Collecting PTR names or IP addresses (Was: Re: IRC Bot list (crossposting))
Gadi Evron
gadi at tehila.gov.il
Mon Feb 14 13:28:04 UTC 2005
>>I wouldn't collect the contents of an A record, if that's what you mean.
>>I meant that it would be better to collect the IP of whoever is
>>connected to the irc server directly, eliminating the entire, possibly
>>misleading, step of DNS lookups. Faking that IP is more difficult.
>
>
> Agreed.
>
> I always store the original IP. If the PTR record matches with the A
> record (aka "paranoid DNS") then I additionally store the hostname from
> the A record, and permit the connection to go through.
>
> But no matter what, always store the original IP. It's just four more bytes
> (sixteen for IPng), and TCP is more difficult to spoof than DNS.
In the case of the actual drones, I don't see why you'd need the PTR,
although it helped me out before.
In the case of C&C's.. PTR, A, etc. could be critical.
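As an added illustration (not code from the thread or from any NANOG poster), the "paranoid DNS" rule described above: the TCP peer address is stored unconditionally, and a hostname is attached only when a PTR name resolves forward back to that same address. The resolver is pluggable so the example runs offline against constructed zone data; the names, example-range addresses and the `record_connection` helper are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed in-memory answers standing in for real DNS responses
# (hypothetical names in example ranges, not taken from the thread).
FAKE_PTR = {
    "192.0.2.10": ["host10.example.net."],
    "192.0.2.20": ["host20.example.net."],   # PTR exists, forward disagrees
    "2001:db8::5": ["v6host.example.net."],
}
FAKE_FORWARD = {
    "host10.example.net.": ["192.0.2.10"],
    "host20.example.net.": ["198.51.100.7"],  # points somewhere else
    "v6host.example.net.": ["2001:db8::5"],
}

def fake_ptr(ip: str) -> list[str]:
    return FAKE_PTR.get(ip, [])

def fake_forward(name: str) -> list[str]:
    return FAKE_FORWARD.get(name, [])

@dataclass
class ConnectionRecord:
    ip: str                  # always stored, taken from the TCP peer
    hostname: Optional[str]  # set only when PTR -> A/AAAA round-trips

def record_connection(peer_ip: str,
                      ptr_lookup: Callable[[str], Iterable[str]] = fake_ptr,
                      forward_lookup: Callable[[str], Iterable[str]] = fake_forward,
                      ) -> ConnectionRecord:
    """Keep the original IP no matter what; attach a hostname only if it is
    forward-confirmed: one of the PTR names must resolve back to this exact
    address (works the same for IPv4 and IPv6)."""
    addr = ipaddress.ip_address(peer_ip)  # normalises textual v4/v6 forms
    confirmed = None
    for name in ptr_lookup(str(addr)):
        forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
        if addr in forward:
            confirmed = name.rstrip(".")
            break
    # A missing PTR or a mismatching forward record is not an error:
    # the connection is still recorded, just without a hostname.
    return ConnectionRecord(ip=str(addr), hostname=confirmed)
```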
More information about the NANOG mailing list