From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] display rDNS and GeoIP information for used nameservers
Date: Tue, 07 Nov 2017 23:03:36 +0000
Message-ID: <1510095816.2768.16.camel@ipfire.org>
In-Reply-To: <20171107202503.53c0ce8c.peter.mueller@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3271521874721952860=="
List-Id: <development.lists.ipfire.org>

--===============3271521874721952860==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Tue, 2017-11-07 at 20:25 +0100, Peter M=C3=BCller wrote:
> Hello Michael,
>=20
> > Hi,
> >=20
> > this quite a nice idea, but I have one small problem here which I think c=
ould
> > potentially confuse the users more than it helps.
> >=20
> > And that is anycast DNS servers.
>=20
> Oh, yes. *sigh*
> >=20
> > So for example for the famous Google DNS 8.8.8.8 the GeoIP location would=
 be US
> > which technically is correct, but I know for a fact that I am using an in=
stance
> > that is located in the Telehouse which just a few miles away from me and =
not on
> > the other side of the big pond.
> >=20
> > So can we do anything to make this better and should we?
>=20
> The answer is simple and gives absolutely no satisfaction: No, we can't.
>=20
> The (free) GeoIP database IPFire uses is somewhat ugly when it comes to any=
cast
> networks, or even the networks of big DSL companies (see below): By looking=
 at
> the output of "geoiplookup [anycast IP]", there is no chance to see that so=
mething
> is wrong.
>=20
> Further, there are two problems with these networks:
> (a) Only the company operating an anycast system knows where a certain IP is
> actually located - as far as I am concerned, there is no (reliable) way to =
guess
> this from outside. Some companies set informative PTR records such as "muc-=
x.y.z.anycast.company.com"
> [muc =3D Munich], but even that does not mean anything in technical terms.

Not even they know where you are being routed to in some cases.

> (b) There is a huge difference between the accuracy of multinational compan=
y's
> networks in the free and non-free edition of the GeoIP database. For exampl=
e, AOL
> also owns subnets for their customers in Brazil and other countries outside=
 US,
> but the free database returns "US" for any AOL network queried.
> Same goes for special categories such as "A1" (anonymous proxies): Even big=
 Tor
> nodes with static IPs or some huge VPN providers are mostly not listed ther=
e. :-|

Well, the accuracy isn't really there. There is no guarantee the
information is correct or precise and basically this is completely
messy.

There are other things like LOC records in DNS, but unfortunately
nobody seems to be using that.

There is an option c) Sometimes it says it in the whois, but that again
is not at all a reliable source of information.

> To sum it up: I am aware of these - let's say - inaccuracies. However, I th=
ink we
> need to stay consistent here: If we use GeoIP for firewall rules, which I c=
onsider
> a great feature, we should work with the same information that iptables pro=
cesses
> if a user queries an IP address.
>=20
> This is especially true for the connection tracking table (will send a work=
ing patch
> for this later on), but otherwise, debugging of GeoIP firewall rules become=
s very
> hard.

Very true.

> Just as a remark: It is interesting that the Cloudflare networks are not li=
sted in
> the GeoIP database anymore (perhaps because they are anycast, too). But acc=
ording
> to bug #11482, this is not a good idea.

I have heard bad things from them that they are not a very nice player.
It is rumored that they are a pain in the rear end...

-Michael

> Best regards,
> Peter M=C3=BCller
> >=20
> > -Michael
> >=20
> > On Mon, 2017-11-06 at 19:09 +0100, Peter M=C3=BCller wrote:
> > > Display rDNS/PTR record and GeoIP information for used nameservers
> > > on the netexternal.cgi WebUI page. These information might be useful
> > > for debugging.
> > >=20
> > > Thanks to Matthias Fischer for style improvements.
> > >=20
> > > Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
> > > ---
> > >  html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++
> > >  langs/de/cgi-bin/de.pl       |  1 +
> > >  langs/en/cgi-bin/en.pl       |  1 +
> > >  3 files changed, 27 insertions(+)
> > >=20
> > > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi
> > > index 299612d4c..cd2223ac6 100644
> > > --- a/html/cgi-bin/netexternal.cgi
> > > +++ b/html/cgi-bin/netexternal.cgi
> > > @@ -25,9 +25,13 @@ use strict;
> > >  #use warnings;
> > >  #use CGI::Carp 'fatalsToBrowser';
> > > =20
> > > +use IO::Socket;
> > > +use Geo::IP::PurePerl;
> > > +
> > >  require '/var/ipfire/general-functions.pl';
> > >  require "${General::swroot}/lang.pl";
> > >  require "${General::swroot}/header.pl";
> > > +require "${General::swroot}/geoip-functions.pl";
> > >  require "${General::swroot}/graphs.pl";
> > > =20
> > >  my %color =3D ();
> > > @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){
> > >  						<strong>$Lang::tr{'nameserver
> > > '}</strong>
> > >  					</th>
> > >  					<th align=3D"center">
> > > +						<strong>$Lang::tr{'flag'}</st =20
> > > rong> =20
> > > +					</th>
> > > +					<th align=3D"center">
> > > +						<strong>$Lang::tr{'rdns'}</st =20
> > > rong> =20
> > > +					</th>
> > > +					<th align=3D"center">
> > >  						<strong>$Lang::tr{'status'}</ =20
> > > strong> =20
> > >  					</th>
> > >  				</tr>
> > > @@ -138,10 +148,25 @@ END
> > >  		}
> > > =20
> > >  		my $table_colour =3D ($id++ % 2) ? $color{'color22'} :
> > > $color{'color20'};
> > > +	=09
> > > +		my $iaddr =3D inet_aton($nameserver);
> > > +		my $rdns =3D gethostbyaddr($iaddr, AF_INET);
> > > +		if (!$rdns) { $rdns =3D $Lang::tr{'lookup failed'}; }
> > > +
> > > +		my $gi =3D Geo::IP::PurePerl->new();
> > > +		my $ccode =3D $gi->country_code_by_name($nameserver);
> > > +		my $fcode =3D lc($ccode);
> > > +		my $flag_icon =3D &GeoIP::get_flag_icon($fcode);
> > > =20
> > >  		print <<END;
> > >  			<tr bgcolor=3D"$table_colour">
> > >  				<td>$nameserver</td>
> > > +				<td align=3D"center">
> > > +					<a href=3D"country.cgi#$fcode"><img
> > > src=3D"$flag_icon" border=3D"0" align=3D"absmiddle" alt=3D"$ccode"
> > > title=3Drumoured"$ccode"></a>
> > > +				</td>
> > > +				<td align=3D"center">rumoured
> > > +					$rdns
> > > +				</td>
> > >  				<td bgcolor=3D"$bgcolour" align=3D"center">
> > >  					<font =20
> > > color=3D"$colour"><strong>$message</strong></font> =20
> > >  				</td>
> > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > > index af96a6445..4cf866a3a 100644
> > > --- a/langs/de/cgi-bin/de.pl
> > > +++ b/langs/de/cgi-bin/de.pl
> > > @@ -1951,6 +1951,7 @@
> > >  'quick playlist' =3D> 'Quick Playlist',
> > >  'ram' =3D> 'RAM-Speicher',
> > >  'random number generator daemon' =3D> 'Random Number Generator Daemon',
> > > +'rdns' =3D> 'rDNS',
> > >  'read bytes' =3D> 'Gelesene Bytes',
> > >  'read list' =3D> 'Liste der Leseberechtigten',
> > >  'real address' =3D> 'Reale Addresse',
> > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > > index 7e4f95ccf..946aba873 100644
> > > --- a/langs/en/cgi-bin/en.pl
> > > +++ b/langs/en/cgi-bin/en.pl
> > > @@ -1989,6 +1989,7 @@
> > >  'quick playlist' =3D> 'Quick Playlist',
> > >  'ram' =3D> 'RAM',
> > >  'random number generator daemon' =3D> 'Random Number Generator Daemon',
> > > +'rdns' =3D> 'rDNS',
> > >  'read bytes' =3D> 'Read Bytes',
> > >  'read list' =3D> 'list with readonly hosts',
> > >  'real address' =3D> 'Real Address', =20
>=20
>=20

--===============3271521874721952860==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUFCQ2dBZEZpRUU1L3JXNWwzR0dl
Mnlwa3R4Z0hudy8yK1FDUWNGQWxvQ084Z0FDZ2tRZ0hudy8yK1EKQ1FkNDV3Ly9RYytVNkplRWVw
VXZxNlRMcVdtNS8wdnA5RmRwQVF4VS9oNWJMdnBVMDhSb3ZOeHg4L3dZMjdKZwpNUGF0cTloWlI2
N2dTaTgwTmxaMlhCQlRZTUc5Y09LMVVlSm5OQ1VwR3YwcU9MemI5RE5mSGs2ZVp1Q21pUUlzCkdr
U2M2cUUwM2ZML3NxTjVJWVhiVUdsQ1IreWJIb3prbkRRNHRCTUlTVjlBL2V6OWJ1QzA0MUtwNGYw
K3JiQ1oKazRoUU83VnpHZGpQZzVJdUlEdkx6Mk84MVdGbUIza0ZEWUdXMk9TMkcrVTJYeWZCblJ2
cWlnbldJazFkanM0YgozYk1QbWIvSkhycVVxYVd6cVdTSmlxcDU3ZnNKM1VDRHNLbTlZaUJiUmti
cWFsN01xYk1pdXNZUmxxNlJTcTlVCkIraWo1NHJPUDk1TG5PNHdPNFZJNGJob0RNMzFuRXhteWpY
QjhaVFVRWk44bEJGVEt4TkUyeXczbjU5ejVxTncKN2xpSURtOU5ZT2gxRy8wTXU5S1lUNTBSWlkr
VGQ1VXQwRll2MnIwYkJ4bXRqRnZUQVBLbWVhZmpSVlp0ek5VZQpoTUVOTDVOb3MvOUNEaG0vZWZJ
YWY1dWJNaUVkUEVFeVlkaWZQZ2VPSFlPL1dNdWFsNVlzTlI0TUJVNWZFTFJwCnp6MXlVUEd3d3Fh
M1Ftc1FEd3dGeVErQkpLYWsyMHExZWpaZzV6WitJdHYxSytJdjhGSGJNSXVqSWRPRllCalYKalV2
Njh4cG1zYW55L0dPV2Rtb0IvWTF0MU1TaUYvME1SNEd5RlRzL29weUE3NFd2bWM3bDZNMlJlejRw
NmhZYwp5REtvQy9nNCs2ZzJtemFjSTgzSU93S0wzeDZOT0tjSGlZcXg2K3RvRU1xZTBkSFgxVDg9
Cj1QVTRKCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============3271521874721952860==--