Collecting PTR names or IP addresses (Was: Re: IRC Bot list (crossposting))

Gadi Evron gadi at tehila.gov.il
Mon Feb 14 13:28:04 UTC 2005


>>I wouldn't collect the contents of an A record, if that's what you mean.
>>I meant that it would be better to collect the IP of whoever is
>>connected to the irc server directly, eliminating the entire, possibly
>>misleading, step of DNS lookups. Faking that IP is more difficult.
> 
> 
> Agreed.
> 
> I always store the original IP.  If the PTR record matches with the A
> record (aka "paranoid DNS") then I additionally store the hostname from
> the A record, and permit the connection to go through.
> 
> But no matter what, always store the original IP.  It's just four more bytes
> (sixteen for IPng), and TCP is more difficult to spoof than DNS.

In the case of the actual drones, I don't see why you'd need the PTR, 
although it helped me out before.

In the case of C&C's.. PTR, A, etc. could be critical.



More information about the NANOG mailing list