Subject: Re: Same host or different? How can you tell "over the wire"?
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: Alexandre Snarskii, "Ronald F. Guilmette"
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Date: Thu, 22 Mar 2018 10:11:24 -0500
Message-ID: <4ce048ad-873e-795e-aae0-8d795d9bb85c@kicp.uchicago.edu>
In-Reply-To: <20180322140233.GA79266@staff.retn.net>
References: <4903.1521667183@segfault.tristatelogic.com> <20180322140233.GA79266@staff.retn.net>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On 03/22/18 09:02, Alexandre Snarskii wrote:
> On Wed, Mar 21, 2018 at 02:19:43PM -0700, Ronald F. Guilmette wrote:
> [...]
>> P.S. It is my assumption that the kind of thing I'm looking for, if
>> it exists at all, will be found somewhere below the application layer.
>> I do not rule out however that there may be some way of differentiating
>> the two cases described above by looking at application layer responses
>> for some certain common applications. As far as I know however, it is
>> not possible to make the desired differentiation on the basis of
>> application layer responses for most typical network applications,
>> e.g. various makes and model numbers of servers for HTTP, HTTPS,
>> SMTP, SSH, DNS, etc. Of course, if I have simply missed something,
>> and if there is in fact a way to differentiate the two cases on the
>> basis of responses sent for any of these application protocols, then
>> I sure would like to know about that too.
>
> DNS: if both A and A' are running open recursive DNS servers (bad idea in
> the modern internet, but..) it's possible to use the TTL field to differentiate.
> Scenario: create some DNS record with a good enough TTL of one hour. Ask A
> about this record, get an answer with TTL = 3600. Wait for ten seconds, then
> ask A' about the same record. If the received TTL is about 3590 - it's really
> likely that A and A' are the same host.
>

If A and A' do resolve beyond their SOA for clients outside of their domain. That was vulnerable to abuse, and hardly anybody does that these days. Am I missing something?

Valeri

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
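The TTL-decay inference Alexandre describes, written out as an added example (not code from the thread) over constructed observations, so that the caveats are explicit: a decayed TTL points to one shared cache, while a full TTL on the second answer is only conclusive when the first entry could not have expired or been prefetched in the meantime. The record TTL, addresses, timestamps and tolerance are all assumed values.

```python
"""Decide whether two resolver addresses appear to share one DNS cache,
from the TTL values returned for the same probe record (constructed data).
Also useful for confirming that two addresses you operate front one cache."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    resolver: str   # address the query was sent to (constructed label)
    at: float       # time the answer was received, seconds on a common clock
    ttl: int        # TTL carried by the answer RR


RECORD_TTL = 3600   # authoritative TTL of the probe record (assumed: one hour)


def same_cache(first: Observation, second: Observation,
               record_ttl: int = RECORD_TTL, tolerance: int = 2) -> str:
    """Return 'shared', 'separate' or 'inconclusive'.

    A recursive resolver answers with the remaining lifetime of its cached
    copy, so one shared cache yields second.ttl == first.ttl - elapsed
    (within a small tolerance for transit time and clock granularity).
    Near the end of the entry's life a resolver may refresh it early
    (prefetch) or let it expire, so a mismatch there proves nothing.
    """
    elapsed = second.at - first.at
    if elapsed < 0:
        raise ValueError("observations must be in chronological order")
    expected = first.ttl - elapsed
    # Within the last ~10% of the record's life, expiry or prefetch on a
    # shared cache would also produce a fresh, full TTL: cannot decide.
    if expected <= record_ttl * 0.1:
        return "inconclusive"
    if abs(second.ttl - expected) <= tolerance:
        return "shared"
    # The first entry was still valid, yet A' did not return its remaining
    # lifetime: A' answered from a different cache (fresh fetch or its own copy).
    return "separate"


if __name__ == "__main__":
    a = Observation("A", at=0.0, ttl=3600)          # constructed answers
    b = Observation("A'", at=10.0, ttl=3590)
    print(same_cache(a, b))                          # shared
    print(same_cache(a, Observation("A'", 10.0, 3600)))  # separate
```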