public inbox for development@lists.ipfire.org
From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Add GeoIP location to nameservers
Date: Mon, 11 Jan 2016 09:10:42 +0100
Message-ID: <56936382.1070008@web.de>
In-Reply-To: <1452464143.5665.14.camel@ipfire.org>


Hello Michael,

Michael Tremer:
> Hi,
> 
> On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote:
>> Hello Michael, hello Matthias,
>>
>> Michael Tremer:
>>> Just out of curiosity, why do you find this information so helpful?
>>
>> As Matthias said already, it is more a "nice to have" than something
>> which is seriously needed.
> 
> This is not too much of an argument. My argument against this is that
> it brings down page load times because of a not too useful information.
> 
>> I wrote this patch because a friend of mine in France discovered that
>> his ISP assigns DNS servers from Australia and Great Britain, which
>> was slowing down DNS resolving a lot.
> 
> I get that and this is actually a pretty good one.
> 
> That only leaves resolvers like 8.8.8.8 which will show "US" but
> actually are located at many places around the world. Let's hope that
> people don't get the wrong thing from the flag - or actually start
> changing their DNS servers to something else :)
> 
>> Therefore I thought it might be useful to see in which countries your
>> DNS servers are located, just in case you didn't set some on your
>> own.
> 
> It is sometimes. Although geographic location doesn't mean that it is
> close on the network.
> 
> A system in GB is probably not an issue. Australia actually is a bit
> far away.
The problem here was something else: A couple of months ago, his ISP
assigned DNS servers in France, which worked quite well and belonged
to the ISP, according to whois information.

The list of assigned DNS servers must have changed somewhere in the
meantime, and he still does not know why since the ISP does not answer
related questions.

So, if your ISP suddenly assigns you DNS servers in a very different location
than it has done long before, you know that something might be wrong here.
(The Quantumhand program of the NSA lists "DNS injection" as a possible
method to impersonate a server - why not even change the DNS server to
one they own? Would be much easier...)
[http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-impersonates-facebook-inject-malware.html]
> 
>> In general, adding geographic information to IP addresses is very
>> helpful in my point of view because anomalies can be detected much
>> better and more precise firewall rules are possible.
> 
> I don't get why.
For example, many active connections from an internal host to China,
Korea or an African country might indicate that a host is infected.
If someone needs to call ipinfo.cgi for every IP he/she/it does not know,
it will end in a nightmare...
> 
>> However, something might still be improved: For example, the
>> ipinfo.cgi file shows the IP address, the rDNS name, whois information,
>> but not the appropriate flag. So, if someone scrolls through the
>> connection tracking page, he/she/it sees the source and destination IPs
>> of any active (and recently closed) connection. At the moment, there is
>> no way of telling which country an IP belongs to - without using
>> additional web services, of course - since the flag is shown neither at
>> the connection tracking page nor at the ipinfo.cgi page. This isn't very
>> helpful, is it?
> 
> The ipinfo.cgi page shows the whois information for an IP address. That
> may contain the name and HQ location of a company this IP address
> belongs to, but that does *not* mean that the host is actually located
> in that country - and almost certainly not at that address.
That's right, GeoIP shows the location of the server and not that of
its owner.

But looking at this whois output:

CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191
CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255

Not very helpful in the first place, is it? ;-)
> 
> The GeoIP database is a completely different thing.
> 
> Judging by the location of the host does make any sense if you care
> about security.
Basically, yes. As I mentioned above, GeoIP makes more sense to detect
anomalies and to allow, e.g., only VPN access from countries which are
necessary.
> 
>>
>> That is basically the motivation behind the two patches I submitted
>> recently.
>>
>> Best regards,
>> Timmothy Wilson
Best regards,
Timmothy Wilson




Thread overview: 8+ messages
     [not found] <5686D08D.7000802@ipfire.org>
2016-01-04 16:59 ` Michael Tremer
2016-01-04 17:16   ` Matthias Fischer
2016-01-10 16:25   ` IT Superhack
2016-01-10 22:15     ` Michael Tremer
2016-01-11  8:10       ` IT Superhack [this message]
2016-01-19  1:30         ` Michael Tremer
2016-01-19  6:57           ` IT Superhack
2016-01-01 17:11 IT Superhack
