North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list (crossposting))
In the case of the actual drones, I don't see why you'd need the PTR, although it helped me out before.I wouldn't collect the contents of an A record, if that's what you mean. I meant that it would be better to collect the IP of whoever is connected to the irc server directly, eliminating the entire, possibly misleading, step of DNS lookups. Faking that IP is more difficult.Agreed. I always store the original IP. If the PTR record matches with the A record (aka "paranoid DNS") then I additionally store the hostname from the A record, and permit the connection to go through. But no matter what, always store the original IP. It's just four more bytes (sixteen for IPng), and TCP is more difficult to spoof than DNS. In the case of C&C's.. PTR, A, etc. could be critical.
|