North American Network Operators Group


Re: Collecting PTR names or IP addresses (Was: Re: IRC Bot list (crossposting))

  • From: Gadi Evron
  • Date: Mon Feb 14 08:28:14 2005


> I wouldn't collect the contents of an A record, if that's what you mean.
> I meant that it would be better to collect the IP of whoever is
> connected to the irc server directly, eliminating the entire, possibly
> misleading, step of DNS lookups. Faking that IP is more difficult.
Agreed.

> I always store the original IP.  If the PTR record matches with the A
> record (aka "paranoid DNS") then I additionally store the hostname from
> the A record, and permit the connection to go through.
>
> But no matter what, always store the original IP.  It's just four more bytes
> (sixteen for IPng), and TCP is more difficult to spoof than DNS.

In the case of the actual drones, I don't see why you'd need the PTR, although it helped me out before.

In the case of C&Cs, PTR, A, etc. could be critical.
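The "paranoid DNS" logging rule described in the quoted message (always keep the peer's IP; attach a hostname only when the PTR name forward-resolves back to that same address) is shown below as an added example. It is not code from this thread or from any IRC server; the function and type names are my own, and the sample DNS data is constructed from documentation address ranges so the example runs offline. The injectable resolver callbacks default to the system resolver via the socket module.

```python
"""Forward-confirmed reverse DNS ("paranoid DNS") for connection logging.

Rule from the discussion: the peer IP is always recorded; a hostname is
recorded in addition only when the PTR name resolves back to that exact IP.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ConnectionRecord:
    ip: str                    # always stored, never derived from DNS
    hostname: Optional[str]    # set only when the PTR name is forward-confirmed


def system_reverse(ip: str) -> List[str]:
    """PTR lookup through the system resolver (hypothetical helper name)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror, OSError):
        return []
    return [name] + list(aliases)


def system_forward(name: str) -> List[str]:
    """A/AAAA lookup through the system resolver (hypothetical helper name)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except (socket.gaierror, OSError):
        return []
    return sorted({info[4][0] for info in infos})


def paranoid_record(ip: str,
                    reverse: Callable[[str], List[str]] = system_reverse,
                    forward: Callable[[str], List[str]] = system_forward,
                    ) -> ConnectionRecord:
    """Build the log record for a connecting peer.

    The IP is validated and normalised (e.g. IPv6 case and zero-compression)
    so the stored value is canonical. The hostname is attached only when some
    PTR name for the address forward-resolves to the very same address; a PTR
    that points elsewhere, or no PTR at all, yields hostname=None.
    """
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    record = ConnectionRecord(ip=str(addr), hostname=None)
    for name in reverse(str(addr)):
        forward_addrs = set()
        for candidate in forward(name):
            try:
                forward_addrs.add(ipaddress.ip_address(candidate))
            except ValueError:
                continue                     # ignore malformed forward answers
        if addr in forward_addrs:
            record.hostname = name.rstrip(".").lower()
            break
    return record


# Constructed sample DNS data (documentation ranges; not real hosts).
FAKE_PTR = {
    "192.0.2.10": ["host.example.net."],      # PTR and A agree
    "192.0.2.20": ["admin.example.org."],     # PTR claims a name that does not point back
    "2001:db8::1": ["v6.example.net."],       # IPv6 case, consistent
}
FAKE_A = {
    "host.example.net.": ["192.0.2.10"],
    "admin.example.org.": ["203.0.113.5"],
    "v6.example.net.": ["2001:db8::1"],
}


def fake_reverse(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.20", "2001:DB8::1", "198.51.100.7"):
        print(paranoid_record(peer, fake_reverse, fake_forward))
```

Run against the constructed data, only the two peers whose PTR forward-confirms get a hostname; the peer whose PTR names a host that resolves to a different address, and the peer with no PTR, are logged by IP alone, which is exactly the property the thread argues for.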