North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list (crossposting))

  • From: Kevin
  • Date: Mon Feb 14 08:22:46 2005
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=CqK5PXmqycBXoDT4DmxygWrs8McHQGB2iBc7YsM10TlzivCKElgIp1Pc3wahz9XTLElaar2a96N4Sl8+3BldDM9EgIsq4e6CBC+FEI9pjofMdYQGrPdeTVThIbByJJviRaYsbrbVMFvXG+yCTOKxaVzCuTKX9i/S/960eVpNayM=

On Mon, 14 Feb 2005 12:50:17 +0000, Ketil Froyn <kfroyn@gnr.com> wrote:
> On Mon, 2005-02-14 at 11:29 +0200, Gadi Evron wrote:
> > > Isn't it a good idea to collect the IP addresses rather than the ptr
> > > name? For instance, if I were an evil person in control of the ptr
> > > record of my own IP, I could easily make the name something like
> > > 1-2-3-4.dsl.verizon.net, and if you didn't collect my IP, you can never
> > > be sure you got the right details!
> >
> > You are right, people can change it to be whatever they like, potentially.
> >
> > What if they wanted to change the IP?
> >
> > Think about what you said, and you will see why you are wrong.
> 
> I wouldn't collect the contents of an A record, if that's what you mean.
> I meant that it would be better to collect the IP of whoever is
> connected to the irc server directly, eliminating the entire, possibly
> misleading, step of DNS lookups. Faking that IP is more difficult.

Agreed.

I always store the original IP.  If the PTR record matches with the A
record (aka "paranoid DNS") then I additionally store the hostname from
the A record, and permit the connection to go through.

But no matter what, always store the original IP.  It's just four more bytes
(sixteen for IPng), and TCP is more difficult to spoof than DNS.

Kevin Kadow