[77906] in North American Network Operators' Group


Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list

daemon@ATHENA.MIT.EDU (Gadi Evron)
Mon Feb 14 08:27:13 2005

Date: Mon, 14 Feb 2005 15:28:04 +0200
From: Gadi Evron <gadi@tehila.gov.il>
To: Kevin <kkadow@gmail.com>
Cc: nanog@nanog.org
In-Reply-To: <dc718edc0502140521255908f4@mail.gmail.com>
Errors-To: owner-nanog-outgoing@merit.edu
>>I wouldn't collect the contents of an A record, if that's what you mean.
>>I meant that it would be better to collect the IP of whoever is
>>connected to the irc server directly, eliminating the entire, possibly
>>misleading, step of DNS lookups. Faking that IP is more difficult.
> 
> 
> Agreed.
> 
> I always store the original IP.  If the PTR record matches with the A
> record (aka "paranoid DNS") then I additionally store the hostname from
> the A record, and permit the connection to go through.
> 
> But no matter what, always store the original IP.  It's just four more bytes
> (sixteen for IPng), and TCP is more difficult to spoof than DNS.

In the case of the actual drones, I don't see why you'd need the PTR, 
although it helped me out before.

In the case of C&C's.. PTR, A, etc. could be critical.
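The "paranoid DNS" check Kevin describes above (keep the TCP peer address unconditionally, keep the PTR name only if it forward-resolves to that same address) as an added Python example; this is not code from the thread or from any NANOG participant. The resolver is injected as two callables so the example runs offline against constructed DNS tables; the `live_ptr` / `live_addr` wrappers around the standard `socket` module are a labelled assumption about how one would wire it to a real resolver.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Resolver interface (assumed, not from the thread):
#   ptr_lookup(ip)    -> PTR name or None
#   addr_lookup(name) -> list of A/AAAA addresses for that name
PtrLookup = Callable[[str], Optional[str]]
AddrLookup = Callable[[str], List[str]]


@dataclass(frozen=True)
class ConnectionRecord:
    ip: str                   # always stored: the address seen on the TCP connection
    hostname: Optional[str]   # stored only when forward-confirmed, else None


def paranoid_dns(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> ConnectionRecord:
    """Forward-confirmed reverse DNS as described in the thread.

    The peer IP is kept no matter what. The PTR name is kept only if
    resolving it forward yields that same IP; otherwise the PTR is treated
    as untrusted (anyone controlling the reverse zone can put any name there)
    and dropped from the record.
    """
    canonical = str(ipaddress.ip_address(ip))   # normalise IPv6 spelling, reject junk early
    name = ptr_lookup(canonical)
    if not name:
        return ConnectionRecord(canonical, None)
    try:
        forward = {str(ipaddress.ip_address(a)) for a in addr_lookup(name)}
    except ValueError:
        # A/AAAA answer contained something that is not an address: do not trust the name.
        return ConnectionRecord(canonical, None)
    if canonical in forward:
        return ConnectionRecord(canonical, name.rstrip(".").lower())
    return ConnectionRecord(canonical, None)


# --- Constructed sample DNS data (documentation ranges, not real records) ---
_PTR = {
    "192.0.2.10": "host10.example.net.",
    "192.0.2.11": "www.example.org.",    # PTR claims a name that resolves elsewhere
    "2001:db8::1": "v6.example.net.",
}
_ADDR = {
    "host10.example.net.": ["192.0.2.10"],
    "www.example.org.": ["198.51.100.5"],
    "v6.example.net.": ["2001:0db8:0000:0000:0000:0000:0000:0001"],
}


def sample_ptr(ip: str) -> Optional[str]:
    return _PTR.get(ip)


def sample_addr(name: str) -> List[str]:
    return _ADDR.get(name, [])


# --- Optional live wrappers (assumption: standard socket calls; not exercised offline) ---
def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def live_addr(name: str) -> List[str]:
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except (socket.gaierror, OSError):
        return []


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.11", "2001:0db8::1", "203.0.113.9"):
        rec = paranoid_dns(peer, sample_ptr, sample_addr)
        print(f"peer={rec.ip} hostname={rec.hostname}")
```

The second sample address shows the failure mode the thread is guarding against: the reverse zone for 192.0.2.11 names `www.example.org`, but that name resolves to a different address, so only the IP is logged. Swapping `sample_ptr`/`sample_addr` for `live_ptr`/`live_addr` runs the same logic against the system resolver.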
