evaluate(row['domain'], row['status'], row['answers'])
    row['eval'] = evaluation
    row['has_interference'] = 1 if evaluation.startswith('BAD') else 0
    # if evaluation == 'INCONCLUSIVE_CHECK_IPS':
    #     domains_to_lookup.add(row['domain'])

# for domain_name in domains_to_lookup:
#     try:
#         path = od.resolve(domains, domain_name)
#         print(f'{domain_name}: {path}')
#         domains.get(domain_name).add_path(path)
#     except Exception as e:
#         print(f'{domain_name}: {e}')
#         pass

# for row in rows:
#     if evaluation != 'INCONCLUSIVE_CHECK_IPS':
#         continue
#     evaluation = evaluator.evaluate(row['domain'], row['status'], row['answers'])
#     if evaluation != row['eval']:
#         row['eval'] = evaluation
#         row['has_interference'] = 1 if evaluation.startswith('BAD') else 0
#         print(f'Updated {row}')

obs = pd.DataFrame.from_records(rows).sort_values(by='time', ascending=False)
del(rows)
obs

Unnamed: 0,time,client_country,client_asn,resolver_ip,resolver_asn,domain,query_type,failure,status,answers,explorer_url,resolver_ip_str,eval,has_interference
70162,2021-05-19 17:01:43+00:00,VE,8048,201.249.172.70,8048,docs.google.com,AAAA,,OK,"([], [2607:f8b0:4008:807::200e])",https://explorer.ooni.org/measurement/20210519...,201.249.172.70,INCONCLUSIVE_CHECK_IPS,0
70161,2021-05-19 17:01:43+00:00,VE,8048,201.249.172.70,8048,docs.google.com,A,,OK,"([], [172.217.1.110])",https://explorer.ooni.org/measurement/20210519...,201.249.172.70,INCONCLUSIVE_CHECK_IPS,0
70292,2021-05-19 17:01:28+00:00,VE,8048,201.249.172.70,8048,docs.google.com,A,,OK,"([], [172.217.3.142])",https://explorer.ooni.org/measurement/20210519...,201.249.172.70,INCONCLUSIVE_CHECK_IPS,0
70293,2021-05-19 17:01:28+00:00,VE,8048,201.249.172.70,8048,docs.google.com,AAAA,,OK,"([], [2607:f8b0:4008:80d::200e])",https://explorer.ooni.org/measurement/20210519...,201.249.172.70,INCONCLUSIVE_CHECK_IPS,0
70158,2021-05-19 17:01:13+00:00,VE,8048,201.249.172.70,8048,drive.google.com,AAAA,,OK,"([], [2607:f8b0:4008:80d::200e])",https://explorer.ooni.org/measurement/20210519...,201.249.172.70,INCONCLUSIVE_CHECK_IPS,0
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
19226,2021-05-05 01:00:06+00:00,VE,6306,200.35.65.54,6306,venezuelaaldia.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210505...,200.35.65.54,BAD_STATUS_NXDOMAIN,1
19225,2021-05-05 01:00:06+00:00,VE,6306,200.35.65.54,6306,venezuelaaldia.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210505...,200.35.65.54,BAD_STATUS_NXDOMAIN,1
19235,2021-05-05 01:00:06+00:00,VE,21826,74.125.185.71,15169,www.cinco8.com,A,,OK,"([], [104.196.252.123])",https://explorer.ooni.org/measurement/20210505...,74.125.185.71,OK_MATCHES_CONTROL,0
19229,2021-05-05 01:00:05+00:00,VE,8048,201.249.172.72,8048,venezuelaaldia.com,A,,OK,"([], [172.67.156.67, 104.21.7.197])",https://explorer.ooni.org/measurement/20210505...,201.249.172.72,OK_MATCHES_CONTROL,0


In [71]:
with pd.option_context('display.max_colwidth', 300, 'display.max_rows', 300):
  display(obs[(obs['has_interference'] == 1) & (obs['eval'] != 'BAD_STATUS_generic_timeout_error')].groupby(by=['client_asn', 'resolver_asn', 'eval']).sum()) #.sort_values(by='has_interference', ascending=False)

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,has_interference
client_asn,resolver_asn,eval,Unnamed: 3_level_1
6306,6306,BAD_STATUS_NXDOMAIN,3804
8048,8048,BAD_STATUS_NXDOMAIN,176
8048,8048,BAD_STATUS_SERVFAIL,9394
8048,8048,BAD_STATUS_connection_refused,22
8048,8048,BAD_STATUS_unknown_failure: lookup [DOMAIN] on [scrubbed]: lame referral,8
11562,15169,BAD_NON_GLOBAL_IP,75
11562,15169,BAD_STATUS_NXDOMAIN,1336
11562,15169,BAD_STATUS_SERVFAIL,560
21826,15169,BAD_NON_GLOBAL_IP,3156
21826,15169,BAD_STATUS_NXDOMAIN,44


In [64]:
with pd.option_context('display.max_colwidth', 300, 'display.max_rows', 300):
  display(obs[(obs['has_interference'] == 1) & (obs['eval'] != 'BAD_STATUS_generic_timeout_error')].groupby(by=['client_asn', 'resolver_asn', 'resolver_ip_str', 'eval']).sum()) #.sort_values(by='has_interference', ascending=False)

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,has_interference
client_asn,resolver_asn,resolver_ip_str,eval,Unnamed: 4_level_1
6306,6306,200.35.65.54,BAD_STATUS_NXDOMAIN,3804
8048,8048,201.249.172.70,BAD_STATUS_NXDOMAIN,18
8048,8048,201.249.172.70,BAD_STATUS_SERVFAIL,944
8048,8048,201.249.172.70,BAD_STATUS_unknown_failure: lookup [DOMAIN] on [scrubbed]: lame referral,2
8048,8048,201.249.172.71,BAD_STATUS_NXDOMAIN,8
8048,8048,201.249.172.71,BAD_STATUS_SERVFAIL,680
8048,8048,201.249.172.72,BAD_STATUS_NXDOMAIN,26
8048,8048,201.249.172.72,BAD_STATUS_SERVFAIL,1322
8048,8048,201.249.172.74,BAD_STATUS_NXDOMAIN,28
8048,8048,201.249.172.74,BAD_STATUS_SERVFAIL,1466


In [70]:
with pd.option_context('display.max_colwidth', 300, 'display.max_rows', 300):
  display(obs[(obs['resolver_asn'] == 15169) & (obs['has_interference'] == 1) & (obs['eval'] != 'BAD_STATUS_generic_timeout_error')].groupby(by=['client_asn', 'resolver_asn', 'domain', 'eval']).sum().head(300)) #.sort_values(by='has_interference', ascending=False)

Unnamed: 0_level_0,Unnamed: 1_level_0,Unnamed: 2_level_0,Unnamed: 3_level_0,has_interference
client_asn,resolver_asn,domain,eval,Unnamed: 4_level_1
11562,15169,aguacateverde1.blogspot.com,BAD_STATUS_SERVFAIL,30
11562,15169,albertonews.com,BAD_STATUS_NXDOMAIN,30
11562,15169,alekboyd.blogspot.co.uk,BAD_STATUS_SERVFAIL,32
11562,15169,alekboyd.blogspot.com,BAD_STATUS_SERVFAIL,30
11562,15169,alnavio.com,BAD_STATUS_NXDOMAIN,30
11562,15169,analisis24.com,BAD_NON_GLOBAL_IP,15
11562,15169,anonymouse.org,BAD_STATUS_SERVFAIL,30
11562,15169,caracashosting.com,BAD_STATUS_SERVFAIL,2
11562,15169,diariolaregion.net,BAD_STATUS_NXDOMAIN,2
11562,15169,dolar-permuta.com,BAD_STATUS_SERVFAIL,28


In [50]:
with pd.option_context('display.max_colwidth', 300, 'display.max_rows', 100):
  display(obs[(obs['client_asn'] == 8048) & (obs['resolver_ip_str'] == '201.249.172.72') & (obs['eval'] == 'BAD_STATUS_NXDOMAIN')])

Unnamed: 0,time,client_country,client_asn,resolver_ip,resolver_asn,domain,query_type,failure,status,answers,explorer_url,resolver_ip_str,eval,has_interference
287041,2021-05-18 08:25:29+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210518T105159Z_webconnectivity_VE_8048_n1_RzI0tWKaACk47los?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
287042,2021-05-18 08:25:29+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210518T105159Z_webconnectivity_VE_8048_n1_RzI0tWKaACk47los?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
302806,2021-05-18 07:19:34+00:00,VE,8048,201.249.172.72,8048,www.change.org,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210518T105159Z_webconnectivity_VE_8048_n1_RzI0tWKaACk47los?input=https%3A%2F%2Fwww.change.org%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
302807,2021-05-18 07:19:34+00:00,VE,8048,201.249.172.72,8048,www.change.org,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210518T105159Z_webconnectivity_VE_8048_n1_RzI0tWKaACk47los?input=https%3A%2F%2Fwww.change.org%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
321657,2021-05-18 05:48:49+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210518T082727Z_webconnectivity_VE_8048_n1_NZefNkTvVRX2q4Fq?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
321658,2021-05-18 05:48:49+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210518T082727Z_webconnectivity_VE_8048_n1_NZefNkTvVRX2q4Fq?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
254828,2021-05-16 06:27:18+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210516T030018Z_webconnectivity_VE_8048_n1_ezd3psJZHs95xqVv?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
254827,2021-05-16 06:27:18+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210516T030018Z_webconnectivity_VE_8048_n1_ezd3psJZHs95xqVv?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
591900,2021-05-14 08:39:07+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210514T104921Z_webconnectivity_VE_8048_n1_VdNEUO5EB8XAnooQ?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1
591901,2021-05-14 08:39:07+00:00,VE,8048,201.249.172.72,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210514T104921Z_webconnectivity_VE_8048_n1_VdNEUO5EB8XAnooQ?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.72,BAD_STATUS_NXDOMAIN,1


In [51]:
[e for e in evaluator._errors if e[0] == 'quelacreo.com']

[('quelacreo.com', 'OK')]

In [58]:
with pd.option_context('display.max_colwidth', 300, 'display.max_rows', 150):
    display(obs[(obs['domain'] == 'quelacreo.com') & (obs['client_asn'] == 8048)])

Unnamed: 0,time,client_country,client_asn,resolver_ip,resolver_asn,domain,query_type,failure,status,answers,explorer_url,resolver_ip_str,eval,has_interference
72185,2021-05-19 09:20:46+00:00,VE,8048,201.249.172.76,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T051939Z_webconnectivity_VE_8048_n1_R8VVytp9jQ1oKtyl?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.76,BAD_STATUS_NXDOMAIN,1
72186,2021-05-19 09:20:46+00:00,VE,8048,201.249.172.76,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T051939Z_webconnectivity_VE_8048_n1_R8VVytp9jQ1oKtyl?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.76,BAD_STATUS_NXDOMAIN,1
71686,2021-05-19 08:29:46+00:00,VE,8048,201.249.172.74,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T062327Z_webconnectivity_VE_8048_n1_lEshG04TAbA0Do3j?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.74,BAD_STATUS_NXDOMAIN,1
71687,2021-05-19 08:29:46+00:00,VE,8048,201.249.172.74,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T062327Z_webconnectivity_VE_8048_n1_lEshG04TAbA0Do3j?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.74,BAD_STATUS_NXDOMAIN,1
64662,2021-05-19 08:11:10+00:00,VE,8048,201.249.172.71,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T111518Z_webconnectivity_VE_8048_n1_R30DugQkUzQuhIth?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.71,BAD_STATUS_NXDOMAIN,1
64661,2021-05-19 08:11:10+00:00,VE,8048,201.249.172.71,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T111518Z_webconnectivity_VE_8048_n1_R30DugQkUzQuhIth?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.71,BAD_STATUS_NXDOMAIN,1
47759,2021-05-19 06:58:55+00:00,VE,8048,201.249.172.76,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T030025Z_webconnectivity_VE_8048_n1_ujkbTyRkD3PWrT8y?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.76,BAD_STATUS_NXDOMAIN,1
47758,2021-05-19 06:58:55+00:00,VE,8048,201.249.172.76,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T030025Z_webconnectivity_VE_8048_n1_ujkbTyRkD3PWrT8y?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.76,BAD_STATUS_NXDOMAIN,1
53643,2021-05-19 05:54:51+00:00,VE,8048,201.249.172.75,8048,quelacreo.com,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T090056Z_webconnectivity_VE_8048_n1_0AXxrwnoISedL4TX?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.75,BAD_STATUS_NXDOMAIN,1
53642,2021-05-19 05:54:51+00:00,VE,8048,201.249.172.75,8048,quelacreo.com,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20210519T090056Z_webconnectivity_VE_8048_n1_0AXxrwnoISedL4TX?input=http%3A%2F%2Fquelacreo.com%2F,201.249.172.75,BAD_STATUS_NXDOMAIN,1


In [48]:
top_domains = obs.groupby(by='domain')['has_interference'].sum().sort_values(ascending=False)
top_ases = obs.value_counts(subset='client_asn')
top_statuses = obs.value_counts(subset='status')
top_evals = obs.value_counts(subset='eval')

display_columns = []
for d in [top_domains[:30], top_ases, top_statuses, top_evals]:
    w = widgets.Output(layout=widgets.Layout(margin='10px'))
    w.append_display_data(d)
    display_columns.append(w)
widgets.HBox(display_columns, layout=widgets.Layout(background='black'))

HBox(children=(Output(layout=Layout(margin='10px'), outputs=({'output_type': 'display_data', 'data': {'text/pl…

In [10]:
pivot = pd.pivot_table(obs, index=['domain'], columns=['client_asn', 'eval'], values=[], aggfunc=len, fill_value=0)
# pivot = pivot.reindex(top_sites.index).sort_index(axis='columns', level=1, ascending=False, key=lambda l: top_statuses[l])[top_ases.index]
pivot = pivot.reindex(top_domains.index).reindex(pd.MultiIndex.from_product([top_ases.index, top_evals.index]), axis='columns', fill_value=0)
with pd.option_context('display.max_rows', 150, 'display.max_columns', 24):
    display(pivot.iloc[:100, :24])

client_asn,21826,21826,21826,21826,21826,21826,21826,21826,8048,8048,8048,8048,8048,8048,8048,8048,6306,6306,6306,6306,6306,6306,6306,6306
eval,OK_MATCHES_CONTROL,INCONCLUSIVE_CHECK_IPS,OK_MATCHES_CONTROL_ERROR,INCONCLUSIVE_BAD_CONTROL,BAD_STATUS_generic_timeout_error,BAD_STATUS_SERVFAIL,BAD_STATUS_NXDOMAIN,BAD_NON_GLOBAL_IP,OK_MATCHES_CONTROL,INCONCLUSIVE_CHECK_IPS,OK_MATCHES_CONTROL_ERROR,INCONCLUSIVE_BAD_CONTROL,BAD_STATUS_generic_timeout_error,BAD_STATUS_SERVFAIL,BAD_STATUS_NXDOMAIN,BAD_NON_GLOBAL_IP,OK_MATCHES_CONTROL,INCONCLUSIVE_CHECK_IPS,OK_MATCHES_CONTROL_ERROR,INCONCLUSIVE_BAD_CONTROL,BAD_STATUS_generic_timeout_error,BAD_STATUS_SERVFAIL,BAD_STATUS_NXDOMAIN,BAD_NON_GLOBAL_IP
domain,Unnamed: 1_level_2,Unnamed: 2_level_2,Unnamed: 3_level_2,Unnamed: 4_level_2,Unnamed: 5_level_2,Unnamed: 6_level_2,Unnamed: 7_level_2,Unnamed: 8_level_2,Unnamed: 9_level_2,Unnamed: 10_level_2,Unnamed: 11_level_2,Unnamed: 12_level_2,Unnamed: 13_level_2,Unnamed: 14_level_2,Unnamed: 15_level_2,Unnamed: 16_level_2,Unnamed: 17_level_2,Unnamed: 18_level_2,Unnamed: 19_level_2,Unnamed: 20_level_2,Unnamed: 21_level_2,Unnamed: 22_level_2,Unnamed: 23_level_2,Unnamed: 24_level_2
moqavemat.ir,0,0,10,0,42,0,0,0,0,0,4,0,30,0,0,0,0,0,0,0,12,0,0,0
psiphon.ca,12,12,0,0,0,0,0,14,0,0,0,0,6,30,0,0,0,0,0,0,0,0,12,0
www.coinbase.com,12,12,0,0,0,0,0,14,0,0,0,0,4,30,2,0,0,0,0,0,0,0,12,0
occupystreams.org,13,0,0,0,0,26,0,0,1,0,0,0,8,26,0,0,2,0,0,0,0,8,0,0
www.tunnelbear.com,12,0,0,0,0,0,0,14,0,0,0,0,6,30,0,0,0,0,0,0,0,0,12,0
www.wikispaces.com,0,10,0,0,0,0,32,0,0,11,0,0,0,0,12,0,0,0,0,0,0,0,12,0
www.teenhealthfx.com,26,0,0,0,0,0,0,0,0,0,0,0,34,0,0,0,0,0,0,0,12,0,0,0
www.tripod.lycos.com,26,0,0,0,0,0,0,0,5,0,0,0,6,18,0,0,6,0,0,0,0,0,0,0
pastebin.com,26,26,0,0,0,0,0,0,17,17,0,0,0,0,0,0,6,6,0,0,0,0,0,0
anonymouse.org,25,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0


In [12]:
with pd.option_context('display.max_colwidth', 300, 'display.max_rows', 100):
    display(obs[obs['domain'] == 'www.tunnelbear.com'].drop(columns=['domain']).sort_values(by=['client_asn', 'resolver_asn', 'resolver_ip', 'time']))

Unnamed: 0,time,client_country,client_asn,resolver_ip,resolver_asn,query_type,failure,status,answers,explorer_url,eval,has_interference
92815,2020-11-23 06:41:08+00:00,VE,6306,186.24.222.204,6306,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201123T050108Z_webconnectivity_VE_6306_n1_tgVTgtl111Pyhuz5?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
92816,2020-11-23 06:41:08+00:00,VE,6306,186.24.222.204,6306,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201123T050108Z_webconnectivity_VE_6306_n1_tgVTgtl111Pyhuz5?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
48063,2020-11-20 06:33:11+00:00,VE,6306,186.166.131.54,6306,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201120T050056Z_webconnectivity_VE_6306_n1_SumX5KILeq1HhyUw?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
48062,2020-11-20 06:33:11+00:00,VE,6306,186.166.131.54,6306,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201120T050056Z_webconnectivity_VE_6306_n1_SumX5KILeq1HhyUw?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
99492,2020-11-24 06:34:28+00:00,VE,6306,186.166.131.54,6306,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201124T050507Z_webconnectivity_VE_6306_n1_WELrcTk7RyiN6LAj?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
99493,2020-11-24 06:34:28+00:00,VE,6306,186.166.131.54,6306,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201124T050507Z_webconnectivity_VE_6306_n1_WELrcTk7RyiN6LAj?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
8226,2020-11-21 05:48:48+00:00,VE,6306,186.166.131.55,6306,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201121T050305Z_webconnectivity_VE_6306_n1_H8jLO6sjqROtdezE?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
8227,2020-11-21 05:48:48+00:00,VE,6306,186.166.131.55,6306,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201121T050305Z_webconnectivity_VE_6306_n1_H8jLO6sjqROtdezE?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
16723,2020-11-19 05:24:28+00:00,VE,6306,186.166.131.56,6306,A,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201119T050305Z_webconnectivity_VE_6306_n1_mPnQ2fz5N6JMQ6Mo?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1
16724,2020-11-19 05:24:28+00:00,VE,6306,186.166.131.56,6306,AAAA,dns_nxdomain_error,NXDOMAIN,,https://explorer.ooni.org/measurement/20201119T050305Z_webconnectivity_VE_6306_n1_mPnQ2fz5N6JMQ6Mo?input=https%3A%2F%2Fwww.tunnelbear.com%2F,BAD_STATUS_NXDOMAIN,1


In [59]:
!dig @200.35.192.12 torproject.org


; <<>> DiG 9.10.6 <<>> @200.35.192.12 torproject.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50158
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;torproject.org.			IN	A

;; AUTHORITY SECTION:
torproject.org.		43963	IN	NS	nsp.dnsnode.net.
torproject.org.		43963	IN	NS	ns1.torproject.org.
torproject.org.		43963	IN	NS	ns3.torproject.org.
torproject.org.		43963	IN	NS	ns4.torproject.org.
torproject.org.		43963	IN	NS	ns5.torproject.org.

;; Query time: 63 msec
;; SERVER: 200.35.192.12#53(200.35.192.12)
;; WHEN: Fri Nov 20 12:34:30 EST 2020
;; MSG SIZE  rcvd: 144



In [24]:
obs[['client_asn', 'resolver_asn', 'resolver_ip']].value_counts()

client_asn  resolver_asn  resolver_ip    
22313       22313         200.35.192.12      3878
21826       15169         172.253.242.44     3827
8048        8048          201.249.172.71     3641
                          201.249.172.74     1991
                          201.249.172.72     1984
                          201.249.172.77     1962
                          201.249.172.70     1942
6306        6306          186.166.131.56     1942
8048        8048          201.249.215.7      1925
                          201.249.215.6      1922
21826       15169         172.253.242.41     1921
                          74.125.184.10      1919
                          172.253.7.65       1917
                          74.125.75.72       1915
                          74.125.77.75       1914
                          172.253.7.68       1913
                          172.253.7.13       1913
                          74.125.78.130      1913
                          172.253.242.105    1912
        

In [102]:
obs[['client_asn', 'resolver_asn', 'eval']].value_counts()

client_asn  resolver_asn  eval                  
12880       0             OK_MATCHES_CONTROL        2640
50810       0             OK_MATCHES_CONTROL        2497
197207      20473         OK_MATCHES_CONTROL        1183
50810       0             INCONCLUSIVE_CHECK_IPS     492
12880       0             INCONCLUSIVE_CHECK_IPS     415
                                                    ... 
50810       58224         BAD_NON_GLOBAL_IP            1
197207      12440         BAD_NON_GLOBAL_IP            1
49100       49100         BAD_NON_GLOBAL_IP            1
197207      42            INCONCLUSIVE_CHECK_IPS       1
56402       56402         BAD_NON_GLOBAL_IP            1
Length: 111, dtype: int64

In [352]:
!dig @201.249.172.77 eldolarparalelo.info


; <<>> DiG 9.10.6 <<>> @201.249.172.77 eldolarparalelo.info
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57965
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;eldolarparalelo.info.		IN	A

;; Query time: 277 msec
;; SERVER: 201.249.172.77#53(201.249.172.77)
;; WHEN: Sat Nov 14 02:29:30 EST 2020
;; MSG SIZE  rcvd: 49



In [353]:
!dig @201.249.172.77 example.com


; <<>> DiG 9.10.6 <<>> @201.249.172.77 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50572
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.			IN	A

;; Query time: 72 msec
;; SERVER: 201.249.172.77#53(201.249.172.77)
;; WHEN: Sat Nov 14 02:29:44 EST 2020
;; MSG SIZE  rcvd: 40



In [112]:
obs[obs['domain'] == 'getoutline.org']

Unnamed: 0,time,client_country,client_asn,resolver_ip,resolver_asn,domain,query_type,failure,status,answers,explorer_url,eval,has_interference
6422,2020-11-14 11:30:52+00:00,IR,12880,2.188.21.2,0,getoutline.org,A,,OK,"([], [216.239.34.21, 216.239.32.21, 216.239.36...",https://explorer.ooni.org/measurement/20201114...,OK_MATCHES_CONTROL,0
6423,2020-11-14 11:30:47+00:00,IR,12880,2.188.21.2,0,getoutline.org,A,,OK,"([], [216.239.34.21, 216.239.38.21, 216.239.36...",https://explorer.ooni.org/measurement/20201114...,OK_MATCHES_CONTROL,0
7433,2020-11-13 09:32:11+00:00,IR,44244,127.0.0.2,44244,getoutline.org,AAAA,,OK,"([], [2001:4860:4802:32::15, 2001:4860:4802:36...",https://explorer.ooni.org/measurement/20201113...,INCONCLUSIVE_CHECK_IPS,0
7432,2020-11-13 09:32:11+00:00,IR,44244,127.0.0.2,44244,getoutline.org,A,,OK,"([], [216.239.34.21, 216.239.36.21, 216.239.32...",https://explorer.ooni.org/measurement/20201113...,OK_MATCHES_CONTROL,0
7844,2020-11-13 02:25:20+00:00,IR,197207,127.0.0.2,20473,getoutline.org,A,,OK,"([], [216.239.34.21, 216.239.36.21, 216.239.32...",https://explorer.ooni.org/measurement/20201113...,OK_MATCHES_CONTROL,0
4302,2020-11-09 12:16:18+00:00,IR,43754,127.0.0.2,43754,getoutline.org,AAAA,,OK,"([], [2001:4860:4802:36::15, 2001:4860:4802:34...",https://explorer.ooni.org/measurement/20201109...,INCONCLUSIVE_CHECK_IPS,0
4301,2020-11-09 12:16:18+00:00,IR,43754,127.0.0.2,43754,getoutline.org,A,,OK,"([], [216.239.36.21, 216.239.34.21, 216.239.38...",https://explorer.ooni.org/measurement/20201109...,OK_MATCHES_CONTROL,0
4128,2020-11-09 01:55:38+00:00,IR,50810,185.5.159.143,0,getoutline.org,A,,OK,"([], [216.239.36.21, 216.239.32.21, 216.239.34...",https://explorer.ooni.org/measurement/20201108...,OK_MATCHES_CONTROL,0
1620,2020-11-08 22:39:20+00:00,IR,50810,172.253.215.13,0,getoutline.org,A,,OK,"([], [216.239.38.21, 216.239.32.21, 216.239.34...",https://explorer.ooni.org/measurement/20201108...,OK_MATCHES_CONTROL,0
1563,2020-11-08 22:39:15+00:00,IR,50810,172.253.215.13,0,getoutline.org,A,,OK,"([], [216.239.38.21, 216.239.34.21, 216.239.36...",https://explorer.ooni.org/measurement/20201108...,OK_MATCHES_CONTROL,0


In [107]:
list(obs[obs['domain'] == 'occupystreams.org'].explorer_url)

['https://explorer.ooni.org/measurement/20201115T194951Z_webconnectivity_IR_12880_n1_xqETuH8J04j66IzK?input=http%3A%2F%2Foccupystreams.org%2F',
 'https://explorer.ooni.org/measurement/20201114T193120Z_webconnectivity_IR_12880_n1_hxvro3KVFCFikwh9?input=http%3A%2F%2Foccupystreams.org%2F',
 'https://explorer.ooni.org/measurement/20201114T101626Z_webconnectivity_IR_12880_n1_BCz7kLvLynnn3x7L?input=http%3A%2F%2Foccupystreams.org%2F',
 'https://explorer.ooni.org/measurement/20201113T002153Z_webconnectivity_IR_197207_n1_DVKMi6cXW1JLoyo4?input=http%3A%2F%2Foccupystreams.org%2F',
 'https://explorer.ooni.org/measurement/20201111T195820Z_webconnectivity_IR_12880_n1_4O9jjJ2y5IBuTs4B?input=http%3A%2F%2Foccupystreams.org%2F',
 'https://explorer.ooni.org/measurement/20201108T214526Z_webconnectivity_IR_50810_n1_DJlMYn9WesLpsi6x?input=http%3A%2F%2Foccupystreams.org%2F',
 'https://explorer.ooni.org/measurement/20201108T214221Z_webconnectivity_IR_50810_n1_7eoPoM8KU2SCgFLO?input=http%3A%2F%2Foccupystreams.

In [106]:
for asn, asn_df in obs.groupby(by='client_asn'):
    print(f'======= AS{asn} ======')
    for result, result_df in asn_df.groupby(by='eval'):
        print(f'----- {result} ------')
        with pd.option_context('display.min_rows', 50):
            display(result_df['domain'].value_counts())
        print()
    print()
    

----- BAD_NON_GLOBAL_IP ------


twitter.com                     8
beeg.com                        5
ultrasurf.us                    4
bridges.torproject.org          4
adultfriendfinder.com           4
anon.inf.tu-dresden.de          4
freenetproject.org              4
myspace.com                     4
ooni.torproject.org             3
www.bbc.com                     3
openvpn.net                     3
blogspot.com                    3
proxy.org                       2
thepiratebay.se                 2
strongvpn.com                   2
psiphon.ca                      2
dentist.blogspot.com            2
plus.google.com                 2
metasploit.com                  2
lgbt.foundation                 2
trashy.com                      2
download.cnet.com               2
www.xroxy.com                   2
proxify.com                     2
spys.ru                         2
                               ..
www.anonymizer.com              1
dooush.blogspot.com             1
bit.ly                          1
nesvan1.wordpr


----- BAD_STATUS_NXDOMAIN ------


www.meaphone.com    1
Name: domain, dtype: int64


----- BAD_STATUS_SERVFAIL ------


occupystreams.org               4
golang.org                      1
peacefire.org                   1
mail.yandex.ru                  1
www.alnadwah.com.sa             1
mashable.com                    1
iarf.net                        1
hrlibrary.umn.edu               1
homayounshajarian.blogfa.com    1
guardianproject.info            1
pingomatic.com                  1
goaskalice.columbia.edu         1
jainworld.com                   1
www.tudehpartyiran.org          1
www.rahesabz.net                1
iwhc.org                        1
peta.xxx                        1
iyfnet.org                      1
cyber.harvard.edu               1
guardster.com                   1
krishna.com                     1
godhatesfags.com                1
www.radioazadi.org              1
metasploit.com                  1
cryptome.org                    1
www.femirani.com                1
www.nscash.com                  1
ikhwanonline.com                1
myspace.com                     1
lgbt.foundatio


----- INCONCLUSIVE_BAD_CONTROL ------


abaspor.ir    1
deoxy.org     1
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.google.com                 33
gmail.com                       6
a1408.g.akamai.net              5
news.google.com                 5
friends.walla.co.il             5
docs.google.com                 5
encrypted.google.com            5
groups.google.com               5
company.wizards.com             4
imesh.com                       4
sites.google.com                4
online.wsj.com                  4
video.google.com                4
translate.google.com            4
www.instagram.com               4
www.absolut.com                 4
www.state.gov                   4
gawker.com                      4
timesofindia.indiatimes.com     4
bintray.com                     4
picasa.google.com               4
groups.yahoo.com                3
www.facebook.com                3
www.163.com                     3
www.xbox.com                    3
                               ..
www.arablounge.com              1
ehsanameh.blogspot.com          1
www.nato.int                    1
www.majidzohar


----- OK_MATCHES_CONTROL ------


addons.mozilla.org             12
archive.org                    11
emchurch.org                    9
autistici.org                   8
imp.free.fr                     8
infidels.org                    8
mixi.jp                         8
sourceforge.net                 8
kidshealth.org                  7
fsrn.org                        7
btguard.com                     7
exitinternational.net           7
bisexual.org                    7
globalvoices.org                7
beyondexgay.com                 7
jezebel.com                     7
hackers.com                     6
amphetamines.com                6
noblogs.org                     6
cdt.org                         6
www.pinknews.co.uk              6
slashdot.org                    6
2600.org                        6
bebo.com                        6
anonnews.org                    6
                               ..
www.hustler.com                 1
www.exgay.com                   1
www.ifge.org                    1
redrose1355.pe


----- OK_MATCHES_CONTROL_ERROR ------


delicious.com                      4
crackspider.net                    4
marijuana.nl                       4
moqavemat.ir                       4
debate.org.uk                      4
sci-hub.ac                         4
warc.jalb.de                       3
webmail.sso.bluewin.ch             3
voice.yahoo.jajah.com              3
deoxy.org                          3
shareaza.com                       3
blog.hasanagha.net                 2
www.belmont.ag                     2
www.bearshare.com                  2
jeddahnews.org                     2
bestupdateserver2.com              2
www.blacksandjews.com              2
instagram.fhen1-1.fna.fbcdn.net    2
www.irajnadimi.ir                  1
rahmandoost.ir                     1
www.oursouthazerbaijan.com         1
www.1doost.com                     1
www.niazazari.com                  1
www.cutegirlfriend.net             1
islamabadtimes.ir                  1
                                  ..
www.abbas-rajaei.ir                1
w



----- BAD_NON_GLOBAL_IP ------


www.copticchurch.net         1
hivsti.com                   1
www.xvideos.com              1
vimeo.com                    1
justicewomen.com             1
www.taghato.net              1
iran-safe.cf                 1
www.al-jazirah.com           1
getintra.org                 1
www.1800respect.org.au       1
www.americannaziparty.com    1
www.queerty.com              1
www.4shared.com              1
docs.google.com              1
dmnazarimehr.blogfa.com      1
www.magicjack.com            1
Name: domain, dtype: int64


----- BAD_STATUS_NXDOMAIN ------


sex021.net    2
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.copticchurch.net         1
www.taghato.net              1
secure.logmein.com           1
www.americannaziparty.com    1
www.projectbaseline.com      1
docs.google.com              1
sex021.net                   1
www.ushmm.org                1
www.shazam.com               1
www.1800respect.org.au       1
www.nytimes.com              1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


www.iranserver.com           1
www.clintonfoundation.org    1
networkdon.com               1
lauraannjacobs.com           1
sex021.net                   1
www.homa.org                 1
equal-eyes.org               1
Name: domain, dtype: int64



----- INCONCLUSIVE_BAD_CONTROL ------


maxelerator.ir    2
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


swi.ir              1
www.darkveb.com     1
emeil.ir            1
ifacetimeapp.com    1
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


www.hotspotshield.com    1
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


xe.com             1
www.thestar.com    1
www.mozilla.org    1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


telecloob.ir          1
www.mozilla.org       1
www.weforum.org       1
www.icrw.org          1
www.roxypalace.com    1
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


www.facebook.com    1
Name: domain, dtype: int64


----- BAD_STATUS_NXDOMAIN ------


www.uscg.mil    2
Name: domain, dtype: int64


----- BAD_STATUS_dns_resolver_error ------


metasploit.com     1
www.youtube.com    1
Name: domain, dtype: int64


----- INCONCLUSIVE_BAD_CONTROL ------


xxxx.vibwo       1
www.eelam.com    1
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.nifty.org              1
www.unwomen.org            1
www.heritage.org           1
unpo.org                   1
www.spotify.com            1
www.episcopalrelief.org    1
getoutline.org             1
www.emruznews.com          1
anfpersian.com             1
www.wnd.com                1
www.persecution.org        1
deoxy.org                  1
webramz.com                1
www.kir2kos.net            1
www.enom.com               1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


www.talafone.com             1
www.magicjack.com            1
www.collegehumor.com         1
happiex.com                  1
imp.free.fr                  1
www.netzoola.com             1
www.chess.com                1
www.implantinfo.com          1
www.hrcr.org                 1
khabarcanada.ca              1
www.emruznews.com            1
codal.ir                     1
www.2zaar.net                1
www.bitfinex.com             1
www.heritage.org             1
www.actionaid.org            1
www.runescape.com            1
mahshar.com                  1
www.realbeer.com             1
www.birthcontrol.com         1
www.un.int                   1
getoutline.org               1
www.interactworldwide.org    1
webramz.com                  1
www.out.com                  1
www.persecution.org          1
www.episcopalrelief.org      1
www.spotify.com              1
unpo.org                     1
www.connotea.org             1
www.opec.org                 1
www.unwomen.org              1
www.enom


----- OK_MATCHES_CONTROL_ERROR ------


www.eln-voces.com    2
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


anon.inf.tu-dresden.de             2
news.gooya.com                     1
shahvani.com                       1
happiex.com                        1
www.literotica.com                 1
beeg.com                           1
ilkeicgiyim.com                    1
www.nsa.gov                        1
www.akhbar-rooz.com                1
russia.tv                          1
www.cpj.org                        1
www.darknet.org.uk                 1
blogspot.com                       1
www.pornhub.com                    1
www.mojahedin.org                  1
www.netflix.com                    1
iranmatlab.ir                      1
adultfriendfinder.com              1
bridges.torproject.org             1
ifacetimeapp.com                   1
www.http-tunnel.com                1
www.rahesabz.net                   1
www.voisfarsi.com                  1
www.macfound.org                   1
www.bbc.com                        1
www.searchindia.com                1
www.chekhabar.com                  1
f


----- INCONCLUSIVE_BAD_CONTROL ------


imesh.com         2
maxelerator.ir    2
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


company.wizards.com               5
www.navy.mil                      2
jainworld.com                     1
a1408.g.akamai.net                1
wikihow.com                       1
www.ask.com                       1
www.yola.com                      1
teenadvice.about.com              1
caffecinema.com                   1
care.org                          1
xda-developers.com                1
de.lirio.us                       1
www.ft.com                        1
www.nsa.gov                       1
defcon.org                        1
gorgij.net                        1
www.ecequality.org                1
www.searchindia.com               1
www.whatsapp.com                  1
www.macfound.org                  1
www.last.fm                       1
www.http-tunnel.com               1
allout.org                        1
getoutline.org                    1
iran.outrightinternational.org    1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


www.alwakad.net                    3
archive.org                        2
www.paltalk.com                    2
care.org                           2
addons.mozilla.org                 2
earth-liberation-front.org         2
defcon.org                         2
www.tabnak.ir                      2
ccc.de                             2
ipi.media                          1
abpr2.railfan.net                  1
citizenlab.ca                      1
anonym.to                          1
666games.net                       1
cdt.org                            1
www.idsoftware.com                 1
secure.hi5.com                     1
caffecinema.com                    1
chinadaily.com.cn                  1
adium.im                           1
www.netaddress.com                 1
gadgetnews.net                     1
jezebel.com                        1
www.exploit-db.com                 1
bebo.com                           1
                                  ..
anonnews.org                       1
b


----- OK_MATCHES_CONTROL_ERROR ------


delicious.com      1
debate.org.uk      1
crackspider.net    1
deoxy.org          1
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


www.blogger.com    1
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.last.fm         1
www.getdrupe.com    1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


www.dd-sunnah.net          1
www.clubdicecasino.com     1
www.inminds.co.uk          1
www.backtrack-linux.org    1
hamijoo.com                1
www.prophetofdoom.net      1
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


www.securityinabox.org      2
www.xroxy.com               2
www.pokerstars.com          2
www.facebook.com            2
www.sexandu.ca              2
www.darknet.org.uk          1
www.meetme.com              1
strongvpn.com               1
thepiratebay.se             1
www.victoriassecret.com     1
www.queerty.com             1
hornet.com                  1
www.marxists.org            1
www.gay.com                 1
www.anonymizer.com          1
lgbt.foundation             1
www.usaid.gov               1
secondlife.com              1
www.netflix.com             1
black.riseup.net            1
www.binance.com             1
www.ipetitions.com          1
www.tunnelbear.com          1
www.maven.co.il             1
www.4shared.com             1
                           ..
ooni.torproject.org         1
secure.proxpn.com           1
hitwe.com                   1
www.dailymotion.com         1
www.veoh.com                1
www.venus.com               1
www.iranhumanrights.org     1
www.youpor


----- BAD_STATUS_NXDOMAIN ------


www.army.mil    2
Name: domain, dtype: int64


----- BAD_STATUS_SERVFAIL ------


noblogs.org           2
bebo.com              2
autistici.org         2
www.hotmail.com       1
occupystreams.org     1
www.getoutline.org    1
www.rfa.org           1
beyondexgay.com       1
avaaz.org             1
bisexual.org          1
beeg.com              1
Name: domain, dtype: int64


----- BAD_STATUS_deferred_timeout_error ------


moqavemat.ir    1
Name: domain, dtype: int64


----- INCONCLUSIVE_BAD_CONTROL ------


marijuana.nl      1
www.belmont.ag    1
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.google.com                     29
www.who.int                         8
www.bbc.com                         7
www.state.gov                       6
www.xbox.com                        5
www.bacardi.com                     5
www.facebook.com                    5
www.viber.com                       5
www.eveonline.com                   4
www.newnownext.com                  4
www.epa.gov                         4
www.cdc.gov                         3
www.army.mil                        3
www.ea.com                          3
www.nsa.gov                         3
www.rackspace.com                   3
news.google.com                     3
tinder.com                          3
encrypted.google.com                3
secure.logmein.com                  3
www.amazon.com                      3
www.walmart.com                     3
video.google.com                    3
mashable.com                        3
messages.android.com                3
                                   ..
observers.fr


----- OK_MATCHES_CONTROL ------


twitter.com                 9
addons.mozilla.org          6
sourceforge.net             6
www.un.org                  6
www.backtrack-linux.org     5
ultrasurf.us                5
www.linkedin.com            5
www.worldwildlife.org       5
www.advocate.com            5
archive.org                 5
www.worldrtd.net            5
www.netaddress.com          5
secure.friendfinder.com     4
secure.flickr.com           4
dns.quad9.net               4
www.geocities.com           4
t.co                        4
www.wordreference.com       4
www.tialsoft.com            4
dns.google.com              4
www.ectaco.com              4
wikidata.org                4
www.gnu.org                 4
www.well.com                4
cdt.org                     4
                           ..
www.getmdl.io               1
www.emruznews.com           1
www.derafsh-kaviyani.com    1
ladysun.net                 1
occupystreams.org           1
www.sologen.net             1
www.freewebs.com            1
partotarvi


----- OK_MATCHES_CONTROL_ERROR ------


www.eelam.com                   3
sci-hub.ac                      3
shareaza.com                    2
webmail.sso.bluewin.ch          2
www.bearshare.com               2
voice.yahoo.jajah.com           2
crackspider.net                 2
www.hitler.org                  2
www.eln-voces.com               2
www.videogamereview.com         2
www.latinmail.com               2
delicious.com                   2
www.malware.com                 2
debate.org.uk                   2
www.layevangelism.com           2
warc.jalb.de                    2
www.pgp.com                     2
www.wallpapergate.com           2
deoxy.org                       2
jeddahnews.org                  2
www.blacksandjews.com           2
www.jebhemelli.org              1
mohammaddamadi.ir               1
www.oursouthazerbaijan.com      1
www.cutegirlfriend.net          1
hasanagha.net                   1
sufront.org                     1
www.ecoworld-mag.com            1
www.footballiran.ir             1
memarinews.com



----- INCONCLUSIVE_CHECK_IPS ------


www.sina.com.cn     1
www.honduras.com    1
www.apple.com       1
arcgis.com          1
www.umc.org         1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


www.slideshare.net         1
xanga.com                  1
archiveofourown.org        1
www.kmmk.info              1
www.mahtaa.com             1
www.iransocialforum.org    1
webramz.com                1
www.igap.net               1
www.kurdishworld.com       1
www.umc.org                1
www.feminist.com           1
parsijoo.ir                1
codal.ir                   1
rahmatnorozi.com           1
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


finasterideblog.com    1
Name: domain, dtype: int64


----- BAD_STATUS_NXDOMAIN ------


de.lirio.us    2
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.playmapscube.com    1
docs.google.com         1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


www.stopstreetharassment.org    1
pentestcore.com                 1
www.shoe.org                    1
www.sexualhealth.com            1
uk.match.com                    1
www.wadod.net                   1
www.hotbot.com                  1
caffecinema.com                 1
parsiblog.com                   1
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


clipseksi.com      1
www.queerty.com    1
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


picasa.google.com          2
www.glsen.org              1
www.theglobeandmail.com    1
www.telewebion.com         1
www.aidsonline.com         1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


www.uplooder.net       1
www.asstr.org          1
hafezoon.net           1
www.maven.co.il        1
www.aidsonline.com     1
photodune.net          1
www.100webspace.com    1
www.sahamnews.net      1
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


www.sbs.com.au                 1
www.vice.com                   1
www.ndi.org                    1
tableaumag.com                 1
www.daadkhast.org              1
subscene.com                   1
www.betfair.com                1
www.marxists.org               1
alirezarezaee1.blogspot.com    1
worldofwarcraft.com            1
soundcloud.com                 1
www.hotspotshield.com          1
threema.ch                     1
Name: domain, dtype: int64


----- BAD_STATUS_NXDOMAIN ------


www.daadkhast.org    2
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


complex-life.blog.ir                   2
youtube.com                            2
go.microsoft.com                       2
savefrom.net                           1
cdn.ampproject.org                     1
download.visualstudio.microsoft.com    1
www.mailinator.com                     1
marketplace.visualstudio.com           1
translate.reference.com                1
ms.gallerycdn.vsassets.io              1
www.survive.org.uk                     1
www.eurogrand.com                      1
anonymizer.secuser.com                 1
aawsat.com                             1
en.wikipedia.org                       1
www.theglobeandmail.com                1
www.imf.org                            1
mashable.com                           1
signal.org                             1
www.nytimes.com                        1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


api.ipify.org                          4
www.mailinator.com                     2
en.wikipedia.org                       2
emeil.ir                               2
drugs-forum.com                        1
bouncer.ooni.io                        1
abc.go.com                             1
www.blubster.com                       1
www.jesussaves.cc                      1
ms.gallerycdn.vsassets.io              1
ms-vscode.gallery.vsassets.io          1
bebo.com                               1
www.apt.ch                             1
hotgaylist.com                         1
ru.wikipedia.org                       1
www.freetranslation.com                1
parsget.com                            1
raw.githubusercontent.com              1
www.genderandaids.org                  1
www.haaretz.com                        1
www.teenhealthfx.com                   1
www.bicommunitynews.co.uk              1
www.mideastyouth.com                   1
www.sputniknews.cn                     1
www.iea.org     


----- OK_MATCHES_CONTROL_ERROR ------


mellifund.com    2
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


www.iranhumanrights.org    1
www.wzo.org.il             1
extratorrent.cc            1
lgbt.foundation            1
humanrightsiniran.com      1
www.amnesty.org            1
mastodon.social            1
minuf.co.il                1
enghelabe-eslami.com       1
Name: domain, dtype: int64


----- INCONCLUSIVE_BAD_CONTROL ------


www.infosalamat.com        6
www.gooya.com              2
imesh.com                  2
thepiratebay.se            2
use-application-dns.net    2
whoami.ds.akahelp.net      2
mitm.watch                 2
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.google.com                   6
www.who.int                      3
www.dailymail.co.uk              2
archive.is                       2
www.quora.com                    2
www.facebook.com                 2
www.dw.com                       2
www.eurogrand.com                2
www.nytimes.com                  2
www.economist.com                2
www.cdc.gov                      2
dictionary.reference.com         2
www.ebay.com                     2
www.bacardi.com                  2
www.viber.com                    2
www.xbox.com                     2
www.cnn.com                      2
online.wsj.com                   2
www.haaretz.com                  2
www.state.gov                    2
www.newnownext.com               2
www.dotster.com                  2
encrypted.google.com             1
www.godaddy.com                  1
www.lemonde.fr                   1
                                ..
www.privateinternetaccess.com    1
www.ucc.org                      1
sites.google.com    


----- OK_MATCHES_CONTROL ------


www.bbc.com                    5
twitter.com                    4
en.wikipedia.org               4
www.ohchr.org                  3
www.well.com                   3
www.brinkster.com              3
www.un.org                     3
www.bing.com                   3
www.systranbox.com             2
www.rollitup.org               2
sci-hub.se                     2
ebuddy.com                     2
www.xroxy.com                  2
dl.bintray.com                 2
www.anonymitychecker.com       2
www.accessnow.org              2
identi.ca                      2
massbrowser.cs.umass.edu       2
emchurch.org                   2
www.backtrack-linux.org        2
www.savethechildren.net        2
www.hrcr.org                   2
addons.mozilla.org             2
www.netaddress.com             2
archive.org                    2
                              ..
commons.wikimedia.org          1
www.talkyou.me                 1
www.binance.com                1
www.bbm.com                    1
www.acdi-c


----- OK_MATCHES_CONTROL_ERROR ------


www.wallpapergate.com      4
delicious.com              2
www.videogamereview.com    2
www.blacksandjews.com      2
www.malware.com            2
www.eelam.com              2
www.layevangelism.com      2
warc.jalb.de               2
webmail.sso.bluewin.ch     2
www.pgp.com                2
www.belmont.ag             2
deoxy.org                  2
www.latinmail.com          2
www.bearshare.com          2
voice.yahoo.jajah.com      2
debate.org.uk              2
marijuana.nl               2
shareaza.com               2
crackspider.net            2
sci-hub.tw                 2
www.hitler.org             2
www.eln-voces.com          2
moqavemat.ir               2
Name: domain, dtype: int64



----- BAD_NON_GLOBAL_IP ------


www.purevpn.com       1
www.sunni-news.net    1
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


www.rfa.org               2
translate.google.com      2
app.developer.here.com    1
www.kampain.info          1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


exscn.net                    1
www.change.org               1
www.judaismconversion.org    1
www.kampain.info             1
www.protest.net              1
Name: domain, dtype: int64



----- BAD_STATUS_NXDOMAIN ------


www.darpa.mil       2
www.hra-news.org    2
Name: domain, dtype: int64


----- INCONCLUSIVE_CHECK_IPS ------


europedatingonline.com    1
www.kampain.info          1
Name: domain, dtype: int64


----- OK_MATCHES_CONTROL ------


vimeo.com                 1
europedatingonline.com    1
www.anonymizer.ru         1
www.kampain.info          1
www.iran-e-azad.org       1
Name: domain, dtype: int64





In [134]:
od.resolve(domains, 'www.match.com')

DnsPath(cnames=[Domain('us-wac.match.com')], ips=[IPv4Address('208.83.242.49')])

In [19]:
socket.gethostbyname_ex('www.match.com')

('us-wac.match.com', ['www.match.com', 'us.match.com'], ['208.83.242.49'])

In [113]:
socket.gethostbyname_ex('no.match.cosm')

gaierror: [Errno 8] nodename nor servname provided, or not known

In [114]:
socket.gethostbyname_ex('occupystreams.org')

gaierror: [Errno 8] nodename nor servname provided, or not known

In [115]:
socket.getaddrinfo('occupystreams.org', 0, proto=socket.IPPROTO_TCP, flags=socket.AI_CANONNAME)

gaierror: [Errno 8] nodename nor servname provided, or not known

In [116]:
socket.getaddrinfo('invalid.example.com', 0, proto=socket.IPPROTO_TCP, flags=socket.AI_CANONNAME)

gaierror: [Errno 8] nodename nor servname provided, or not known

In [119]:
import dns.resolver

ModuleNotFoundError: No module named 'dns.resolver'; 'dns' is not a package

In [118]:
!pip install dnspython

Collecting dnspython
  Downloading dnspython-2.0.0-py3-none-any.whl (208 kB)
[K     |████████████████████████████████| 208 kB 3.8 MB/s 
[?25hInstalling collected packages: dnspython
Successfully installed dnspython-2.0.0
You should consider upgrading via the '/Users/fortuna/firehook/net-analysis/.venv/bin/python -m pip install --upgrade pip' command.[0m
