Same host or different? How can you tell "over the wire"?
Valeri Galtsev
galtsev at kicp.uchicago.edu
Thu Mar 22 15:42:57 UTC 2018
On 03/22/18 09:02, Alexandre Snarskii wrote:
> On Wed, Mar 21, 2018 at 02:19:43PM -0700, Ronald F. Guilmette wrote:
> [...]
>> P.S. It is my assumption that the kind of thing I'm looking for, if
>> it exists at all, will be found somewhere below the application layer.
>> I do not rule out however that there may be some way of differentiating
>> the two cases described above by looking at application layer responses
>> for some certain common applications. As far as I know however, it is
>> not possible to make the desired differentiation on the basis of
>> application layer responses for most typical network applications,
>> e.g. various makes and model numbers of servers for HTTP, HTTPS,
>> SMTP, SSH, DNS, etc. Of course, if I have simply missed something,
>> and if there is in fact a way to differentiate the two cases on the
>> basis of responses sent for any of these application protocols, then
>> I sure would like to know about that too.
>
> DNS: if both A and A' running open recursive DNS servers (bad idea in
> modern internet, but..) it's possible to use TTL field to differentiate.
> Scenario: create some DNS record with good enough TTL of one hour. Ask A
> about this record, get answer with TTL = 3600. Wait for ten seconds, then
> ask A' about the same record. If received TTL is about 3590 - it's really
> likely that A and A' is the same host.
>
If A and A' do resolve beyond their SOA for clients outside of their
domain. That was vulnerable for abuse, and hardly anybody does that
these days. Am I missing something?
Valeri
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
More information about the freebsd-net
mailing list