Lan | 7 years ago

Consider a scenario where you have a log file and in the log file is an IP address (172.217.5.14). You are not sure whose IP address it is. So you run the following commands:

    # dig -x 172.217.5.14 +short
    lga15s49-in-f14.1e100.net.
    ord38s19-in-f14.1e100.net.

    # dig lga15s49-in-f14.1e100.net. +short
    172.217.5.14

    # dig lga15s49-in-f14.1e100.net. +short
    172.217.5.14

The first command (dig -x) checks the PTR record for the IP address 172.217.5.14. It returns two PTR records: lga15s49-in-f14.1e100.net. and ord38s19-in-f14.1e100.net. [0]. Those are subdomains of 1e100.net, which we know Google owns. However, you can set a PTR to pretty much whatever you want, so we now take an additional step as well. We run the dig command again to check the A records for the domains. This returns the same IP address we started with, which is good. Since Google controls the DNS for 1e100.net, we can be reasonably sure that it is in fact a Google server. This is called Forward-confirmed reverse DNS (FCrDNS) and is one tool you can use to determine the ownership of an IP address. For example, it is frequently used as a weight in email spam filters, although, because of the intricacies of email, in that case it is usually not used for identification and is instead used as a general-purpose check to determine whether a mail server is rogue or not, since spam servers very often do not have proper FCrDNS.

There are other tools to determine who owns an IP address, like whois, but in some instances one will garner useful information and the other will not. So it's nice to have both at your disposal.

[0] As a side note: the trailing . in those PTR records returned by dig is not a typo. All domains actually end in a dot, it's just usually implied.
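The FCrDNS procedure described in the post (PTR lookup, then forward lookup of each returned name, then confirm the original address comes back) as a small Python routine. This is an added example, not code from the post; the lookups are injected so the logic can be exercised offline against a constructed resolver table. The real-resolver functions use the standard socket module; the 198.51.100.7 and 203.0.113.9 entries, their names and the ord38s19 forward record are assumptions invented for the example, and only the lga15s49 forward record is the one the post actually shows.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example. The two DNS lookups are passed in as functions so the
decision logic runs offline against a constructed table; the default
implementations use the system resolver.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

ReverseLookup = Callable[[str], List[str]]   # IP -> PTR names
ForwardLookup = Callable[[str], List[str]]   # name -> A/AAAA addresses


def canonical(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot that dig
    prints (the footnote's 'lga15s49-in-f14.1e100.net.')."""
    return name.rstrip(".").lower()


def normalize_ip(text: str) -> str:
    """Canonical textual form of an address, or '' if it is not one
    (so IPv6 spellings compare equal and garbage never matches)."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return ""


def system_reverse(ip: str) -> List[str]:
    """PTR lookup via the system resolver (what `dig -x IP` does)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror:
        return []
    return [primary, *aliases]


def system_forward(name: str) -> List[str]:
    """A/AAAA lookup via the system resolver (what `dig NAME` does)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(ip: str, reverse: ReverseLookup = system_reverse,
           forward: ForwardLookup = system_forward
           ) -> Tuple[bool, List[str], Dict[str, List[str]]]:
    """Return (confirmed, ptr_names, forward_results).

    confirmed is True only when at least one PTR name resolves back to
    ip. A PTR on its own proves nothing, since whoever controls the
    reverse zone can put any name there; the forward lookup is what
    ties the name to the address.
    """
    target = normalize_ip(ip)
    ptr_names = [canonical(n) for n in reverse(ip)]
    forward_results = {n: forward(n) for n in ptr_names}
    confirmed = target != "" and any(
        target in {normalize_ip(a) for a in addrs}
        for addrs in forward_results.values())
    return confirmed, ptr_names, forward_results


# --- Constructed offline resolver table --------------------------------
# 172.217.5.14 and the two 1e100.net names are from the post; the other
# entries are invented (RFC 5737 documentation addresses) to show the
# failure modes: a PTR that points somewhere else, and no PTR at all.
_PTR_TABLE = {
    "172.217.5.14": ["lga15s49-in-f14.1e100.net.", "ord38s19-in-f14.1e100.net."],
    "198.51.100.7": ["mail.example-bank.invalid."],   # constructed: lying PTR
    "203.0.113.9": [],                                 # constructed: no PTR
}
_A_TABLE = {
    "lga15s49-in-f14.1e100.net": ["172.217.5.14"],    # shown in the post
    "ord38s19-in-f14.1e100.net": ["172.217.5.14"],    # assumed for the example
    "mail.example-bank.invalid": ["192.0.2.25"],      # does not confirm
}


def fake_reverse(ip: str) -> List[str]:
    return list(_PTR_TABLE.get(ip, []))


def fake_forward(name: str) -> List[str]:
    return list(_A_TABLE.get(canonical(name), []))


def check_offline(ip: str) -> Tuple[bool, List[str], Dict[str, List[str]]]:
    """Run the FCrDNS check against the constructed table."""
    return fcrdns(ip, reverse=fake_reverse, forward=fake_forward)


if __name__ == "__main__":
    for addr in _PTR_TABLE:
        ok, names, fwd = check_offline(addr)
        print(f"{addr}: {'FCrDNS confirmed' if ok else 'NOT confirmed'} "
              f"ptr={names} forward={fwd}")
```

To use it against the live resolver, call `fcrdns("172.217.5.14")` with the defaults; the return value keeps the intermediate names and addresses so a log-review script can record why an address was or was not confirmed rather than just a boolean.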

chinathrow | 7 years ago

> Those are subdomains of 1e100.net, which we know Google owns

Sorry, but to the average user the domain name 1e100.net doesn't ring a bell at all at this point. They would still have to look up the IP in ARIN/RIPE/etc. to see that the IP range is effectively owned by a company called Google.

Do you really need a hostname at all? Wouldn't the ARIN/RIPE/etc. entry be sufficient to know who "owns" said IP address?

detaro | 7 years ago

Google owns IPs that aren't used by Google services (e.g. all the customer IPs on GCE), it's useful to distinguish "Google" vs "hosted by Google".

yjftsjthsd-h | 7 years ago

See, I probably would have reached for whois before dig. Partially because reverse DNS seems less likely to be populated with useful info, in my limited experience.

walrus01 | 7 years ago

rDNS can be populated with a great deal of useful information if you are trying to diagnose an asymmetric routing issue between two internet service providers, particularly if both of them have had the forethought to give reasonable, understandable, hierarchical names to their globally distributed POPs. Other things like "ae" that show up in a traceroute can be indications of an 802.3ad aggregated link, which Juniper calls an Aggregated Ethernet. The same goes for interface abbreviations for Cisco and Juniper you will find, like "hu", "te", "xe", etc.

One example: say you, as an ISP, have a $200/mo dedicated server customer and you're giving them a /29 of public IP space. That /29 exists as a VLAN subinterface of one of your Juniper routers and is trunked across the datacenter through various switches to the server. Let's say it's VLAN 2659. Somewhere in the public rDNS for the default gateway IP of that /29, you would have the string "vl2659".