From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] display rDNS and GeoIP information for used nameservers
Date: Thu, 09 Nov 2017 22:41:46 +0000
Message-ID: <1510267306.2945.12.camel@ipfire.org>
In-Reply-To: <20171108225853.1bf0e979.peter.mueller@link38.eu>

Hi,

On Wed, 2017-11-08 at 22:58 +0100, Peter Müller wrote:
> Hello Michael,
>
> > Hi,
> >
> > On Tue, 2017-11-07 at 20:25 +0100, Peter Müller wrote:
> > > Hello Michael,
> > >
> > > > Hi,
> > > >
> > > > this is quite a nice idea, but I have one small problem here which I think could
> > > > potentially confuse the users more than it helps.
> > > >
> > > > And that is anycast DNS servers.
> > >
> > > Oh, yes. *sigh*
> > >
> > > > So for example for the famous Google DNS 8.8.8.8 the GeoIP location would be US
> > > > which technically is correct, but I know for a fact that I am using an instance
> > > > that is located in the Telehouse which is just a few miles away from me and not on
> > > > the other side of the big pond.
> > > >
> > > > So can we do anything to make this better and should we?
> > >
> > > The answer is simple and gives absolutely no satisfaction: No, we can't.
> > >
> > > The (free) GeoIP database IPFire uses is somewhat ugly when it comes to anycast
> > > networks, or even the networks of big DSL companies (see below): By looking at
> > > the output of "geoiplookup [anycast IP]", there is no chance to see that something
> > > is wrong.
> > >
> > > Further, there are two problems with these networks:
> > > (a) Only the company operating an anycast system knows where a certain IP is
> > > actually located - as far as I am concerned, there is no (reliable) way to guess
> > > this from outside. Some companies set informative PTR records such as
> > > "muc-x.y.z.anycast.company.com" [muc = Munich], but even that does not mean
> > > anything in technical terms.
> >
> > Not even they know where you are being routed to in some cases.
> >
> > > (b) There is a huge difference between the accuracy of multinational companies'
> > > networks in the free and non-free edition of the GeoIP database. For example, AOL
> > > also owns subnets for their customers in Brazil and other countries outside the US,
> > > but the free database returns "US" for any AOL network queried.
> > > Same goes for special categories such as "A1" (anonymous proxies): Even big Tor
> > > nodes with static IPs or some huge VPN providers are mostly not listed there. :-|
> >
> > Well, the accuracy isn't really there. There is no guarantee the
> > information is correct or precise and basically this is completely
> > messy.
>
> True. Sometimes I am thinking about building my own country GeoIP database, maybe
> as a holiday project initially...

I would love to have a second source that isn't Maxmind and probably it
is quite possible to just walk through whois and create something that
is roughly accurate, but still this is probably not worth investing time
into it.

> >
> > There are other things like LOC records in DNS, but unfortunately
> > nobody seems to be using that.
>
> I understand this. As a server operator, I do not want people to know in
> which city (or building) my devices are located.

Well, if you would just have a look at where we are hosting you will find
the address of the servers on their website. It is very easy to find out
in many cases.

> >
> > There is an option c) Sometimes it says it in the whois, but that again
> > is not at all a reliable source of information.
>
> Location information on city base is never quite accurate, but at country level,
> it should be possible for most cases.
>
> Well, at the moment, we do not have anything better (see above). Apart from these
> issues, was the patch okay?

I think this is fine then. I did not expect a solution, but wanted to have
the discussion for the record.

Please use the new lookup function from the other patch and please add
something to the documentation that summarises what we discussed here.

Best,
-Michael

>
> Best regards,
> Peter Müller
>
> > > To sum it up: I am aware of these - let's say - inaccuracies. However, I think we
> > > need to stay consistent here: If we use GeoIP for firewall rules, which I consider
> > > a great feature, we should work with the same information that iptables processes
> > > if a user queries an IP address.
> > >
> > > This is especially true for the connection tracking table (will send a working patch
> > > for this later on), but otherwise, debugging of GeoIP firewall rules becomes very
> > > hard.
> >
> > Very true.
> >
> > > Just as a remark: It is interesting that the Cloudflare networks are not listed in
> > > the GeoIP database anymore (perhaps because they are anycast, too). But according
> > > to bug #11482, this is not a good idea.
> >
> > I have heard bad things from them that they are not a very nice player.
> > It is rumored that they are a pain in the rear end...
> >
> > -Michael
> >
> > > Best regards,
> > > Peter Müller
> > > >
> > > > -Michael
> > > >
> > > > On Mon, 2017-11-06 at 19:09 +0100, Peter Müller wrote:
> > > > > Display rDNS/PTR record and GeoIP information for used nameservers
> > > > > on the netexternal.cgi WebUI page. This information might be useful
> > > > > for debugging.
> > > > >=20 > > > > > Thanks to Matthias Fischer for style improvements. > > > > >=20 > > > > > Signed-off-by: Peter M=C3=BCller > > > > > --- > > > > > html/cgi-bin/netexternal.cgi | 25 +++++++++++++++++++++++++ > > > > > langs/de/cgi-bin/de.pl | 1 + > > > > > langs/en/cgi-bin/en.pl | 1 + > > > > > 3 files changed, 27 insertions(+) > > > > >=20 > > > > > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexterna= l.cgi > > > > > index 299612d4c..cd2223ac6 100644 > > > > > --- a/html/cgi-bin/netexternal.cgi > > > > > +++ b/html/cgi-bin/netexternal.cgi > > > > > @@ -25,9 +25,13 @@ use strict; > > > > > #use warnings; > > > > > #use CGI::Carp 'fatalsToBrowser'; > > > > > =20 > > > > > +use IO::Socket; > > > > > +use Geo::IP::PurePerl; > > > > > + > > > > > require '/var/ipfire/general-functions.pl'; > > > > > require "${General::swroot}/lang.pl"; > > > > > require "${General::swroot}/header.pl"; > > > > > +require "${General::swroot}/geoip-functions.pl"; > > > > > require "${General::swroot}/graphs.pl"; > > > > > =20 > > > > > my %color =3D (); > > > > > @@ -99,6 +103,12 @@ if ( $querry[0] ne~ ""){ > > > > > $Lang::tr{'nameserver > > > > > '} > > > > > > > > > > > > > > > + $Lang::tr{'flag'} > > > > rong> =20 > > > > > + > > > > > + > > > > > + $Lang::tr{'rdns'} > > > > rong> =20 > > > > > + > > > > > + > > > > > $Lang::tr{'status'} > > > > strong> =20 > > > > > 
> > > > > > > > > > @@ -138,10 +148,25 @@ END > > > > > } > > > > > =20 > > > > > my $table_colour =3D ($id++ % 2) ? $color{'color22'} : > > > > > $color{'color20'}; > > > > > + =09 > > > > > + my $iaddr =3D inet_aton($nameserver); > > > > > + my $rdns =3D gethostbyaddr($iaddr, AF_INET); > > > > > + if (!$rdns) { $rdns =3D $Lang::tr{'lookup failed'}; } > > > > > + > > > > > + my $gi =3D Geo::IP::PurePerl->new(); > > > > > + my $ccode =3D $gi->country_code_by_name($nameserver); > > > > > + my $fcode =3D lc($ccode); > > > > > + my $flag_icon =3D &GeoIP::get_flag_icon($fcode); > > > > > =20 > > > > > print < > > > > > > > > > $nameserver > > > > > + > > > > > + > > > > src=3D"$flag_icon" border=3D"0" align=3D"absmiddle" alt=3D"$ccode" = =20 > > > > > title=3Drumoured"$ccode"> =20 > > > > > + > > > > > + rumoured > > > > > + $rdns > > > > > + > > > > > > > > > > > > > > color=3D"$colour">$message =20 > > > > > > > > > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > > > > index af96a6445..4cf866a3a 100644 > > > > > --- a/langs/de/cgi-bin/de.pl > > > > > +++ b/langs/de/cgi-bin/de.pl > > > > > @@ -1951,6 +1951,7 @@ > > > > > 'quick playlist' =3D> 'Quick Playlist', > > > > > 'ram' =3D> 'RAM-Speicher', > > > > > 'random number generator daemon' =3D> 'Random Number Generator Dae= mon', > > > > > +'rdns' =3D> 'rDNS', > > > > > 'read bytes' =3D> 'Gelesene Bytes', > > > > > 'read list' =3D> 'Liste der Leseberechtigten', > > > > > 'real address' =3D> 'Reale Addresse', > > > > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > > > > > index 7e4f95ccf..946aba873 100644 > > > > > --- a/langs/en/cgi-bin/en.pl > > > > > +++ b/langs/en/cgi-bin/en.pl 
> > > > > @@ -1989,6 +1989,7 @@ > > > > > 'quick playlist' =3D> 'Quick Playlist', > > > > > 'ram' =3D> 'RAM', > > > > > 'random number generator daemon' =3D> 'Random Number Generator Dae= mon', > > > > > +'rdns' =3D> 'rDNS', > > > > > 'read bytes' =3D> 'Read Bytes', > > > > > 'read list' =3D> 'list with readonly hosts', > > > > > 'real address' =3D> 'Real Address', =20
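Review bot: In the first netexternal.cgi hunk (@@ -25,9 +25,13 @@), the new `use Geo::IP::PurePerl;` duplicates the GeoIP code path that `require "${General::swroot}/geoip-functions.pl";` already provides; if the country lookup goes through the shared function in geoip-functions.pl, as requested in this thread, the direct module import can be dropped so the CGI has a single GeoIP entry point.

Review bot: In the table-header hunk (@@ -99,6 +103,12 @@), the new cells use `$Lang::tr{'flag'}` and `$Lang::tr{'rdns'}`, but the de.pl and en.pl hunks add only the 'rdns' key; confirm that 'flag' is already defined in both language files, otherwise that column header renders empty.

Review bot: In the lookup hunk (@@ -138,10 +148,25 @@), `$ccode` has no fallback although `$rdns` gets one: when `country_code_by_name` returns undef (database miss, or a nameserver that is not an IPv4 address), `lc($ccode)` warns under strict and `GeoIP::get_flag_icon('')` is asked for a flag that does not exist. Mirror the `if (!$rdns) { ... }` check for `$ccode` (skip the `<img>` when there is no code) and guard `gethostbyaddr` the same way, since `inet_aton($nameserver)` returns undef for anything that is not a dotted-quad. Two further points on the same hunk: the reverse lookup is a blocking call executed on every page render for each nameserver, so a slow or unreachable resolver stalls the whole CGI until the resolver times out (consider a bounded timeout or caching the result); and `$rdns` is interpolated into the heredoc unescaped although the PTR text is set by whoever operates the reverse zone, so HTML-escape it before printing. Finally, replace `Geo::IP::PurePerl->new()` here with the lookup function from geoip-functions.pl, per the request above.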